Deploying DMARC step by step
Deploying DMARC is less about writing one DNS record and more about running a controlled rollout: start in monitoring mode, discover every legitimate sender, fix alignment, then progressively enforce. Rushed enforcement is the number-one cause of dropped legitimate mail, so treat this as a staged migration.
Prerequisites
DMARC builds on SPF and DKIM, so confirm both are in place first:
- An SPF record covering every legitimate source (
v=spf1 ... -all), under the 10-lookup limit. - DKIM signing enabled at your mail providers, with 2048-bit keys published under selectors.
Verify a real message currently passes both and aligns with your From: domain before you touch DMARC.
Step 1 — Publish a monitoring record
Start at p=none. This changes nothing about delivery; it only requests reports.
_dmarc.example.com. IN TXT
"v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1"
rua— where aggregate (daily XML) reports go.ruf— forensic/failure reports (often unsupported for privacy reasons; optional).fo=1— request a report whenever any mechanism fails alignment.
If reports go to a different domain, add an authorization record there:
example.com._report._dmarc.reports-vendor.net. IN TXT "v=DMARC1"
Step 2 — Read the aggregate reports
Aggregate reports are XML, one per receiver per day, keyed by source IP:
<record>
<row>
<source_ip>198.51.100.10</source_ip>
<count>42</count>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
</row>
<identifiers><header_from>example.com</header_from></identifiers>
</record>
Raw XML is painful at scale — feed it into a DMARC analytics tool. Build an inventory of every sending IP: marketing platform, ticketing system, HR tool, invoicing, help desk, your own MTAs. For each, confirm whether it passes SPF and/or DKIM and aligns.
Step 3 — Fix the legitimate senders
For every source that fails alignment:
- SPF fail — add the sender's
include:or IPs; watch the 10-lookup ceiling. - DKIM fail — enable DKIM at that provider and publish its selector; DKIM alignment is more forwarding-resistant, so prefer it.
- Neither aligns — either route that mail through an authenticated path or move it to a dedicated subdomain (e.g.
mail.example.com) with its own records.
Iterate until aggregate reports show ~100% of legitimate volume passing and aligned. This phase can take several weeks for a large organization.
Step 4 — Quarantine with a ramp
Move to quarantine, but roll it out gradually using pct:
"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
pct=25 applies the policy to a random quarter of failing mail; the rest still gets none treatment. Increase 25 → 50 → 100 over successive weeks, watching reports for any legitimate sender you missed.
Step 5 — Enforce reject
Once quarantine at pct=100 is clean, move to full enforcement:
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
Don't forget subdomains. Set an explicit subdomain policy so a spoofer can't abuse an unused one:
"v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
Alignment mode: strict vs relaxed
aspf=r/adkim=r(relaxed, the default) — same organizational domain is enough (mail.example.comaligns withexample.com).aspf=s/adkim=s(strict) — exact match required.
Relaxed is usually correct; use strict only when you fully control every subdomain sender.
The whole point of DMARC is
p=rejectwith high coverage. A domain left atp=noneforever is monitored but still spoofable — reporting is a means, enforcement is the goal.
Ongoing operations
- Keep reading aggregate reports; new SaaS tools appear constantly and will fail if not authorized.
- Rotate DKIM selectors periodically.
- Alert on spikes of failing volume from unknown IPs — that is often an active spoofing campaign.
How GottaPhish helps
Reaching p=reject stops exact-domain spoofing, but attackers respond with look-alike domains and display-name lures that DMARC can't block. GottaPhish and its expert support team help you close that residual gap: realistic simulations against precisely those vectors — cousin domains, mis-aligned senders — plus dashboards that map each attack to the users who fell for it. Our experts assist with setup, design scenarios that match your enforcement stage, and help you interpret the results so your DMARC rollout is paired with the awareness training that closes the human gap.
