Why This Matters Now
Since Gmail and Yahoo tightened bulk-sender rules in 2024, and with Microsoft 365 following similar patterns through 2025 and 2026, email that is not authenticated with SPF, DKIM, and DMARC is increasingly treated as spam or blocked outright. Regulators and cyber insurers also expect enforced DMARC as baseline hygiene. For Orange County SMBs, the practical outcome is simple: get DMARC to p=quarantine or p=reject, or watch your deliverability fall while your brand impersonation risk rises.
The Three Records in Plain English
SPF (Sender Policy Framework)
A TXT record listing servers and services allowed to send on behalf of your domain. SPF breaks if you exceed 10 DNS lookups, so keep it clean.
DKIM (DomainKeys Identified Mail)
A cryptographic signature added to outbound messages, verified via public key in DNS. DKIM survives forwarding better than SPF and is what DMARC alignment relies on for many workflows.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
A policy record that tells receivers what to do when SPF or DKIM fails alignment (none, quarantine, reject) and where to send aggregate reports. DMARC is where you make policy decisions — SPF and DKIM are the sensors.
Step-by-Step Rollout
Step 1: Inventory Every Sender (Week 1)
List every service that sends email using your domain: Microsoft 365 or Google Workspace, CRM, marketing automation, billing, ticketing, e-commerce, HR, and any line-of-business app. Include printers and scanners that send-to-email. Missing senders is the number one cause of blocked legitimate mail.
Step 2: Publish Baseline SPF and DKIM (Week 1–2)
Build an SPF record that authorizes only the senders you own. Enable DKIM for your primary provider (Microsoft 365 or Google) and for each third-party sender that supports it. Many SaaS tools require a one-time DNS CNAME to delegate DKIM keys.
Step 3: Publish DMARC at p=none With Reporting (Week 2)
Start at p=none with rua= and ruf= addresses pointing to a DMARC report processor (several free tiers exist). This collects aggregate data without changing mail flow.
Step 4: Analyze Reports for 2–4 Weeks
Identify unauthorized senders, shadow IT, and legitimate senders you forgot. Fix SPF, add DKIM for missing services, and update vendor contacts. This is where most of the time goes, and skipping it is where most failed rollouts go wrong.
Step 5: Move to p=quarantine at 25%, Then 100%
Use DMARC's pct= tag to phase enforcement. Monitor deliverability and reports at each step.
Step 6: Move to p=reject
Once quarantine at 100% is stable for at least two weeks with no legitimate failures, publish p=reject. Announce internally and keep reporting turned on.
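To make steps 2 through 6 concrete, here is a small added checker (not BitBlockIT's tooling, and not part of the original post) that runs against constructed TXT records for a hypothetical zone: it counts SPF DNS lookups against the limit of 10, parses the DMARC tags, and reports what is still open before p=reject. All domain names, addresses and records below are invented placeholders.

```python
# Constructed TXT records for a hypothetical zone; every name uses the reserved .test TLD.
ZONE = {
    "example.test": ["v=spf1 include:spf.protection.outlook.test include:_spf.crm.test mx -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; sp=reject; pct=25; rua=mailto:dmarc@example.test"],
    "spf.protection.outlook.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.crm.test": ["v=spf1 include:_spf1.crm.test include:_spf2.crm.test ~all"],
    "_spf1.crm.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf2.crm.test": ["v=spf1 a mx -all"],
}
# Terms that cost a DNS query under RFC 7208's limit of 10; ip4, ip6, all and exp= do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
def count_spf_lookups(domain, chain=()):
    """Count DNS-querying terms reachable from the domain's SPF record, following include/redirect."""
    if domain in chain:  # include loop: stop counting, a receiver would return permerror here
        return 0
    recs = [r for r in ZONE.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:  # zero or several SPF records both yield permerror at the receiver
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(recs)}")
    total = 0
    for term in recs[0].lower().split()[1:]:
        # strip the qualifier (+ - ~ ?) and any CIDR suffix; redirect= uses '=' where include: uses ':'
        name, _, target = term.lstrip("+-~?").split("/")[0].replace("=", ":", 1).partition(":")
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_spf_lookups(target, chain + (domain,))
    return total

def parse_dmarc(domain):
    """Return the tag/value pairs of the _dmarc record; pct defaults to 100 as in RFC 7489."""
    recs = [r for r in ZONE.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        raise ValueError(f"{domain}: expected exactly one DMARC record, found {len(recs)}")
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (kv.partition("=") for kv in recs[0].split(";")) if k.strip()}
    tags.setdefault("pct", "100")
    return tags

def rollout_findings(domain):
    """Gaps against the checklist above; missing or duplicate records surface as ValueError."""
    t, findings = parse_dmarc(domain), []
    if count_spf_lookups(domain) > 10:
        findings.append("SPF exceeds the 10 DNS lookup limit")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports are not being collected")
    if "sp" not in t:
        findings.append("sp= not set: subdomains silently inherit p=")
    if t.get("p") != "reject" or t["pct"] != "100":
        findings.append(f"enforcement incomplete: p={t.get('p')} pct={t['pct']}")
    return findings
```

Swap the ZONE dictionary for live TXT lookups and the same three functions give you the monitoring-phase checks described in steps 3 through 6.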
Common Mistakes That Break Mail
More than 10 DNS lookups in SPF — use SPF flattening tools or consolidate senders
Multiple SPF records on the same domain — only one is allowed and the rest are ignored
Forgetting to authenticate subdomains used by marketing platforms
DKIM keys shorter than 2048 bits
Jumping straight to p=reject without reports — the fastest way to block payroll day mail
Not publishing BIMI once DMARC is enforced — you lose a branding win in supporting inboxes
Bonus: ARC and BIMI
For organizations that use mailing lists or forward heavily, ARC (Authenticated Received Chain) preserves DMARC results across hops where supported. Once DMARC is enforced, publishing a BIMI record with a VMC logo adds your verified logo to supporting clients — a small but visible trust signal for customers.
Quick Checklist
One consolidated SPF record under 10 DNS lookups
DKIM enabled on primary and all bulk third-party senders
DMARC at p=reject, 100%, with aggregate reports flowing
Subdomain DMARC policy (sp=) explicitly set
BIMI published with a VMC where it makes sense
Quarterly review of reports for new senders and anomalies
Frequently Asked Questions
Will DMARC at reject break my ticketing or CRM email?
Not if you authenticate them first. That is exactly what the monitor phase catches.
We use Microsoft 365 — is there a simpler path?
Yes. Microsoft's guidance plus a DMARC reporting tool covers 90 percent of small SMB cases.
How long does a full rollout take?
Four to eight weeks for most SMBs. Larger or marketing-heavy companies take longer.
Is DMARC required by PCI or HIPAA?
Directly referenced by PCI 4.0.1 for anti-phishing; de facto expected for HIPAA as part of technical safeguards. See our posts on PCI 4.0.1 and the HIPAA checklist.
Need a Hand?
BitBlockIT runs DMARC programs for Orange County SMBs end to end, including SPF cleanup, DKIM for every sender, and a quarterly review cadence.
Contact us or explore managed cybersecurity. Related reading: deepfake and CEO fraud, and cybersecurity basics.