DMARC Enforcement Roadmap

DMARC policy enforcement is a journey, not a destination. This guide walks you through safely progressing from monitoring to enforcement, protecting your domain from spoofing while maintaining email deliverability.

The Three Stages of DMARC Enforcement

Stage 1: p=none (Monitoring)

What it does:

  • Email is delivered regardless of DMARC results
  • Receiving servers still check authentication and generate reports
  • No enforcement happens
  • Failures are logged but not acted upon

Use case: Initial setup and discovery phase

DMARC Record:


v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Timeline: Start here, stay for 4-8 weeks

Goals in this stage:

  • Collect DMARC reports to see all senders
  • Identify which senders authenticate
  • Configure SPF/DKIM for discovered senders
  • Reach 95%+ authentication pass rate

Recommendation

Use SpoofWard's Email Source Discovery to identify all senders, then configure each with proper SPF/DKIM alignment before moving forward.

Stage 2: p=quarantine (Cautious Enforcement)

What it does:

  • Email that fails DMARC is moved to spam folder
  • Legitimate email still gets through (just in spam)
  • Gives you a safety net while catching spoofing attempts

Use case: Testing enforcement without breaking legitimate email

DMARC Record:


v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Timeline: 2-4 weeks

Goals in this stage:

  • Monitor DMARC reports for unexpected quarantine
  • If critical business email lands in spam, fix the sender auth
  • Confirm legitimate third-party services are correctly configured
  • Identify any senders you missed

When to progress:

  • No legitimate business email is being quarantined
  • Pass rate remains 95%+
  • No support tickets about missed email

Stage 3: p=reject (Maximum Protection)

What it does:

  • Email that fails DMARC is rejected outright
  • Receiving server refuses the message during the SMTP transaction
  • Only authenticated email reaches inboxes

Use case: Final enforcement, maximum security

DMARC Record:


v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Timeline: Permanent

Goals in this stage:

  • Prevent spoofing attempts completely
  • Protect brand reputation
  • Meet compliance requirements
  • Demonstrate security controls

When you're ready:

  • All legitimate senders authenticate (100% ideally, 98%+ minimum)
  • No customer complaints about missing email for 2+ weeks
  • Leadership approval for enforcement

Assessing Readiness

Before moving between stages, assess your domain:

Readiness Checklist

  • 95%+ authentication pass rate for at least 2 weeks
  • All identified senders configured with SPF/DKIM
  • DNS health score above 85 (no critical issues)
  • Forensic reports showing no unexpected failures
  • No recent business changes that would add new senders
  • Team coordination - leadership aware of changes
  • Contingency plan - know how to revert if needed
  • Monitoring in place - alerts for authentication failures

Using SpoofWard's Readiness Assessment

SpoofWard provides an automated readiness check:

  1. Go to DMARC → Compliance Timeline
  2. Review current enforcement stage
  3. See automatically calculated readiness percentage
  4. Review blockers preventing advancement

The tool shows:

  • Current pass rate and trend
  • Senders still unauthenticated
  • Recent policy changes
  • Estimated time until ready for next stage

Step-by-Step Progression

From p=none to p=quarantine

Prerequisites:

  • 95%+ pass rate for 7+ days
  • All major senders identified and configured
  • No critical DNS issues

Steps:

  1. Backup current DMARC record - Copy the p=none record for reference
  2. Create p=quarantine record - Update your DMARC record:

     v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

  3. Update in DNS - Replace the current record with the new one
  4. Wait for propagation - 24-48 hours for DNS to propagate globally
  5. Monitor closely - Check DMARC reports daily for issues
  6. Stay here 2-4 weeks - Ensure no legitimate email issues
  7. Review feedback - Ask users about missed email in spam

What to watch for:

  • Sudden spike in quarantine dispositions
  • User complaints about missing email
  • Critical business email bouncing
  • Email failures from known senders

If problems occur:

  1. Identify the problematic sender
  2. Configure their SPF/DKIM
  3. Wait for reports to improve
  4. Fix and re-test
  5. Once fixed, resume monitoring

Revert if Needed

If major email delivery issues occur, it's safe to revert to p=none immediately. No email will be lost.

From p=quarantine to p=reject

Prerequisites:

  • Maintained 95%+ pass rate for 3+ weeks at p=quarantine
  • No legitimate email lost/quarantined
  • All senders fully configured
  • Business approval for enforcement

Steps:

  1. Confirm readiness - Use SpoofWard's assessment tool
  2. Announce internally - Let team know enforcement is coming
  3. Create p=reject record:

     v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

  4. Update DNS - Replace the quarantine record
  5. Monitor intensely - Check reports hourly on first day
  6. Monitor daily - First week, check daily for issues
  7. Monitor weekly - Ongoing, check weekly
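
Both progression procedures replace one published record with another, so a pre-publish check can catch a malformed record, a skipped stage or a dropped report address before DNS is touched. The following is an added example, not SpoofWard code; `parse_dmarc`, `check_transition` and the `dmarc-reports@example.com` address are assumptions made for illustration.

```python
STAGES = ["none", "quarantine", "reject"]  # roadmap order used on this page

# Constructed records; dmarc-reports@example.com is a placeholder address.
P_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=1"
P_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; fo=1"
P_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; fo=1"


def parse_dmarc(record):
    """Split a DMARC TXT value into tags; raise ValueError if it is unusable."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # Receivers ignore a record whose first tag is not v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = value.strip()
    # This check is stricter than a receiver: a bad or missing p is an error.
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in STAGES:
        raise ValueError("p must be none, quarantine or reject")
    return tags


def check_transition(current, proposed):
    """Return (ok, reason) for replacing the published record with a new one."""
    cur, new = parse_dmarc(current), parse_dmarc(proposed)
    step = STAGES.index(new["p"]) - STAGES.index(cur["p"])
    if not new.get("rua", "").startswith("mailto:"):
        return False, "no rua address: aggregate reports would stop arriving"
    if step > 1:
        return False, f"p={cur['p']} to p={new['p']} skips a stage"
    if step < 0:
        return True, f"revert from p={cur['p']} to p={new['p']}"
    return True, f"p={cur['p']} to p={new['p']} follows the roadmap"


if __name__ == "__main__":
    for old, new in [(P_NONE, P_QUARANTINE), (P_NONE, P_REJECT), (P_REJECT, P_NONE)]:
        print(check_transition(old, new))
```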

What to watch for:

  • Any authentication failures from known senders
  • Sudden email delivery complaints
  • Indicators of spoofing attempts being blocked
  • Pass rate remaining 98%+

Expected behavior:

  • Spoofing attempts completely blocked
  • Reports show all legitimate email authenticating
  • No customer impact
  • Reduction in phishing emails claiming to be from you

Staying at Each Stage

Maintenance at p=none

Even in monitoring mode, maintain your setup:

  • Monthly review of senders and authentication rates
  • Quarterly updates of SPF/DKIM configuration
  • Document all senders for future reference
  • Plan upgrade to next stage

Maintenance at p=quarantine

At quarantine enforcement level:

  • Weekly monitoring of quarantine events
  • Daily alerts for unexpected failures
  • Monthly sender review for new sources
  • Fast response if legitimate email is affected

Maintenance at p=reject

After reaching enforcement:

  • Daily review of DMARC reports (first month)
  • Weekly review thereafter
  • Monthly assessment of threat statistics
  • Annual policy review for optimization

Common Roadblocks and Solutions

Problem: Pass rate stuck below 95%

Likely cause: Unidentified senders or misconfigured ones

Solution:

  1. Review detailed DMARC reports
  2. Identify the top failing senders
  3. Contact them for SPF/DKIM configuration
  4. Add to SPF record
  5. Test with SPF Checker tool
  6. Re-run discovery
  7. Wait 48 hours for new reports

Problem: Critical business email still failing after p=quarantine

Likely cause: Sender configuration incomplete or service-side issue

Solution:

  1. Identify the specific sender/service
  2. Get exact SPF/DKIM requirements from their support
  3. Verify SPF include matches exactly (case-sensitive)
  4. Verify DKIM key is correctly published
  5. Use DKIM Checker to validate
  6. Contact their support if still failing
  7. May need to revert to p=none temporarily

Problem: Compliance team requires p=reject but pass rate is 93%

Likely cause: Over-aggressive timeline or missed senders

Solution:

  1. Get exact compliance requirement
  2. Understand what senders are failing
  3. Check whether failing senders can be consolidated or removed
  4. Request waiver or extended timeline
  5. Accelerate sender configurations
  6. Consider staying at p=quarantine if 93% is sustainable
  7. Some compliance allows phased enforcement

Problem: Sales team using unknown email service

Likely cause: New sender added without IT knowledge

Solution:

  1. Identify the service in email sources
  2. Get proper SPF/DKIM configuration from them
  3. Update your SPF record
  4. Add to your vendor list in SpoofWard
  5. Implement email service approval process
  6. Prevent future surprises

Using SpoofWard's Enforcement Wizard

SpoofWard provides guided progression tools:

Enforcement Wizard (Pro+ plans):

  1. Current stage assessment
  2. Automated readiness check
  3. Sender configuration guidance
  4. DNS record recommendations
  5. Risk analysis
  6. One-click policy update

To use:

  1. Go to Tools → Enforcement Wizard
  2. Review readiness assessment
  3. Address any blockers
  4. Follow wizard's recommendation
  5. Wizard can update your DMARC record automatically

Regulatory Requirements

Different regulations have DMARC requirements:

US - Email Authentication for Government:

  • Federal agencies must enforce DMARC at p=reject
  • Non-federal agencies encouraged to adopt
  • Timeline: Ongoing mandates

Europe - DMARC Adoption:

  • ECB requires DMARC for central bank communications
  • Industry standards recommend enforcement
  • No hard compliance date but rapidly adopted

Finance/Healthcare:

  • BEC (Business Email Compromise) prevention requires enforcement
  • HIPAA and PCI don't mandate DMARC but strongly recommended
  • Insurance companies often require evidence of enforcement

Check with your compliance team about specific requirements for your industry/jurisdiction.

Post-Enforcement Monitoring

After reaching p=reject, continue monitoring:

Weekly Review

  • Total message volume
  • Pass rate (should be 98%+)
  • Fail rate (should be <2%)
  • Top failures (should be minimal)

Threat Monitoring

  • Blocked spoofing attempts
  • Geographic anomalies
  • IP reputation issues
  • Forensic failures (should be minimal)

Quarterly Assessment

  • Overall security posture
  • Industry threat landscape
  • Policy optimization opportunities
  • Team feedback on email delivery
