Understanding DMARC Policies and the Path to Enforcement

August 28, 2025 | DMARCFlow Team

Domain-based Message Authentication, Reporting and Conformance (DMARC) helps domain owners stop exact-domain impersonation, improve deliverability, and gain visibility into who sends email on their behalf. DMARC works on top of SPF and DKIM and instructs receivers what to do when a message fails authentication and alignment. This article explains each DMARC policy and outlines a safe, auditable path to enforcement, with practical notes on how DMARCFlow streamlines the journey.

What DMARC Policies Do

A DMARC record is a DNS TXT record that includes tags describing how receivers should treat failing messages. The most important tag is p (policy):

Policy: p=none
  Effect on failing mail: No delivery action taken; receivers deliver as usual. You receive aggregate (RUA) reports (and optional forensic RUF) for visibility.
  When to use: Initial monitoring and discovery. Do not stay here indefinitely; users remain exposed to spoofing if you never move forward.

Policy: p=quarantine
  Effect on failing mail: Receivers place failing mail in spam or quarantine.
  When to use: Intermediate stage to test enforcement while you fine-tune alignment and reduce false positives.

Policy: p=reject
  Effect on failing mail: Receivers reject failing mail at the gateway.
  When to use: Target end state for anti-impersonation once legitimate senders pass SPF or DKIM with alignment.

A Step-by-Step Path to Enforcement

  1. Publish p=none with reporting. Start with RUA (and optionally RUF). Confirm that reports arrive and are parsed.
  2. Inventory and authenticate all senders. For each service that sends as your domain, configure SPF and DKIM. Ensure alignment: the Return-Path domain (SPF) and DKIM d= domain should align with the visible From domain.
  3. Use pct to phase in enforcement. Add pct=25 (or similar) while still on p=none, plus sp for subdomain control if needed. Validate the impact and raise pct gradually.
  4. Move to p=quarantine. When compliance is high (many teams target 98%+ of legitimate mail passing), set quarantine. Continue monitoring bounces and spam-folder impacts.
  5. Raise to p=reject. Once you are confident legitimate sources pass and align, switch to reject. Keep monitoring for newly discovered senders or configuration drift.
  6. Maintain and improve. Treat DMARC as a program: rotate DKIM keys, review SPF lookups, audit new vendors, and watch for shadow IT and lookalike domains.

Key DMARC Tags to Know

  • rua= Aggregate report destination(s).
  • ruf= Optional forensic report destination(s) where permitted.
  • pct= Percentage of failing mail to which the policy applies (useful for staged rollout).
  • sp= Subdomain policy (can differ from parent domain).
  • aspf= and adkim= Alignment modes (relaxed or strict) for SPF and DKIM.
  • fo= Failure reporting options (controls when forensic reports are generated, where allowed).
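The alignment rules from step 2 and the tags above, as an added example (hypothetical code, not DMARCFlow's): parse a DMARC TXT record into its tags, then decide whether a message passes DMARC and which policy (p or sp) applies. It assumes the record was found at the organizational domain and uses a two-label heuristic for the organizational domain; real receivers use the Public Suffix List.

```python
"""DMARC record parsing and alignment evaluation (illustrative, not a library)."""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: organizational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(record: dict[str, str], header_from: str,
             spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_domain: str) -> tuple[bool, str]:
    """Return (dmarc_pass, applied_policy) for one message.

    spf_domain is the Return-Path (MAIL FROM) domain; dkim_domain is the d= of a
    verified signature. DMARC passes if either identifier is authenticated AND aligned.
    """
    spf_ok = spf_pass and aligned(spf_domain, header_from, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, record.get("adkim", "r"))
    # sp= governs subdomains of the organizational domain; p= governs the domain itself.
    is_subdomain = header_from.lower().rstrip(".") != org_domain(header_from)
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return spf_ok or dkim_ok, policy


# Constructed record: quarantine the domain, reject subdomains, strict DKIM alignment.
SAMPLE_RECORD = parse_dmarc(
    "v=DMARC1; p=quarantine; sp=reject; pct=25; adkim=s; rua=mailto:dmarc@example.com"
)
```

Note that pct=25 in the sample record is parsed but not applied here: receivers use it to apply the quarantine or reject action to only that share of failing mail.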

Common Pitfalls (and How to Avoid Them)

  • Staying on p=none forever. Monitoring is not protection. Define milestones to reach quarantine and reject.
  • SPF with too many DNS lookups. SPF evaluation permits at most 10 DNS-querying mechanisms and modifiers (include, a, mx, ptr, exists, redirect); exceeding the limit yields a permerror. Refactor overly long SPF records; use include hygiene and guardrails.
  • Misaligned DKIM. Ensure the DKIM signing domain is organizationally aligned with the From domain.
  • No owner for a sender. Assign business and technical ownership to each mail source.
  • Ignoring subdomains. Use the sp tag for subdomain policy and discover auto-created or legacy subdomains.
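A read-only SPF lookup-count lint of the kind the "too many DNS lookups" pitfall calls for, as an added example (hypothetical code, not DMARCFlow's). It walks include and redirect chains over a constructed in-memory zone instead of live DNS, counts the DNS-querying terms, and flags records over the limit of 10.

```python
"""Offline SPF lookup-count lint (illustrative; the zone below is constructed)."""
import re

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying mechanisms/modifiers

# Constructed zone: domain -> SPF TXT record. No live DNS is queried.
ZONE = {
    "example.com": "v=spf1 a include:_spf.crm.example include:mailer.example mx -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.crm.example ~all",
    "_spf2.crm.example": "v=spf1 a mx ptr exists:%{i}.sb.example -all",
    "mailer.example": "v=spf1 redirect=_spf.mailer.example",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 a:relay.mailer.example -all",
}

# Terms that cost a DNS lookup: include:, a, mx, ptr, exists:, and the redirect= modifier.
# ip4:/ip6:/all cost nothing. The optional qualifier (+ - ~ ?) is skipped.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr(?::|$)|exists:|redirect=)", re.I
)


def count_lookups(domain, zone=ZONE, seen=None):
    """Return the number of DNS-querying terms reachable from domain's SPF record."""
    seen = seen if seen is not None else set()
    if domain in seen:  # include loop guard: never recurse into a domain twice
        return 0
    seen.add(domain)
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        if not LOOKUP_TERM.match(term):
            continue
        total += 1  # the term itself is one lookup
        low = term.lower().lstrip("+-~?")
        if low.startswith("include:"):
            total += count_lookups(term.split(":", 1)[1], zone, seen)
        elif low.startswith("redirect="):
            total += count_lookups(term.split("=", 1)[1], zone, seen)
    return total


def lint_spf(domain, zone=ZONE):
    """Read-only guidance: lookup total and whether it stays within the limit."""
    n = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "within_limit": n <= LOOKUP_LIMIT}
```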

How DMARCFlow Supports the Journey

DMARCFlow is designed around the real-world path to enforcement: discover, authenticate, enforce, and maintain. Plans map to operational maturity and scale.

Standard Plan (fast start)

Specs: 5 domains, 3 users, 12-month data retention, up to 300k DMARC messages per month.

Features: RUA plus optional RUF ingestion; dashboards and trend analytics; source discovery; policy progression (none to quarantine to reject); alerts (anomalies, new senders, auth failures); PDF/CSV exports and scheduled summaries; webhook for basic automation; two-factor authentication; geo-maps; automatic subdomain discovery; safe SPF checks (linting, read-only guidance); basic MTA-STS and TLS-RPT visibility; multilingual UI; 8x5 email support; 99.99% uptime (Critical: 4 h; High: 1 business day). Price: 45 USD/month or 460 USD/year (–15%).

Enterprise Plan (scale and governance)

Specs: 25 domains, 10 users, 36-month data retention, up to 3M DMARC messages per month.

Features: Advanced RBAC and audit log; SSO (SAML/OIDC) and SCIM; advanced API (write where applicable); native connectors (Splunk, QRadar, Elastic); ticketing integrations (Jira, ServiceNow); data residency options (e.g., EU); RUF processing and viewer; dynamic and safe SPF management (flattening, auto-includes, lookup guardrails, suggested records); domain blacklist and brand-lookalike monitoring; adaptive alerts (Slack, Teams, SIEM); workspace and domain groups with granular access; BIMI readiness checks; MTA-STS and TLS-RPT hosting; 24x7 critical support with named TAM; 99.99% uptime (Critical: 30 min; High: 2 h). Price: 300 USD/month or 3,000 USD/year (–15%).

Enterprise+ Plan (outcomes and operational assistance)

Specs: Unlimited domains, 100 users, 60-month data retention, custom DMARC volume.

Features: Dedicated DMARC engineer and CSM; hands-on rollout (SPF clean-up, DKIM keying, staged enforcement); weekly operational check-ins and monthly executive reports; BIMI readiness and VMC coordination; threat intelligence and IP reputation enrichment; managed DKIM (key rotation); managed SPF (policy automation); quarterly executive business reviews and roadmap; custom data retention and BYO storage; named on-call escalation; multi-year discounts; 24x7 named escalation; custom runbooks and response SLAs; quarterly posture reviews; 99.99% uptime. Price: 500 USD/month or 5,000 USD/year (–15%).

Bonuses for Enterprise and Enterprise+

  • Onboarding workshop (4 h remote)
  • 30-day evaluation window (cancel anytime within 30 days)
  • Monthly executive reports (deliverability, threat trends, ROI)
  • Quarterly security briefings (threats and actions)
  • Managed DNS updates and continuous monitoring
  • Executive threat-simulation session (annual) with bespoke training plan

Takeaways

  • Enforcement is the goal: reject stops exact-domain spoofing.
  • Use pct, quarantine, and subdomain policy to de-risk the journey.
  • Treat DMARC as an ongoing program, not a one-time project.
  • DMARCFlow aligns features and support with each enforcement milestone, from first reports to full reject across many domains.