DMARC Enforcement Roadmap

This guide provides a structured approach to implementing DMARC and progressing from monitoring to full enforcement.

Overview

Moving to DMARC enforcement (p=reject) protects your domain from spoofing but requires careful preparation. Rushing to enforcement can break legitimate email delivery.

┌─────────────────────────────────────────────────────────────┐
│  Phase 1        Phase 2           Phase 3                   │
│  p=none    →    p=quarantine  →   p=reject                  │
│  Monitor        Soft Enforce      Full Enforce              │
│  2-4 weeks      4-8 weeks         Ongoing                   │
└─────────────────────────────────────────────────────────────┘

Phase 1: Discovery and Monitoring

Goal: Understand your email ecosystem before making changes.

Duration: 2-4 weeks minimum

Week 1: Initial Setup

DMARC Record:

v=DMARC1; p=none; rua=mailto:your-id@reports.mailshield.app

Tasks:

  • [ ] Publish DMARC record with p=none
  • [ ] Configure report delivery to MailShield
  • [ ] Ensure SPF record exists (even if basic)
  • [ ] Document known email sources

Week 2: Discovery

Tasks:

  • [ ] Review incoming DMARC reports
  • [ ] Identify all sending sources from reports
  • [ ] Match sources to known services
  • [ ] Flag unknown sources for investigation

Key metrics to track:

| Metric                | Target                                                  |
|-----------------------|---------------------------------------------------------|
| Report coverage       | Reports from major providers (Google, Microsoft, Yahoo) |
| Source identification | 80%+ of volume from identified sources                  |
| SPF pass rate         | Baseline established                                    |
| DKIM pass rate        | Baseline established                                    |

Weeks 3-4: Remediation

Tasks:

  • [ ] Add missing services to SPF record
  • [ ] Configure DKIM for services that support it
  • [ ] Investigate and resolve unknown sources
  • [ ] Re-check pass rates

Decision checkpoint: Ready for Phase 2 when:

  • ✅ All legitimate senders identified
  • ✅ SPF includes all sending services
  • ✅ DKIM configured where available
  • ✅ DMARC pass rate > 95% for known senders
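The Phase 1 checkpoint above can be evaluated mechanically from the aggregate (rua) reports. This added example is not MailShield's code; it parses a constructed report in the RFC 7489 XML shape, computes per-source DMARC pass counts (a row passes when aligned DKIM or aligned SPF passes), and applies the two exit criteria: known-sender pass rate above 95% and no unidentified sources. The source IPs and volumes are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report shape (not a real report).
# Source IPs come from documentation ranges; the volumes are invented.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>60</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: message count, DKIM-aligned passes, and DMARC passes."""
    per_source = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "dkim_pass": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        dkim_ok = ev.findtext("dkim") == "pass"
        spf_ok = ev.findtext("spf") == "pass"
        per_source[ip]["count"] += count
        per_source[ip]["dkim_pass"] += count if dkim_ok else 0
        # DMARC passes when either aligned identifier (DKIM or SPF) passes
        per_source[ip]["dmarc_pass"] += count if (dkim_ok or spf_ok) else 0
    return dict(per_source)

def phase1_checkpoint(xml_text, known_sources, min_pass_rate=0.95):
    """Phase 1 exit criteria: known-sender pass rate > threshold and no unknown sources."""
    per_source = summarize(xml_text)
    total = sum(v["count"] for v in per_source.values())
    known = {ip: v for ip, v in per_source.items() if ip in known_sources}
    known_volume = sum(v["count"] for v in known.values())
    known_pass = sum(v["dmarc_pass"] for v in known.values())
    unknown = sorted(ip for ip in per_source if ip not in known_sources)
    rate = known_pass / known_volume if known_volume else 0.0
    return {
        "known_pass_rate": rate,
        "identified_share": known_volume / total if total else 0.0,
        "unknown_sources": unknown,          # each of these needs investigation first
        "ready_for_phase2": rate > min_pass_rate and not unknown,
    }
```

In the sample, the known senders pass at 100% but one unidentified source still blocks progression; the 192.0.2.20 sender passes only via SPF, which the dkim_pass counter exposes as a DKIM gap to close.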

Phase 2: Soft Enforcement

Goal: Test enforcement with a safety net.

Duration: 4-8 weeks

Weeks 5-6: Initial Quarantine

DMARC Record:

v=DMARC1; p=quarantine; pct=10; rua=mailto:your-id@reports.mailshield.app

What happens:

  • 10% of messages that fail DMARC are quarantined (typically delivered to spam)
  • The remaining 90% are delivered normally
  • You see the impact without full exposure

Tasks:

  • [ ] Update DMARC record to p=quarantine; pct=10
  • [ ] Monitor for delivery complaints
  • [ ] Check reports for unexpected failures
  • [ ] Verify no legitimate mail in spam

Weeks 7-8: Increase Coverage

Progression:

pct=10  →  pct=25  →  pct=50  →  pct=75  →  pct=100

DMARC Record (example at 50%):

v=DMARC1; p=quarantine; pct=50; rua=mailto:your-id@reports.mailshield.app

Tasks per increment:

  • [ ] Update pct value
  • [ ] Wait 3-5 days
  • [ ] Check for delivery issues
  • [ ] Review DMARC reports
  • [ ] Proceed or rollback based on results

Weeks 9-12: Full Quarantine

DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:your-id@reports.mailshield.app

Tasks:

  • [ ] Remove pct tag (defaults to 100)
  • [ ] Monitor for 2+ weeks at full quarantine
  • [ ] Ensure no legitimate mail issues

Decision checkpoint: Ready for Phase 3 when:

  • ✅ 2+ weeks at p=quarantine with no issues
  • ✅ DMARC pass rate > 99% for legitimate mail
  • ✅ No delivery complaints from users
  • ✅ All authentication issues resolved

Phase 3: Full Enforcement

Goal: Maximum protection against spoofing.

Duration: Ongoing

Transition to Reject

Option A: Gradual (Recommended)

Start with percentage-based reject:

v=DMARC1; p=reject; pct=10; rua=mailto:your-id@reports.mailshield.app

Progress through: pct=10 → pct=25 → pct=50 → pct=100

Option B: Direct (If confident)

If the quarantine phase was smooth:

v=DMARC1; p=reject; rua=mailto:your-id@reports.mailshield.app

Final Record

Production DMARC record:

v=DMARC1; p=reject; rua=mailto:your-id@reports.mailshield.app; adkim=r; aspf=r

With subdomain policy:

v=DMARC1; p=reject; sp=reject; rua=mailto:your-id@reports.mailshield.app

Decision Trees

When to Progress

Current phase stable for 1-2 weeks?
├── No → Continue monitoring
└── Yes → Pass rate > 99%?
    ├── No → Fix issues first
    └── Yes → Any delivery complaints?
        ├── Yes → Investigate and resolve
        └── No → ✅ Safe to progress

When to Pause or Rollback

Pause if:

  • New sender discovered that needs configuration
  • Delivery complaints from legitimate recipients
  • Pass rate drops significantly

Rollback if:

  • Business-critical email failing
  • Unable to resolve issues quickly
  • Customer-facing email affected

Rollback Procedure

Step 1: Reduce enforcement immediately

# From reject to quarantine
v=DMARC1; p=quarantine; rua=mailto:your-id@reports.mailshield.app

# Or from quarantine to none
v=DMARC1; p=none; rua=mailto:your-id@reports.mailshield.app

Step 2: Investigate the issue

  • Check DMARC reports for failing source
  • Identify the service/sender
  • Determine root cause

Step 3: Remediate

  • Add to SPF if missing
  • Configure DKIM if available
  • Test authentication

Step 4: Resume progression

  • Return to previous enforcement level
  • Monitor for 1 week
  • Continue progression
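The Phase 2 and Phase 3 progression (pct=10 → 25 → 50 → 75 → 100 under quarantine, then pct=10 → 25 → 50 → 100 under reject) and the rollback procedure above are a small state machine over the DMARC record. This added example, not MailShield's code, parses a DMARC TXT record into its tags, returns the next record in the progression, or the immediate rollback record; it assumes the record uses the tags shown on this page (sp, adkim, aspf and rua are preserved unchanged) and omits pct when it would be 100, matching the records in this guide.

```python
# Added example: DMARC record parser with the roadmap's progression and rollback steps.
QUARANTINE_STEPS = [10, 25, 50, 75, 100]   # Phase 2 pct progression
REJECT_STEPS = [10, 25, 50, 100]           # Phase 3 (Option A) pct progression

def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a tag dict; reject anything that is not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: missing v=DMARC1 or p tag")
    return tags

def format_dmarc(tags):
    """Serialize tags in the order this guide uses (v, p, sp, pct, rua, ...)."""
    order = ["v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf"]
    keys = [k for k in order if k in tags] + [k for k in tags if k not in order]
    return "; ".join(f"{k}={tags[k]}" for k in keys)

def next_step(record):
    """Next record in the roadmap: none -> quarantine pct=10 -> ... -> reject pct=10 -> ... -> reject."""
    tags = parse_dmarc(record)
    p, pct = tags["p"], int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    if p == "none":
        tags["p"], tags["pct"] = "quarantine", "10"
    elif pct < 100:
        steps = REJECT_STEPS if p == "reject" else QUARANTINE_STEPS
        tags["pct"] = str(next(s for s in steps if s > pct))
    elif p == "quarantine":
        tags["p"], tags["pct"] = "reject", "10"
    # else: already at full reject, nothing further to do
    if tags.get("pct") == "100":
        del tags["pct"]   # pct=100 is the default, so the guide omits the tag
    return format_dmarc(tags)

def rollback(record):
    """Step 1 of the rollback procedure: drop one enforcement level and clear pct."""
    tags = parse_dmarc(record)
    tags.pop("pct", None)
    tags["p"] = {"reject": "quarantine", "quarantine": "none", "none": "none"}[tags["p"]]
    return format_dmarc(tags)
```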

Metrics to Track

By Phase

| Metric              | Phase 1  | Phase 2 | Phase 3 |
|---------------------|----------|---------|---------|
| DMARC pass rate     | Baseline | > 95%   | > 99%   |
| Identified sources  | 80%+     | 95%+    | 100%    |
| SPF pass rate       | Baseline | > 90%   | > 95%   |
| DKIM pass rate      | Baseline | > 90%   | > 95%   |
| Delivery complaints | N/A      | Zero    | Zero    |

Key Indicators

Positive signals:

  • ✅ Consistent high pass rates
  • ✅ No new unknown sources
  • ✅ Zero delivery complaints
  • ✅ Reports from major providers

Warning signals:

  • ⚠️ New unidentified senders appearing
  • ⚠️ Pass rate fluctuations
  • ⚠️ Missing reports from expected providers
  • ⚠️ User complaints about email delivery

Timeline Summary

| Week  | Phase | Policy     | pct    | Key Actions                    |
|-------|-------|------------|--------|--------------------------------|
| 1-2   | 1     | none       | -      | Setup, initial discovery       |
| 3-4   | 1     | none       | -      | Remediation, SPF/DKIM config   |
| 5-6   | 2     | quarantine | 10     | Begin soft enforcement         |
| 7-8   | 2     | quarantine | 25-50  | Increase coverage              |
| 9-10  | 2     | quarantine | 75-100 | Full quarantine                |
| 11-12 | 2     | quarantine | 100    | Stabilization                  |
| 13-14 | 3     | reject     | 10-50  | Begin full enforcement         |
| 15+   | 3     | reject     | 100    | Production, ongoing monitoring |

TIP

This timeline is a guideline. Move faster if your domain has simple email infrastructure, or slower if you have many third-party senders.

Special Considerations

Multiple Subdomains

Consider subdomain policy (sp) carefully:

# Enforce on main domain, monitor subdomains
v=DMARC1; p=reject; sp=none; rua=mailto:reports@...

# Enforce everywhere
v=DMARC1; p=reject; sp=reject; rua=mailto:reports@...

Parked/Unused Domains

Skip the monitoring phase for domains that don't send email:

v=DMARC1; p=reject; rua=mailto:your-id@reports.mailshield.app

Also publish a restrictive SPF record so no host is authorized to send for the domain:

v=spf1 -all

Acquisitions/Mergers

When acquiring new domains:

  1. Start at Phase 1 regardless of parent domain status
  2. Complete full progression
  3. Consider separate report streams initially

Next Steps

Monitor and secure your email domains.