CIS & MS-ISAC DMARC implementation guidance

The Center for Internet Security (CIS) is a globally recognized nonprofit – started in 2000 – dedicated to enhancing cybersecurity for organizations of all sizes. CIS is best known for the CIS Controls® and CIS Benchmarks™, widely used best practices for securing IT systems. It also funds the Multi-State Information Sharing and Analysis Center ® (MS-ISAC), which provides threat intelligence, incident response and recovery guidance, and actionable insights to State, Local, Tribal, and Territorial (SLTT) government entities in the U.S..

CIS has developed practical guidance to help organizations understand Domain-based Message Authentication, Reporting, and Conformance (DMARC) implementation. DMARC is a critical email security standard that helps prevent phishing, spoofing, and other email-based attacks.

Why DMARC implementation matters

Email remains one of the primary attack points for cybercriminals. Phishing, Business Email Compromise (BEC), and domain spoofing continue to cause significant financial and operational damage. DMARC implementation increases the chance that only authorized email senders use a company’s domain, blocking fraudulent messages before they reach inboxes.

DMARC works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate emails, allowing domain owners to specify how unauthenticated emails should be handled (monitored, quarantined, or rejected).

Key recommendations on DMARC implementation

The CIS and MS-ISAC guidance outlines a structured approach to DMARC implementation to maximize security while ensuring uninterrupted email communication. Their best practices include:

1. Aligning SPF, DKIM, and DMARC

• SPF: Configure DNS records to specify which email servers are authorized to send emails on behalf of the domain.
• DKIM: Enable DKIM signatures to authenticate outgoing emails and reduce the risk of tampering.
• DMARC policy: Define how unauthenticated messages should be handled, progressing from p=none to p=quarantine and eventually to p=reject.

2. Gradual implementation with monitoring

Businesses should start with a monitoring policy (p=none) to collect reports on how their domain is being used. This step ensures that all legitimate email sources are identified and properly configured before moving to more restrictive policies.

3. Using a phased approach

Once email authentication mechanisms are verified and properly configured, organizations should strengthen their DMARC policy over time to better protect their domain, following these suggestions:

• Week 1: p=quarantine, pct=10
• Week 2: p=quarantine, pct=25
• Week 3: p=quarantine, pct=50
• Week 4: p=quarantine, pct=75
• Week 5: p=quarantine, pct=100
• Week 6: p=reject, pct=10
• Week 7: p=reject, pct=25
• Week 8: p=reject, pct=50
• Week 9: p=reject, pct=75
• Week 10: p=reject, pct=100

By gradually enforcing DMARC policies, companies can reduce the risk of blocking legitimate emails.

4. Regularly reviewing DMARC reports

DMARC provides detailed reports on email authentication failures. Businesses should:

• Monitor aggregate and forensic reports to detect unauthorized email sources
• Identify and fix misconfigured legitimate email senders
• Continuously adjust SPF and DKIM records to improve authentication rates

The benefits of full DMARC implementation

A p=reject DMARC policy provides the highest level of protection by ensuring that fraudulent emails are blocked before they ever reach recipients. According to CIS and MS-ISAC, enforcing DMARC at this level:

• Protects against phishing attacks that impersonate trusted domains
• Protects brand reputation by preventing cybercriminals from using businesses’ names
• Enhances visibility with reports containing detailed information on unauthorized senders

The CIS and MS-ISAC guidance provides a clear and actionable roadmap for effective DMARC implementation. By following their approach, organizations can strengthen their email security posture without disrupting legitimate email communications.

For businesses, government agencies, and nonprofits alike, DMARC implementation is no longer optional—it’s a cybersecurity necessity.

Learn about CIS and MS-ISAC’s recommendations in their blog, or find out more about DMARC with our resources below.