
DMARC rollout guide.

From p=none to p=reject in 8 to 12 weeks without breaking legitimate mail. Practical phasing, common mistakes, and the tools that make the rollout tractable for a small or mid-sized business running Microsoft 365 or Google Workspace.

Rollout phases.

Phase 0 — Inventory

Week 1

Catalog every authorized sender for every domain you control: Microsoft 365, marketing platform, helpdesk, billing, payroll, CRM, factoring vendor, ELD vendor, anything that sends mail from your domain. Most environments miss two to five legitimate senders in the first pass.

Phase 1 — Visibility (p=none)

Week 1–4

Publish DMARC at p=none with rua reporting to a parser. This is monitoring only — no mail is affected. Reports show every IP sending mail claiming to be from your domain, the volume, and whether they pass SPF / DKIM alignment. Most environments find one or two surprise legitimate senders here that need to be authorized.

Phase 2 — Quarantine (p=quarantine)

Week 4–8

Move to p=quarantine with pct=10, then pct=25, then pct=50, then pct=100. Each step waits a week to confirm reports stay clean. Failed-alignment mail starts landing in recipient junk folders. Legitimate senders that were missed in Phase 0 surface as customer complaints — fix the SPF / DKIM, then proceed.

Phase 3 — Reject (p=reject)

Week 8–12

Move to p=reject with pct=100. Mail that fails authentication is rejected at the receiver before it reaches any recipient. Spoofed mail from your domain stops working from outside. This is the goal state — your customers can trust the From address on every message they receive.

Phase 4 — Maintain

Ongoing

Weekly DMARC report review during onboarding, monthly thereafter. New senders are authorized through change control. Quarterly SPF lookup audit (RFC 7208 limits to 10 lookups; growing vendor lists violate this). BIMI logo registration once p=reject is stable.
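The phase progression above maps directly onto the tags in the DMARC TXT record: p= for the policy, pct= for the gradual ramp, sp= for subdomains, rua= for reporting. The Python below is an added example, not code from this guide or from any of the tools it names; it parses a record, validates only the tags the rollout depends on, names the phase the record sits in, and lists the gaps the phases tell you to close. The record strings at the bottom are constructed.

```python
"""Parse a DMARC TXT record and classify it against the rollout phases.

Added example: not part of the guide or of any vendor tool. Only the tags the
rollout uses (v, p, sp, pct, rua) are validated; other tags are kept as-is.
"""
from dataclasses import dataclass, field

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str
    subdomain_policy: str
    pct: int
    rua: list = field(default_factory=list)
    tags: dict = field(default_factory=dict)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' and validate the tags the rollout depends on."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; p= is mandatory on the policy record
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    # sp= defaults to p= when absent, so subdomains inherit the parent policy
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in POLICY_RANK:
        raise ValueError(f"unknown subdomain policy {subdomain_policy!r}")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, subdomain_policy, pct, rua, tags)


def rollout_phase(rec: DmarcRecord) -> str:
    """Name the guide's phase this record sits in."""
    if rec.policy == "none":
        return "phase 1 (visibility)"
    if rec.policy == "quarantine":
        return f"phase 2 (quarantine, pct={rec.pct})"
    if rec.pct < 100:
        return f"phase 3 incomplete (reject, pct={rec.pct})"
    return "phase 3 (reject)"


def warnings_for(rec: DmarcRecord) -> list:
    """Gaps the phases tell you to close before moving on."""
    found = []
    if not rec.rua:
        found.append("no rua= address: aggregate reports are not being collected")
    if any(not u.lower().startswith("mailto:") for u in rec.rua):
        found.append("rua= entries must be mailto: URIs")
    if POLICY_RANK[rec.subdomain_policy] < POLICY_RANK[rec.policy]:
        found.append(f"sp={rec.subdomain_policy} is weaker than p={rec.policy}: "
                     "subdomains stay spoofable")
    if rec.policy == "none" and rec.pct < 100:
        found.append("pct= has no effect at p=none")
    return found


if __name__ == "__main__":
    # constructed records, one per phase
    for txt in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    ):
        rec = parse_dmarc(txt)
        print(txt, "->", rollout_phase(rec), warnings_for(rec))
```

Run it against the record your DNS actually serves (for example the output of a TXT lookup on _dmarc.yourdomain) before each phase change; the sp= check in particular catches the subdomain gap listed under common mistakes.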

Common mistakes.

  • Going straight to p=reject without monitoring at p=none first — a missing legitimate sender lands as a customer-impacting outage.
  • Multiple SPF records on the same domain — RFC 7208 §4.6.4 says PermError. Always one SPF record per domain, with includes.
  • More than 10 DNS lookups in the SPF resolution chain — same PermError, same effect: receivers stop trusting SPF.
  • Forgetting to publish DKIM on every sending platform. Marketing tools, helpdesks, and billing platforms each need their own signing key.
  • Leaving DMARC at p=none indefinitely. Visibility-only mode does not stop spoofing — it only tells you about it.
  • Publishing DMARC on the parent domain without covering subdomains (the sp= tag sets the subdomain policy). Spoofers use bare subdomains when the parent is locked.
  • Skipping MTA-STS. Without MTA-STS, an attacker on the network path can strip the TLS handshake from inbound mail, downgrade it to plaintext, and read the contents in transit.
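Two of the mistakes above, multiple SPF records and more than 10 lookups, are mechanical enough to check in code. The Python below is an added example, not code from this guide or from the vendors it lists. It walks an SPF include/redirect chain against a constructed in-memory zone (the FAKE_DNS dict, using reserved .example names) rather than live DNS, counts the terms that cost a DNS query under RFC 7208 §4.6.4 (include, a, mx, ptr, exists and redirect), and flags any name that publishes more than one v=spf1 record. The zone deliberately models a domain whose vendor list has grown past the limit.

```python
"""Audit an SPF chain: one record per name, at most 10 DNS-querying terms.

Added example, not part of the guide. The zone below is constructed (reserved
.example names); swap the dict for a real TXT lookup to audit a live domain.
"""

# Constructed zone: name -> list of TXT strings published at that name
FAKE_DNS = {
    "example.com": [
        "v=spf1 mx include:_spf.mailvendor.example include:helpdesk.example "
        "include:billing.example -all"
    ],
    "_spf.mailvendor.example": [
        "v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all"
    ],
    "a.mailvendor.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "helpdesk.example": ["v=spf1 a mx include:cdn.helpdesk.example -all"],
    "cdn.helpdesk.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "billing.example": ["v=spf1 a mx ptr -all"],
    # two v=spf1 records at one name: receivers return PermError
    "duplicate.example": ["v=spf1 include:helpdesk.example -all",
                          "v=spf1 ip4:192.0.2.10 -all"],
}

# Mechanisms that cost a DNS query (RFC 7208 §4.6.4); ip4/ip6/all do not
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def spf_records(name, zone):
    """All v=spf1 TXT strings published at name (there must be exactly one)."""
    return [t for t in zone.get(name, []) if t.lower().startswith("v=spf1")]


def count_lookups(name, zone, path=()):
    """Return (lookups, problems) for name, recursing through include:/redirect=."""
    if name in path:
        return 0, [f"{name}: include/redirect loop via {' -> '.join(path)}"]
    path = path + (name,)
    records = spf_records(name, zone)
    if len(records) != 1:
        return 0, [f"{name}: {len(records)} SPF records found (PermError)"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.lower().startswith("redirect="):
            lookups += 1
            sub, more = count_lookups(term.split("=", 1)[1], zone, path)
            lookups += sub
            problems += more
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()          # "a/24" -> "a"
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "include":
            sub, more = count_lookups(arg.split("/")[0], zone, path)
            lookups += sub
            problems += more
    return lookups, problems


def audit(name, zone=FAKE_DNS):
    """Total DNS lookups for name plus any PermError conditions found."""
    lookups, problems = count_lookups(name, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{name}: {lookups} DNS lookups, limit is {MAX_LOOKUPS} (PermError)")
    return lookups, problems


if __name__ == "__main__":
    for domain in ("example.com", "duplicate.example", "a.mailvendor.example"):
        print(domain, audit(domain))
```

In the constructed zone, example.com resolves to 12 lookups once the three vendor includes are expanded, which is exactly how a growing vendor list crosses the limit without any single record looking wrong. This is the check to run in the quarterly SPF audit from Phase 4.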

Tooling.

  • DMARC visibility platforms
    PowerDMARC, Valimail, Dmarcian, EasyDMARC, Postmark — all aggregate the XML reports into something readable.
  • Microsoft 365 admin center
    Native DMARC and DKIM controls under Email Authentication Settings.
  • Google Workspace admin
    DKIM management under Apps → Google Workspace → Gmail.
  • EFROS Free Security Score
    Surfaces current SPF / DKIM / DMARC state plus the visible gaps in 60 seconds.

FAQ.

How long does a full DMARC rollout take?

Eight to twelve weeks for a typical small or mid-sized business. The pace is bounded by how long you wait between phases to confirm reports stay clean, not by the technical change itself.

Will this break our marketing email?

Only if your marketing platform is sending unauthenticated mail, which most do not. Set the DKIM signing record at the platform, add the platform's SPF include, confirm reports show alignment, then proceed.

What about transactional email from our CRM / billing platform?

Same logic. Authenticate each platform individually. Phase 1 visibility catches anything that's currently unauthenticated.

Can we run DMARC without a third-party reporting platform?

Yes, but the XML aggregate reports are unreadable raw. A parser (free tier available from most vendors) makes the rollout tractable.
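Phase 1 and this last answer both turn on reading the aggregate reports. The Python below is an added example (not from this guide or from any of the platforms listed) of what such a parser does with the report XML laid out in RFC 7489 Appendix C: it reads each record, groups mail by source IP, and classifies each source as aligned on both SPF and DKIM, SPF-only, DKIM-only or failing. The report is constructed (reserved .example names and documentation IP ranges) and embedded inline; real reports arrive as gzip or zip attachments to the rua= mailbox.

```python
"""Parse a DMARC aggregate (rua) report and summarize it per source IP.

Added example, not from the guide or a vendor tool. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout; real ones arrive as
.xml.gz or .zip attachments to the rua= mailbox and need decompressing first.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published>
    <domain>example.com</domain><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- primary mail platform: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- marketing vendor: SPF aligned via include, DKIM signed with the vendor's own domain -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailvendor.example</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown source: nothing aligns -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

STATUS_RANK = {"pass": 0, "dkim-only": 1, "spf-only": 1, "fail": 2}


def parse_report(xml_text):
    """Pull the published policy and one dict per <record> out of a report."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the aligned results DMARC actually uses
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def classify(row):
    """Alignment status of one record."""
    if row["dkim_aligned"] and row["spf_aligned"]:
        return "pass"
    if row["spf_aligned"]:
        return "spf-only"      # passes today, but forwarding breaks SPF
    if row["dkim_aligned"]:
        return "dkim-only"
    return "fail"              # this is what p=reject will bounce


def summarize(report):
    """Per-source-IP totals, keeping the worst status seen for that IP."""
    summary = {}
    for row in report["rows"]:
        entry = summary.setdefault(row["source_ip"],
                                   {"count": 0, "status": "pass", "dkim_domains": set()})
        entry["count"] += row["count"]
        entry["dkim_domains"].update(row["dkim_domains"])
        if STATUS_RANK[classify(row)] > STATUS_RANK[entry["status"]]:
            entry["status"] = classify(row)
    return summary


def needs_action(report):
    """Source IPs that would start failing once the policy moves past p=none."""
    return sorted(ip for ip, e in summarize(report).items() if e["status"] == "fail")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['reporter']} -> {report['domain']} (p={report['policy']})")
    for ip, entry in summarize(report).items():
        print(f"  {ip:15} {entry['count']:6d} {entry['status']:9} dkim={sorted(entry['dkim_domains'])}")
    print("needs action:", needs_action(report))
```

The spf-only status is the one to watch during Phase 1: the marketing vendor passes DMARC today on SPF alone, but any forwarded copy loses SPF, so the fix is the vendor DKIM key the common-mistakes list calls for. The fail rows are the surprise senders (or spoofers) that Phase 2 will start putting in junk.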