How should I configure DMARC for multiple domains and when should I implement a reject policy?

Summary

The answers collected here agree on a phased approach to DMARC across multiple domains. Configure SPF and DKIM first, then publish a DMARC record with `p=none` to monitor traffic and inventory your legitimate sending sources. Analyze the aggregate reports, fix authentication and alignment failures, and only then move to `p=quarantine` and finally `p=reject`, once you are confident that legitimate mail authenticates. Each domain needs its own DMARC record reflecting its sending practices; subdomains can inherit the parent policy or carry their own. Monitoring continues after enforcement. An ESP's DMARC policy is irrelevant when the From: address uses your own domain; only your domain's policy applies. DMARC protects your domain's reputation, helps deliverability and gives insight into your email ecosystem, but it is not a primary defense against phishing.

Key findings

  • Phased Implementation: DMARC implementation should be a phased approach, starting with monitoring (p=none).
  • SPF/DKIM First: Configure SPF and DKIM before implementing DMARC.
  • Domain-Specific Records: Each domain requires its own DMARC record.
  • Continuous Monitoring: Continuous monitoring of DMARC reports is crucial for identifying authentication issues.
  • ESP Policy Irrelevance: ESP's DMARC policy doesn't matter if sending from your domain.
  • Visibility and Protection: DMARC offers visibility into email channels and protects your brand, but it is not an anti-phishing tool.

Key considerations

  • Reject Implementation: Implement the reject policy cautiously after thorough monitoring and fixing authentication failures.
  • Report Analysis: Carefully analyze DMARC reports to inform policy decisions.
  • Complexity of Mail System: Monitoring duration depends on the complexity of the mail system.
  • Subdomain Handling: Decide how to handle subdomain policies (inherit or unique).
  • Authentication Validation: Actively validate authentication setups during the deployment stages.
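
The record layout and the per-domain/subdomain resolution described above, as an added example that is not part of the original page. It builds a DMARC TXT record for each domain, validates the tags that matter for policy evaluation, and resolves the policy a receiver would apply to a given From: domain the way RFC 7489 describes (the From domain's own record wins; otherwise the organizational domain's record applies, with `sp` overriding `p` for subdomains). The domains, the `ZONE` table and the helper names (`build_record`, `parse_record`, `effective_policy`, `org_domain`) are assumptions for illustration, and `org_domain` uses a simplified "last two labels" rule; real receivers consult the Public Suffix List.

```python
"""Build, validate and resolve DMARC records for a portfolio of domains.

Added example (not from the original page). Assumes the RFC 7489 record
layout and a simplified organizational-domain rule (last two labels);
production code should use the Public Suffix List.
"""

POLICIES = ("none", "quarantine", "reject")


def build_record(policy, rua, sp=None, pct=100, adkim="r", aspf="r"):
    """Return the DMARC TXT record string for one domain."""
    if policy not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError("policy must be none, quarantine or reject")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    tags = ["v=DMARC1", f"p={policy}"]
    if sp is not None:
        tags.append(f"sp={sp}")
    tags.append("rua=" + ",".join("mailto:" + a for a in rua))
    tags.append(f"adkim={adkim}")
    tags.append(f"aspf={aspf}")
    if pct != 100:
        tags.append(f"pct={pct}")
    return "; ".join(tags)


def parse_record(txt):
    """Parse a DMARC TXT record into a dict and validate the tags that
    drive policy evaluation. Raises ValueError on malformed input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        tags[k] = v
    # v=DMARC1 must be the first tag and p is mandatory (RFC 7489 section 6.3)
    if txt.split(";", 1)[0].strip() != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or invalid")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp tag invalid")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    tags["pct"] = pct
    for t in ("adkim", "aspf"):
        if tags.get(t, "r") not in ("r", "s"):
            raise ValueError(f"{t} must be r (relaxed) or s (strict)")
    if "rua" in tags:
        uris = [u.strip() for u in tags["rua"].split(",")]
        if not all(u.startswith("mailto:") for u in uris):
            raise ValueError("rua entries must be mailto: URIs")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(zone, from_domain):
    """Resolve (policy, pct) a receiver applies to mail whose RFC5322.From
    domain is from_domain, given zone mapping domain -> DMARC TXT record.
    Returns (None, None) when neither the domain nor its org domain has one."""
    from_domain = from_domain.lower().rstrip(".")
    if from_domain in zone:  # the From domain's own record always wins
        rec = parse_record(zone[from_domain])
        return rec["p"], rec["pct"]
    org = org_domain(from_domain)
    if org in zone:  # subdomain without its own record: sp if present, else p
        rec = parse_record(zone[org])
        return rec.get("sp", rec["p"]), rec["pct"]
    return None, None


# Constructed example zone: three domains at different rollout stages.
ZONE = {
    # Main brand: enforcing; no sp tag, so unlisted subdomains inherit p=reject.
    "example.com": build_record("reject", ["dmarc@example.com"]),
    # Legacy domain still monitoring, but unlisted subdomains are quarantined
    # so a forgotten subdomain cannot be spoofed silently.
    "example.net": build_record("none", ["dmarc@example.com"], sp="quarantine"),
    # Marketing subdomain with its own record, rolling reject out to 50%.
    "news.example.com": build_record("reject", ["dmarc@example.com"], pct=50),
}

if __name__ == "__main__":
    for d in ("example.com", "news.example.com", "shop.example.com",
              "example.net", "old.example.net", "example.org"):
        print(f"{d:20} -> {effective_policy(ZONE, d)}")
```

Each record is published as a TXT record at `_dmarc.<domain>`; the point of `effective_policy` is to check, before you enforce on one domain, which policy every subdomain you actually send from will end up under.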

What email marketers say
8 Marketer opinions

The provided advice consistently recommends a phased approach to DMARC implementation, starting with SPF and DKIM configuration. Then, deploying a DMARC record with a `p=none` policy for monitoring and data collection is crucial. This allows identification and correction of authentication issues before transitioning to `p=quarantine` and, eventually, `p=reject`. Continuous monitoring of DMARC reports is essential for maintaining deliverability and brand protection. Properly configured DMARC provides visibility into email channels, protects against unauthorized use of domains, and enhances email ecosystem security.

Key opinions

  • Phased Approach: DMARC implementation should be a gradual process, starting with monitoring and progressing towards enforcement.
  • SPF & DKIM First: SPF and DKIM setup is a prerequisite for effective DMARC configuration.
  • Monitoring is Key: Continuous monitoring of DMARC reports is essential for identifying and addressing authentication issues.
  • Brand Protection: DMARC protects your domain’s reputation and prevents unauthorized use, improving email deliverability.
  • Visibility: DMARC provides insights into your email ecosystem, helping to identify and address potential security threats.

Key considerations

  • Timing of Reject: Implementing a `p=reject` policy should only occur after thorough monitoring and correction of authentication failures to avoid blocking legitimate emails.
  • Data Analysis: Careful analysis of DMARC reports is necessary to make informed decisions about policy transitions.
  • Domain Scope: Consider the impact on multiple domains and subdomains when configuring DMARC policies.
  • Authentication Issues: Identify and resolve any authentication issues reported in DMARC reports before moving to stricter policies.
  • Long-Term Management: DMARC requires ongoing management and monitoring to maintain its effectiveness and protect against emerging threats.
Marketer view

Email marketer from Reddit shares the advice to deploy SPF and DKIM first. After that is done, start with a DMARC record with `p=none` to begin collecting data and making sure everything is correct. Then deploy quarantine and finally reject once you are happy with the results.

December 2024 - Reddit
Marketer view

Email marketer from Postmark explains that using p=none helps you understand how your emails are being treated without impacting deliverability. It allows you to gather data and make informed decisions before implementing stricter policies. You should actively monitor the reports and adjust configurations as necessary.

January 2025 - Postmark
Marketer view

Email marketer from Mailjet shares that moving to a `p=reject` policy should only be done after careful monitoring of DMARC reports with a `p=none` or `p=quarantine` policy. This allows you to identify and correct any legitimate email sources that are failing authentication before you start rejecting emails.

June 2024 - Mailjet
Marketer view

Email marketer from SparkPost recommends a phased approach, starting with `p=none` for several weeks or months to gather data and identify any issues. Moving to `p=quarantine` should be done gradually, and `p=reject` only after careful analysis and resolution of all identified problems.

May 2022 - SparkPost
Marketer view

Email marketer from EasyDMARC emphasizes that DMARC provides visibility into email channels and allows businesses to protect their brand by preventing unauthorized use of their domains. Implementation should start with monitoring and gradually move to enforcement.

February 2022 - EasyDMARC
Marketer view

Email marketer from Proofpoint explains that DMARC protects your domain’s reputation, ensures better email deliverability, and provides valuable insights into your email ecosystem, helping you to identify and address potential security threats.

August 2024 - Proofpoint
Marketer view

Email marketer from ReturnPath emphasizes the importance of continuous monitoring of DMARC reports to identify and address authentication issues and potential spoofing attempts. Consistent monitoring helps maintain a healthy email ecosystem and protect your brand.

January 2023 - ReturnPath
Marketer view

Email marketer from AuthSMTP shares that SPF and DKIM need to be set up before DMARC is configured. SPF ensures that the email is sent from an authorised server, and DKIM provides a digital signature to verify authenticity.

January 2023 - AuthSMTP

What the experts say
5 Expert opinions

The experts recommend a phased DMARC deployment, starting with a 'none' policy to observe traffic and identify legitimate sending sources. Each domain should be treated separately, and an ESP's DMARC policy is irrelevant if you're using your own domain. DKIM and SPF are crucial for proper DMARC setup. A cautious approach to implementing 'reject' is emphasized, with thorough monitoring and analysis of DMARC reports recommended before transitioning from 'none' to 'quarantine' and then 'reject'. The monitoring period depends on the complexity of the mail system and the effort put into fixing issues. DMARC is not very effective against phishing.

Key opinions

  • Phased Deployment: DMARC should be deployed gradually, starting with a 'none' policy.
  • Domain Specific: Each domain needs to be treated separately regarding DMARC configuration.
  • ESP Irrelevance: An ESP's DMARC policy is irrelevant if sending with your own domain.
  • DKIM and SPF: DKIM and SPF are prerequisites for effective DMARC implementation.
  • Cautious Approach: Implement 'reject' cautiously, with thorough monitoring and analysis of DMARC reports.

Key considerations

  • Monitoring Duration: The duration of the monitoring period depends on the complexity of the mail system.
  • Phishing: DMARC is not a primary defense against phishing attacks.
  • Authentication Validation: Actively monitor reports and diagnose authentication failures to facilitate the transition to 'quarantine' and ultimately 'reject'.
  • Configuration Complexity: Proper configuration of DMARC requires understanding SPF and DKIM alignment, and coordination with each ESP so that it uses a subdomain of your domain in the return path (for SPF) and signs with your domain (for DKIM).
  • Gradual Transition: Carefully transition from 'none' to 'quarantine' to 'reject' to avoid blocking legitimate email.
Expert view

Expert from Spam Resource, John Levine, explains that DMARC deployment should be phased. Start with a 'none' policy to observe traffic and identify legitimate sending sources. Gradually move to 'quarantine' and then 'reject' as confidence in the configuration increases.

November 2023 - Spam Resource
Expert view

Expert from Word to the Wise, Laura Atkins, emphasizes a cautious approach to implementing 'reject'. She recommends thorough monitoring and analysis of DMARC reports to avoid blocking legitimate email. Starting with 'none' and carefully transitioning is key.

July 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that DMARC is based on the domain in the From: field, allowing separate treatment for each mail stream with different domains. He also notes that an ESP's DMARC policy is irrelevant when sending with your own domain in the From: field; only your domain's policy matters. To properly set up DMARC, DKIM and SPF are needed, requiring each ESP to use a subdomain of your domain in the return path and to sign with your domain.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks advises that the duration of monitoring a quarantine policy before moving to reject depends on the complexity and history of your mail system, as well as the effort invested in fixing issues. Actively monitoring reports and diagnosing authentication failures allows you to track the rate of real problems and transition when it's near zero.

February 2024 - Email Geeks
Expert view

Expert from Email Geeks recommends against immediately implementing a `p=reject` policy. He suggests monitoring mail streams with `p=none`, identifying and fixing issues for at least six months, especially if it's not a greenfield setup. He also adds that DMARC isn't particularly effective against phishing.

November 2022 - Email Geeks
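
The report analysis the experts describe (tracking the rate of real authentication problems per source and moving to the next policy only when it is near zero), as an added example that is not part of the original page or of any tool it names. It parses a DMARC aggregate (RUA) report in the RFC 7489 Appendix C XML format, tallies aligned pass/fail per source IP, lists the sources that need attention, and recommends whether to advance from the current policy. The report XML is constructed for this example, and the 1% failure threshold in `recommend_next_policy` is an assumed operating target, not a standard. Real reports arrive as compressed attachments from third parties; decompress them first and parse with `defusedxml.ElementTree` rather than the standard library module.

```python
"""Summarize a DMARC aggregate report and decide on the next policy step.

Added example (not from the original page). SAMPLE_REPORT is constructed;
it follows the RFC 7489 Appendix C aggregate report schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: one aligned source, one ESP that signs with its own
# domain (so DKIM/SPF pass but are not aligned), and one unknown sender.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>rpt-0001</report_id>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.net</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>940</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.net</domain><result>pass</result></dkim>
      <spf><domain>example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-mail.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-mail.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results>
      <spf><domain>example.org</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Return (reported domain, stats) where stats maps source IP to message
    count, DMARC-pass count and the raw auth results seen for that source."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    stats = defaultdict(lambda: {"count": 0, "pass": 0, "auth": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes when
        # either aligned DKIM or aligned SPF passes.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        s = stats[ip]
        s["count"] += count
        if "pass" in (dkim, spf):
            s["pass"] += count
        # Raw results show *why* alignment failed, e.g. an ESP signing with
        # its own domain: fix the ESP config rather than treat it as spoofing.
        for el in rec.findall("auth_results/*"):
            s["auth"].add(f"{el.tag}:{el.findtext('domain')}={el.findtext('result')}")
    return domain, dict(stats)


def failing_sources(stats):
    """Source IPs with any DMARC failures, sorted for stable reporting."""
    return sorted(ip for ip, s in stats.items() if s["pass"] < s["count"])


def recommend_next_policy(current, stats, max_fail_rate=0.01):
    """Return (policy, fail_rate): advance one step (none -> quarantine ->
    reject) only when the failure rate is at or under max_fail_rate."""
    total = sum(s["count"] for s in stats.values())
    fails = sum(s["count"] - s["pass"] for s in stats.values())
    rate = fails / total if total else 0.0
    steps = ["none", "quarantine", "reject"]
    i = steps.index(current)
    if rate <= max_fail_rate and i < len(steps) - 1:
        return steps[i + 1], rate
    return current, rate


if __name__ == "__main__":
    domain, stats = summarize(SAMPLE_REPORT)
    print(f"report for {domain}")
    for ip in failing_sources(stats):
        print(ip, stats[ip]["count"], "msgs,", stats[ip]["pass"], "pass,",
              sorted(stats[ip]["auth"]))
    print(recommend_next_policy("none", stats))
```

On this report the failure rate is about 14%, so the recommendation stays at `p=none`: 198.51.100.7 is a legitimate ESP whose signing and return-path domains are not yours (fix it by having the ESP sign with your domain and use a subdomain of yours in the return path), while 192.0.2.99 shows no relationship to your domain at all and is what enforcement will eventually block. Rerun the same analysis over successive reports and advance only once the fixed sources have actually disappeared from the failing list.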

What the documentation says
4 Technical articles

The documentation collectively advises configuring each domain with its own DMARC record reflecting its specific sending practices and authentication results. Subdomains can inherit the parent domain's policy or have their own. A gradual implementation is recommended, starting with `p=none` for monitoring, then `p=quarantine`, and finally `p=reject` once you are confident in authentication. DMARC lets receiving systems verify that mail claiming to come from your domain is legitimate by checking SPF and/or DKIM results against the DMARC record you publish in DNS.

Key findings

  • Individual Records: Each domain should have its own DMARC record.
  • Phased Implementation: Implement DMARC gradually, starting with `p=none`.
  • Email Verification: DMARC helps verify that emails are legitimately sent from your organization.
  • Authentication Methods: DMARC uses SPF and/or DKIM to authenticate emails.

Key considerations

  • Subdomain Policies: Decide whether subdomains should inherit parent domain policies or have their own.
  • Monitoring Reports: Actively monitor DMARC reports during the 'none' and 'quarantine' phases.
  • Authentication Confidence: Transition to 'reject' only when confident that legitimate email is properly authenticated.
  • DNS Publication: A DMARC record takes effect only once it is published in DNS, as a TXT record at `_dmarc.<domain>`.
Technical article

Documentation from DMARC.org explains that for multiple domains, each domain should have its own DMARC record. Each record should reflect the specific sending practices and authentication results for that domain. Subdomains can inherit the policy of the parent domain, or have their own distinct policies.

January 2025 - DMARC.org
Technical article

Documentation from RFC7489 details the DMARC standard and explains that the purpose of DMARC is to allow a sender to indicate that their messages are protected by SPF and/or DKIM, and tell a receiver what to do if neither of those authentication methods passes.

February 2022 - RFC7489
Technical article

Documentation from Microsoft explains that DMARC helps receiving mail systems verify that messages claimed to be from your organization were indeed sent by your organization. Creating a DMARC record is the first step and needs to be published to DNS.

January 2024 - Microsoft Learn
Technical article

Documentation from Google Workspace Admin Help advises to start with a DMARC policy of `p=none` and monitor the reports. Then move to `p=quarantine` and continue monitoring, before finally moving to `p=reject` once you are confident that only legitimate email is being authenticated.

April 2022 - Google Workspace Admin Help