For any UK SME operating in the digital age, email is the lifeblood of business communication. However, it is also the primary vector for cyber-attacks. Sophisticated criminals frequently use "spoofing"—impersonating your domain to send fraudulent emails to your clients, suppliers, or staff. If your business hasn't implemented Domain-based Message Authentication, Reporting, and Conformance (DMARC), your domain is effectively an open door for these bad actors. While the concept of DMARC enforcement can sound daunting, failing to implement it is a significant oversight that puts your brand reputation at risk and invites regulatory scrutiny from the ICO. This guide will walk you through the process of moving from a vulnerable state to full enforcement without disrupting your legitimate business communications.
1. Understanding the DMARC Ecosystem: SPF and DKIM
Before you can enforce DMARC, you must ensure the two foundational pillars—SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)—are correctly configured. Think of these as the "ID cards" of your email.
The Foundation
- SPF (Sender Policy Framework): This is a DNS record that lists the specific IP addresses and services (like Microsoft 365 or Google Workspace) authorised to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): This adds a digital signature to your emails. It proves that the signed parts of the email haven't been tampered with in transit and confirms the message was signed by a server holding your domain's DKIM private key, whose matching public key is published in your DNS.
If these are not set up correctly, moving to DMARC enforcement will cause your legitimate emails to be rejected by recipients, effectively breaking your own communications. We always recommend starting with a full audit of your current DNS records to ensure these are valid before proceeding.
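To make the SPF audit concrete, the following is an added example (not part of the original guide) that evaluates a sending IP against an SPF record the way a receiving server does, and flattens every authorised network reachable through include: chains so you can see who may send as you. It runs offline against a constructed DNS table: the domains and IP ranges are made up (documentation ranges), and the record body under spf.protection.outlook.com is a stand-in, not Microsoft's real record. It also counts DNS-lookup terms against the ten-lookup limit that SPF imposes (RFC 7208), a common reason an otherwise correct record silently fails once several vendors' includes are added. DKIM is not checked here because verifying it needs a signed message and the published public key, not just a DNS record.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed TXT answers standing in for DNS (documentation IP ranges only).
# spf.protection.outlook.com is the include name Microsoft 365 uses, but this
# record body is a stand-in for the example, not Microsoft's published record.
FAKE_DNS: Dict[str, str] = {
    "example.co.uk": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com include:_spf.crm.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.0/25 include:_deep.crm.example ~all",
    "_deep.crm.example": "v=spf1 ip4:192.0.2.200 -all",
}

# RFC 7208: more than ten lookup-causing terms (include, a, mx, ptr, exists, redirect) is a permerror.
MAX_DNS_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str) -> Optional[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver for production use."""
    return FAKE_DNS.get(domain.lower())


def check_host(ip: str, domain: str, _lookups: Optional[List[int]] = None) -> Tuple[str, int]:
    """Evaluate sending address `ip` against `domain`'s SPF record.

    Returns (result, dns_lookups_used). Handles ip4/ip6/include/all; a/mx/ptr/exists
    are counted against the lookup limit but not resolved in this offline model,
    and modifiers such as redirect= and exp= are ignored.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # `in` returns False on an IPv4/IPv6 version mismatch rather than raising.
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier], lookups[0]
        elif name in ("include", "a", "mx", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]
            if name == "include":
                sub, _ = check_host(ip, value, lookups)
                if sub == "pass":
                    return QUALIFIER_RESULT[qualifier], lookups[0]
                if sub in ("none", "permerror", "temperror"):
                    return "permerror", lookups[0]  # a broken include breaks the whole record
        elif name == "all":
            return QUALIFIER_RESULT[qualifier], lookups[0]
    return "neutral", lookups[0]


def authorised_networks(domain: str, _seen: Optional[set] = None) -> List[str]:
    """Flatten every ip4/ip6 term reachable through include: chains, for auditing who may send as you."""
    seen = _seen if _seen is not None else set()
    if domain in seen:  # guard against include loops
        return []
    seen.add(domain)
    nets: List[str] = []
    for term in (lookup_txt(domain) or "").split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.append(value)
        elif name.lower() == "include":
            nets.extend(authorised_networks(value, seen))
    return nets


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "192.0.2.200", "10.0.0.1"):
        print(sender, check_host(sender, "example.co.uk"))
    print("authorised:", authorised_networks("example.co.uk"))
```

The second return value is the useful audit figure: if it creeps towards ten as you add vendor includes, the record will start returning permerror at some receivers and your mail will fail SPF even though every IP is listed.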
2. The DMARC Policy Hierarchy
DMARC works by telling receiving mail servers what to do if an email fails authentication. You control this through a "policy" (the p= tag in your DNS record).
- p=none (Monitoring Mode): This is the "safe" starting point. It tells receiving servers to deliver emails even if they fail authentication, but to send a report back to you. This is essential for visibility.
- p=quarantine: Emails that fail authentication are sent to the recipient’s junk or spam folder.
- p=reject: The ultimate goal. Emails that fail authentication are blocked entirely before they reach the recipient's inbox.
The mistake many IT managers make is jumping straight to p=reject. This is a recipe for disaster. The transition must be gradual, using data to inform your decisions.
3. The Implementation Strategy: The "Monitor-Only" Phase
The most critical step in setting up DMARC without breaking your email is the "Monitor-Only" phase. This period is not about blocking mail; it is about data gathering.
Why you need a reporting tool
When you set your DMARC record to p=none, you will start receiving XML reports from major email providers (like Outlook, Gmail, and Yahoo). These reports are difficult to read in their raw format. For a UK SME, we strongly recommend using a DMARC monitoring platform (such as DMARCian, PowerDMARC, or OnDMARC). These tools parse the XML files and provide a clear dashboard showing:
- Which services are sending email as you.
- Which IPs are failing authentication.
- Whether those failures are legitimate (e.g., a forgotten marketing tool) or malicious.
You should remain in this p=none phase for at least 30 days to capture the full cycle of your business email patterns, including monthly newsletters or occasional automated alerts.
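The aggregate reports mentioned above are XML documents in the layout defined by the DMARC specification (RFC 7489). The following is an added example, not code from the original guide or from any of the monitoring platforms it names, that parses one such report and produces the three answers a dashboard gives you: which sources send as your domain, which fail, and whether a failure looks like an unregistered-but-legitimate vendor (it authenticates under its own domain, so alignment fails) or a sender with nothing verifying at all. The report, reporter name, IP addresses and domains are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed aggregate (rua) report in the RFC 7489 layout; reporter, IPs and domains are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <!-- Our main mail platform: listed in SPF and DKIM-signed with our own domain -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>example.co.uk</domain><result>pass</result></dkim>
      <spf><domain>example.co.uk</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Marketing tool nobody told IT about: authenticates, but only under the vendor's domains -->
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><dkim><domain>mail.vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Unknown host using our From: domain with nothing verifying -->
  <record>
    <row><source_ip>198.51.100.99</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def _text(el: ET.Element, path: str, default: str = "") -> str:
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_report(xml_text: str) -> Dict:
    """Summarise one aggregate report: a verdict per source plus the overall DMARC pass rate."""
    root = ET.fromstring(xml_text)
    summary: Dict = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either one passes.
        aligned = any(_text(rec, f"row/policy_evaluated/{k}") == "pass" for k in ("dkim", "spf"))
        # auth_results holds the raw results, including passes under some other domain.
        raw_passes = [
            f"{k}:{_text(r, 'domain')}"
            for k in ("dkim", "spf")
            for r in rec.findall(f"auth_results/{k}")
            if _text(r, "result") == "pass"
        ]
        if aligned:
            verdict = "pass"
        elif raw_passes:
            verdict = "unaligned"        # typically a vendor sending as you under its own domain
        else:
            verdict = "unauthenticated"  # misconfigured sender, or someone spoofing you
        summary["sources"].append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "header_from": _text(rec, "identifiers/header_from"),
            "authenticated_as": raw_passes,
            "verdict": verdict,
        })
    total = sum(s["count"] for s in summary["sources"])
    passed = sum(s["count"] for s in summary["sources"] if s["verdict"] == "pass")
    summary["total"] = total
    summary["pass_rate"] = passed / total if total else 0.0
    return summary


def failing_sources(summary: Dict) -> List[Dict]:
    """Sources needing attention before enforcement, largest volume first."""
    return sorted((s for s in summary["sources"] if s["verdict"] != "pass"), key=lambda s: -s["count"])


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['domain']}: {report['pass_rate']:.1%} of {report['total']} messages passed DMARC")
    for src in failing_sources(report):
        print(f"  {src['source_ip']:<16} {src['count']:>5}  {src['verdict']:<16} {src['authenticated_as']}")
```

In practice reports arrive as gzip or zip attachments to the rua= mailbox, one per reporting provider per day, so a monitoring platform is doing exactly this over hundreds of files and merging the results; the "unaligned" bucket is where your Shadow IT (section 4) shows up, because the vendor's own domain appears in the raw DKIM or SPF result.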
4. Identifying and Fixing "Shadow IT"
During your monitoring phase, you will likely discover "Shadow IT"—legitimate services that your staff have signed up for without the IT department’s knowledge. This might include:
- CRM platforms (Salesforce, HubSpot).
- Marketing automation tools (Mailchimp, Dotdigital).
- HR or payroll software that sends automated payslips.
- Internal ticketing or support systems.
If these aren't listed in your SPF record or signed with DKIM, they will fail once you turn on enforcement. Use your monitoring dashboard to identify these senders. Contact the vendors to get their specific SPF include strings and DKIM setup instructions. Once added to your DNS, wait for the data to confirm that these services are now passing authentication before tightening your policy.
5. Gradual Enforcement: The Shift to Quarantine and Reject
Once your monitor reports show that 100% of your legitimate traffic is passing SPF and DKIM, you are ready to escalate.
The Gradual Rollout
- Start with a percentage (pct): You can use the pct tag to apply the policy to only a fraction of your mail. For example, p=quarantine; pct=25 means only 25% of failing mail is sent to spam.
- Monitor and increase: Watch your reports. If your legitimate traffic remains unaffected, increase to 50%, then 100%.
- Move to Reject: Once p=quarantine; pct=100 is stable, change the policy to p=reject. This is the "Gold Standard" of email security. It ensures that any spoofed email pretending to be from your domain is dropped entirely, protecting your brand from being used in phishing campaigns targeting your partners or customers.
Key Takeaways
- Never rush: DMARC enforcement is a process, not a "set and forget" task. Rushing leads to undelivered business-critical emails.
- Visibility is mandatory: Use a reporting tool to interpret DMARC reports. Trying to do this manually via raw XML files is inefficient and prone to error.
- Review periodically: Your email ecosystem changes. New marketing tools and cloud services mean your SPF and DKIM records need regular maintenance.
- Alignment is key: DMARC requires that the domain in the visible "From" header matches the domain authenticated by SPF (the envelope sender / return-path domain) or by DKIM (the d= tag in the signature). Ensure your email service providers are configured for "DMARC Alignment", i.e. to send with your domain as the return-path and to sign with your domain's DKIM key, not only their own.
- Compliance: Implementing DMARC is a clear indicator of a mature approach to cyber security, aligning with UK Cyber Essentials requirements and demonstrating due diligence under GDPR regarding data protection.
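Two of the points above, the staged rollout in section 5 and the "Alignment is key" takeaway, come down to the DMARC record itself and to how a receiver compares domains. The following is an added example, not code from the original guide, that parses and sanity-checks a DMARC record, applies the relaxed/strict alignment rule governed by the adkim and aspf tags, and proposes the next record on the guide's ladder (none, quarantine at 25%, 50%, 100%, then reject) only when every legitimate source is passing. The record values and domains are constructed, and the small PUBLIC_SUFFIXES table is an assumption standing in for the Public Suffix List that real implementations use to find the organisational domain.

```python
from typing import Dict, List, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")
# The rollout ladder from section 5: monitor, quarantine a growing share, then reject.
LADDER = [("none", 100), ("quarantine", 25), ("quarantine", 50), ("quarantine", 100), ("reject", 100)]
# Assumption: a tiny stand-in for the Public Suffix List, enough for the constructed domains used here.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com", "net", "example"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Check the things that silently break enforcement: bad p, bad pct, bad alignment modes, no rua."""
    tags = parse_dmarc(record)
    problems: List[str] = []
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer between 0 and 100")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, so no aggregate reports will arrive")
    return not problems, problems


def org_domain(name: str) -> str:
    """Organisational domain: one label above the public suffix (example.co.uk, not co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return name.lower()


def is_aligned(header_from: str, authenticated_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: strict (s) needs an exact match, relaxed (r) the same organisational domain."""
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return org_domain(header_from) == org_domain(authenticated_domain)


def next_policy(record: str, legitimate_pass_rate: float) -> Optional[str]:
    """Return the next record on the ladder, or None if you should stay where you are.

    Moves only when every legitimate source is passing (rate == 1.0), as the guide advises,
    and only from a record that sits exactly on one of the ladder's rungs.
    """
    tags = parse_dmarc(record)
    current = (tags.get("p"), 100 if tags.get("p") == "none" else int(tags.get("pct", "100")))
    if legitimate_pass_rate < 1.0 or current not in LADDER or current == LADDER[-1]:
        return None
    policy, pct = LADDER[LADDER.index(current) + 1]
    tags["p"], tags["pct"] = policy, str(pct)
    order = ["v", "p", "pct"] + [k for k in tags if k not in ("v", "p", "pct")]
    return "; ".join(f"{k}={tags[k]}" for k in order)


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"
    print(validate_dmarc(record))
    while record:
        print(record)
        record = next_policy(record, legitimate_pass_rate=1.0)
    print(is_aligned("example.co.uk", "mail.example.co.uk"), is_aligned("example.co.uk", "mail.example.co.uk", "s"))
```

The pass rate fed to next_policy should be the share of your known legitimate sources that pass, not the overall pass rate from the reports, because spoofed traffic failing is exactly what you want and must not hold up the rollout.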
By following this methodical approach, you can harden your domain against impersonation while ensuring that your legitimate business communications remain seamless and secure. Remember, the goal of DMARC is not just to block attackers, but to provide a verified, trustworthy channel for your business to communicate with the world.
To take the next step