DMARC enforcement journey — from p=none to p=reject
Took us 6 months to go from p=none to p=reject across our domain. Sharing the journey:
Months 1-2: Deploy DMARC with p=none and aggregate reporting. Used dmarcian to visualize who's sending as our domain.
Surprise findings:
- Marketing team using 3 different email platforms (Mailchimp, HubSpot, custom SMTP)
- Old dev server still sending test emails
- A former vendor's system still sending on our behalf
Months 3-4: Fixed all legitimate senders (added SPF includes, configured DKIM). Moved to p=quarantine.
Months 5-6: Monitored quarantine reports. Zero false positives. Moved to p=reject.
Result: Spoofed emails impersonating our domain dropped from ~200/week to 0 delivered.
Six months is actually fast. We took 9 months because of legacy applications sending email that nobody documented. The discovery phase is the hardest part.
For anyone starting this: set up DMARC reporting first and actually read the reports for at least 30 days before making any policy changes. Tools like dmarcian, Valimail, or even free parsers help visualize it.
The marketing team issue is universal. Every company I audit has shadow email senders. Marketing signs up for a new tool, enters SMTP credentials, and never tells IT. DMARC discovery is the only way to find them all.
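Added example, not code from any of the posters above: a small Python parser for a DMARC aggregate (RUA) report that does the "who is sending as our domain?" step from the original post's Months 1-2 and the "actually read the reports" advice in the replies. It sorts each sending IP into three buckets: aligned passes, sources that authenticate for some other domain (the shadow SaaS mailer pattern, which needs a DKIM key or SPF include before p=quarantine is safe), and sources that authenticate for nothing (spoofing, or an old dev box). The report, the domain example.com, the vendor domain mailvendor.example and the IPs are all constructed for the example; the verdict labels and the helper names are my own, not dmarcian's or Valimail's.

```python
"""Parse a DMARC aggregate (RUA) report and classify each sending source.
Report format follows the RFC 7489 aggregate XML; the sample is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report for a hypothetical example.com (not a real feed).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>  <!-- corporate mail gateway: DKIM and SPF both aligned -->
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- marketing platform: authenticates, but for the vendor's domain -->
    <row>
      <source_ip>198.51.100.25</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailvendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailvendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- spoof (or an undocumented box): nothing authenticates -->
    <row>
      <source_ip>192.0.2.77</source_ip>
      <count>200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(dkim_aligned, spf_aligned, raw_passes):
    """Verdict for one record (labels are this example's, not a standard).
    pass                  -> DKIM or SPF passed AND aligned with header From
    unaligned_third_party -> something passed, but for another domain
    unauthenticated       -> nothing passed at all"""
    if dkim_aligned or spf_aligned:
        return "pass"
    if raw_passes:
        return "unaligned_third_party"
    return "unauthenticated"


def parse_report(xml_text):
    """Return the published policy plus one row per <record>."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # Raw auth results say WHO signed/authorized the mail; that is the
        # clue for naming the undocumented vendor behind an unaligned IP.
        raw_passes = sorted(
            f"{kind}:{r.findtext('domain')}"
            for kind in ("dkim", "spf")
            for r in rec.findall(f"auth_results/{kind}")
            if r.findtext("result") == "pass")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            "verdict": classify(ev.findtext("dkim") == "pass",
                                ev.findtext("spf") == "pass", raw_passes),
            "authenticated_as": raw_passes,
        })
    return {"domain": pub.findtext("domain"), "policy": pub.findtext("p"), "rows": rows}


def totals_by_verdict(report):
    """Message counts per verdict; the unaligned share is what p=quarantine would hit."""
    totals = defaultdict(int)
    for r in report["rows"]:
        totals[r["verdict"]] += r["count"]
    return dict(totals)


def sources_to_fix(report):
    """IPs that authenticate for another domain: probably legitimate senders
    nobody told IT about. Align them (DKIM key / SPF include) before tightening p=."""
    return sorted({(r["source_ip"], tuple(r["authenticated_as"]))
                   for r in report["rows"] if r["verdict"] == "unaligned_third_party"})


def dmarc_txt(policy, rua, pct=100):
    """TXT record for _dmarc.<domain> at each stage of the rollout."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy: {policy}")
    return f"v=DMARC1; p={policy}; rua=mailto:{rua}; pct={pct}"


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep['domain']} currently publishes p={rep['policy']}")
    for verdict, n in sorted(totals_by_verdict(rep).items()):
        print(f"  {verdict:22s} {n:>6}")
    for ip, who in sources_to_fix(rep):
        print(f"  fix alignment for {ip} (authenticates as {', '.join(who)})")
    print("next record:", dmarc_txt("quarantine", "dmarc@example.com"))
```

Run it against a folder of real RUA attachments (unzip, then parse_report on each file) and the unaligned_third_party bucket is your shadow-sender list; only when that bucket is empty for a few weeks is the move to p=quarantine low-risk.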