inbox.consulting

Why DMARC Enforcement is the Single Most Important Thing You Can Do for Your Domain Today

Tags: DMARC, Email Security, DNS, Anti-Spoofing

Your domain is probably being abused right now

If you haven’t checked your DMARC policy lately, there’s a good chance someone is sending emails from your domain without your knowledge. Spoofed invoices to your clients. Phishing emails to your staff. Fraudulent messages to your partners — all appearing to come from your legitimate domain.

This isn’t hypothetical. Anyone can put your domain in the From: header of a message, and without DMARC enforcement nothing tells the receiving server to refuse it; unprotected domains are routinely abused this way. The attackers don’t need access to your mail server. They just need your domain name and a willingness to abuse it.

DMARC enforcement stops this. And most businesses still haven’t done it.

What DMARC actually does

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record, published at _dmarc.yourdomain.com, that tells the world’s mail servers what to do with messages whose visible From: address claims your domain but that fail authentication, meaning neither SPF nor DKIM produced a pass for a domain aligned with that From: domain. Alignment is the whole point: a message can pass SPF for the attacker’s own bounce domain and still fail DMARC, because that domain is not yours.

There are three policy levels:

  • p=none — monitor only, take no action
  • p=quarantine — send failing emails to spam
  • p=reject — block failing emails entirely

Most businesses that have DMARC at all are sitting on p=none. That means they’re collecting reports but doing absolutely nothing to stop spoofed emails from reaching inboxes. It’s the equivalent of a CCTV system that records every intruder while nobody ever locks the door.

p=reject is where the protection actually kicks in. With a policy at reject, any message claiming to be from your domain that passes neither aligned SPF nor aligned DKIM is refused by every receiver that honours the policy, which includes all the major mailbox providers. The one caveat is that DMARC is a request to the receiver rather than a command: receivers may apply local policy, so edge cases such as mailing lists that rewrite messages are handled slightly differently from provider to provider.

Why most businesses never reach p=reject

The journey from p=none to p=reject breaks down in the same place every time: fear of breaking legitimate mail flows.

This fear is legitimate. Move too fast to reject without understanding all your sending sources and you risk blocking your own emails: transactional notifications, marketing campaigns, HR systems, accounting platforms. Any third-party service sending email on behalf of your domain needs to be properly authenticated before you enforce, and because SPF breaks whenever a message is forwarded, every source should sign with DKIM under your domain rather than rely on SPF alone.

The correct path is:

  1. Deploy p=none and collect aggregate reports (rua)
  2. Analyse reports to identify every source sending as your domain
  3. Ensure each legitimate source passes SPF or DKIM with a domain aligned to yours; DKIM signed with d=yourdomain.com is the one that survives forwarding, so set it up for every source rather than relying on SPF alone
  4. Move to p=quarantine once all legitimate sources are confirmed
  5. Monitor for two to four weeks with no legitimate mail going to spam
  6. Move to p=reject

This process typically takes two to six weeks depending on how complex your sending infrastructure is. With proper tooling and expertise it can move faster.
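Step 2 is where the real work is, so here is an added example, not part of the post, of what analysing an aggregate report looks like. A constructed report in the RFC 7489 Appendix C XML schema (real reports arrive at the rua address as gzip or zip attachments) is summarised per sending IP, and the failing sources are split into those that authenticated as some other domain (usually a legitimate third party whose DKIM or SPF is not yet aligned with your domain) and those with no valid authentication at all (unknown senders or spoofing). The IPs are documentation addresses and esp.example is a hypothetical email service provider.

```python
import xml.etree.ElementTree as ET

# Summarise a DMARC aggregate (rua) report per sending IP and sort failing
# sources into "misaligned" (authenticated as some other domain, usually a
# legitimate third party to fix) versus "unauthenticated" (no valid SPF or DKIM,
# unknown or spoofing). Added example, not inbox.consulting's code. The report
# below is constructed in the RFC 7489 Appendix C schema; IPs are documentation
# addresses and esp.example is a hypothetical email service provider.

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounces.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarise(xml_text: str) -> dict:
    """Aggregate rows per source IP. policy_evaluated carries the *aligned*
    results, which is what DMARC is judged on; auth_results carries the raw
    SPF/DKIM outcomes and the domains they were checked against."""
    # Reports arrive from the internet: parse them with defusedxml in production,
    # since ElementTree does not defend against entity-expansion attacks.
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        aligned_pass = (rec.findtext("row/policy_evaluated/dkim") == "pass"
                        or rec.findtext("row/policy_evaluated/spf") == "pass")
        raw = rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
        raw_pass = any(r.findtext("result") == "pass" for r in raw)
        s = sources.setdefault(ip, {"count": 0, "pass": 0, "fail": 0,
                                    "raw_auth_pass": False, "auth_domains": set()})
        s["count"] += count
        s["pass" if aligned_pass else "fail"] += count
        if not aligned_pass and raw_pass:
            # Someone authenticated, just not as our domain: a misaligned sender.
            s["raw_auth_pass"] = True
        s["auth_domains"].update(r.findtext("domain") for r in raw)
    return sources


def classify(sources: dict) -> tuple:
    """Return (misaligned_ips, unauthenticated_ips) among sources with failures."""
    misaligned, unauthenticated = [], []
    for ip, s in sources.items():
        if s["fail"] == 0:
            continue
        (misaligned if s["raw_auth_pass"] else unauthenticated).append(ip)
    return sorted(misaligned), sorted(unauthenticated)


if __name__ == "__main__":
    summary = summarise(SAMPLE_RUA)
    for ip, s in summary.items():
        print(f"{ip:15} sent={s['count']:4} dmarc_pass={s['pass']:4} fail={s['fail']:4} "
              f"auth_domains={sorted(s['auth_domains'])}")
    fix, unknown = classify(summary)
    print("fix alignment before enforcing:", fix)
    print("no valid authentication (unknown or spoofing):", unknown)
```

Run it the same way on a real report after decompressing the attachment. The sources in the "fix alignment" bucket (here the ESP signing with its own d=esp.example) are the ones that will start landing in spam at p=quarantine, so they get a custom DKIM key under your domain first; the sources in the "no valid authentication" bucket are what p=reject exists to stop.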

What p=reject actually protects you from

Once you’re at full DMARC enforcement, several attack vectors close immediately:

Direct domain spoofing — Attackers can no longer send emails that appear to come from your exact domain. The receiving mail server checks your DMARC policy, sees p=reject, and blocks the message.

Business Email Compromise (BEC) — One of the most costly attack types involves impersonating executives or finance teams to authorise fraudulent transfers. DMARC enforcement removes exact-domain impersonation from the attacker’s toolkit. It does not stop lookalike domains, display-name tricks, or mail sent from a genuinely compromised mailbox, so it belongs alongside user awareness and account security rather than in place of them.

Brand abuse — Phishing campaigns using your domain to target your customers get blocked before they reach inboxes, protecting both your customers and your sender reputation.

Deliverability improvements — A side effect of proper DMARC enforcement is improved inbox placement for your legitimate mail. Google and Yahoo have required bulk senders to publish a DMARC policy with aligned SPF or DKIM since 2024, and Microsoft uses the same authentication signals in its filtering.

The RFC 9989 update changes the calculus

In 2025 the IETF published RFC 9989 (DMARCbis), the first revision of the DMARC standard since RFC 7489 in 2015. Among its changes it brings the np tag, the non-existent subdomain policy, into the base specification (it had previously lived only in the experimental RFC 9091), so organisations can set a separate policy for subdomains that do not exist in DNS.

This matters because attackers frequently spoof non-existent subdomains like payments.yourdomain.com or invoices.yourdomain.com that look legitimate but have no real mail infrastructure. Under RFC 7489 those subdomains simply inherited your sp policy (or p if sp was absent), so they could only be tightened in step with the rest of your domain. np decouples them: a subdomain that does not exist can never send legitimate mail, so np=reject is safe on day one, even while p is still at none.

A modern hardened DMARC record, published as a single TXT record at _dmarc.yourdomain.com, now looks like:

v=DMARC1; p=reject; np=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

Each tag matters:

  • p=reject — enforce on your main domain
  • np=reject — enforce on non-existent subdomains (RFC 9989); safe to set before anything else
  • sp=reject — enforce on existing subdomains; defaults to the value of p if omitted
  • adkim=s — strict DKIM alignment: the DKIM d= domain must equal the From: domain exactly, not merely share its organisational domain (relaxed, the default, accepts mail.yourdomain.com)
  • aspf=s — strict SPF alignment, the same rule applied to the SPF (envelope-from) domain
  • rua — where aggregate reports go; this is the data that drives the whole rollout
  • fo=1 — request a failure (forensic) report when either SPF or DKIM fails, rather than only when both fail (fo=0, the default)

Strict alignment is the part to apply with care: any service that signs with a subdomain of yours will fail under adkim=s, and relaxed alignment already blocks exact-domain spoofing, so treat s as a hardening step for a mature setup rather than a prerequisite. Failure reports are also best effort: most large receivers do not send ruf reports at all, and those that do may include message content, so point ruf at a mailbox you are prepared to treat as sensitive.

Most businesses are running a fraction of this. The gap between a basic p=none record and a fully hardened policy is significant — and that gap is exactly what attackers exploit.
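To make the tag semantics concrete, here is an added example (not the post’s code) that evaluates a DMARC record the way a receiver would: parse the tags and fill in the RFC defaults, pick p, sp or np according to the From: domain, and test strict versus relaxed alignment for SPF and DKIM. The organisational domain is passed in explicitly rather than derived, since a real receiver computes it from the public suffix list (RFC 7489) or the DMARCbis tree walk; the domains and outcomes in demo() are constructed, and the monitor-only record shows np=reject biting while p is still none.

```python
# Evaluate a DMARC record like a receiver: parse tags, select the policy that
# applies to the RFC5322.From domain, and test SPF/DKIM identifier alignment.
# Added example, not inbox.consulting's code. The organisational domain is an
# explicit parameter (a real receiver derives it from the PSL or the DMARCbis
# tree walk); all domains and outcomes below are constructed.

HARDENED_RECORD = (
    "v=DMARC1; p=reject; np=reject; sp=reject; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@yourdomain.com; "
    "ruf=mailto:dmarc-forensics@yourdomain.com; fo=1;"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict and apply the RFC defaults."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # existing subdomains inherit p
    tags.setdefault("np", tags["sp"])  # non-existent subdomains inherit sp
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def in_org(domain: str, org_domain: str) -> bool:
    return domain == org_domain or domain.endswith("." + org_domain)


def is_aligned(from_domain: str, auth_domain: str, mode: str, org_domain: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts any domain under the
    same organisational domain, e.g. mail.yourdomain.com for yourdomain.com."""
    if from_domain == auth_domain:
        return True
    return mode == "r" and in_org(from_domain, org_domain) and in_org(auth_domain, org_domain)


def applicable_policy(tags: dict, from_domain: str, org_domain: str, subdomain_exists: bool) -> str:
    """p for the organisational domain, sp for a real subdomain, np for one that
    does not exist in DNS."""
    if from_domain == org_domain:
        return tags["p"]
    if in_org(from_domain, org_domain):
        return tags["sp"] if subdomain_exists else tags["np"]
    raise ValueError("this record does not cover the From domain")


def evaluate(tags, org_domain, from_domain, *, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False, subdomain_exists=True):
    """Return (dmarc_result, requested_disposition). DMARC passes when aligned
    SPF or aligned DKIM passes; a raw SPF/DKIM pass for an unaligned domain
    counts for nothing. On failure the disposition is the applicable policy."""
    spf_ok = spf_pass and spf_domain is not None and \
        is_aligned(from_domain, spf_domain, tags["aspf"], org_domain)
    dkim_ok = dkim_pass and dkim_domain is not None and \
        is_aligned(from_domain, dkim_domain, tags["adkim"], org_domain)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", applicable_policy(tags, from_domain, org_domain, subdomain_exists)


def demo() -> dict:
    org = "yourdomain.com"
    hardened = parse_dmarc(HARDENED_RECORD)
    monitor = parse_dmarc("v=DMARC1; p=none; np=reject; rua=mailto:dmarc-reports@yourdomain.com")
    relaxed = parse_dmarc("v=DMARC1; p=reject")
    return {
        # legitimate mail signed with d=yourdomain.com
        "legit": evaluate(hardened, org, org, dkim_domain=org, dkim_pass=True),
        # spoof of the bare domain: SPF passes for the attacker's domain but is not aligned
        "spoof": evaluate(hardened, org, org, spf_domain="attacker.example", spf_pass=True),
        # spoof of a subdomain that does not exist in DNS: np applies
        "spoof_np": evaluate(hardened, org, "invoices.yourdomain.com", subdomain_exists=False),
        # same spoof against a monitor-only record that still sets np=reject
        "spoof_np_monitor": evaluate(monitor, org, "invoices.yourdomain.com", subdomain_exists=False),
        # a service signing with d=mail.yourdomain.com: fails under adkim=s, passes under adkim=r
        "subdomain_sig_strict": evaluate(hardened, org, org, dkim_domain="mail.yourdomain.com", dkim_pass=True),
        "subdomain_sig_relaxed": evaluate(relaxed, org, org, dkim_domain="mail.yourdomain.com", dkim_pass=True),
    }


if __name__ == "__main__":
    for case, (result, disposition) in demo().items():
        print(f"{case:22} dmarc={result:4} disposition={disposition}")
```

The last two cases are the strict-alignment caveat in miniature: the same DKIM-signed message from a service using a subdomain key passes under the default relaxed alignment and is rejected under adkim=s, which is why strict alignment is switched on last, after every source signs with your exact From: domain.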

How to get there

If you’re starting from zero or stuck at p=none, the path forward is straightforward but requires discipline:

  • Audit your current DNS records and identify all sending sources
  • Confirm SPF and DKIM are correctly configured for each source
  • Set up DMARC reporting and analyse the data before tightening policy
  • Move through quarantine to reject methodically
  • Document everything so your team can maintain it

If you’re on Microsoft 365, the process integrates with Exchange Online, Defender for Office 365, and Entra ID — each of which has its own authentication configuration requirements that need to align with your DMARC deployment.

Getting to p=reject is not a one-afternoon job. But it’s the single most impactful change you can make to protect your domain, your customers, and your brand.


Need help getting to DMARC enforcement without disrupting your mail flow? Book a free audit call — we’ll review your current setup and give you a clear remediation path.