DMARC Enforcement: SPF, DKIM, and p=reject Without Breaking Mail
How to move from SPF and DKIM basics to DMARC enforcement with p=reject, including monitoring, third-party senders, MTA-STS, and DANE.
DMARC enforcement is a staged configuration project
Most organizations stall at p=none because they do not have a complete sender inventory. The right path is audit, authenticate, monitor, quarantine, then reject.
Inventory every sending source
List Exchange Online, marketing platforms, CRM systems, ticketing platforms, billing systems, and any vendor sending on behalf of the domain. Every legitimate sender needs SPF alignment, DKIM alignment, or both.
Fix SPF and DKIM before raising the DMARC policy
SPF authorizes sending infrastructure. DKIM signs messages. DMARC checks alignment and tells receivers what to do with failures. Enforcement works only when legitimate mail passes alignment.
Move from p=none to p=quarantine to p=reject
Use aggregate reports to identify failures, correct vendors, and validate mail flow. Once legitimate senders pass, shift to quarantine and finally p=reject.
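As an added example (not part of the original article), the Python below triages one DMARC aggregate report before a policy change, separating sources that authenticate but are not aligned from sources that fail authentication outright. The sample report, its IP addresses and domains, and the function names triage and reject_impact are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate report layout; all values are made up.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.44</source_ip><count>8</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>vendor-mail.example</domain><result>pass</result></dkim>
   <spf><domain>vendor-mail.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def triage(report_xml):
    """Sum message counts per (source_ip, verdict) across all records."""
    totals = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            verdict = "pass"
        else:
            # Authenticated, but only for a domain that does not align with From:.
            authed = sorted({a.findtext("domain") for a in rec.find("auth_results")
                             if a.findtext("result") == "pass"})
            verdict = "unaligned:" + ",".join(authed) if authed else "unauthenticated"
        totals[(row.findtext("source_ip"), verdict)] += int(row.findtext("count"))
    return totals

def reject_impact(report_xml):
    """Sources failing DMARC (mail exposed to p=reject), largest volume first."""
    failing = [(ip, v, n) for (ip, v), n in triage(report_xml).items() if v != "pass"]
    return sorted(failing, key=lambda t: -t[2])

if __name__ == "__main__":
    for ip, verdict, n in reject_impact(SAMPLE_REPORT):
        print(f"{n:>5}  {ip:<15}  {verdict}")
```

An unaligned verdict usually points to a legitimate vendor still signing or sending with its own domain, which is the case to correct before moving to quarantine.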
Add transport-layer protections
MTA-STS and DANE complement SPF, DKIM, and DMARC by improving protection for mail transport. They are useful once authentication records are stable.
