A step-by-step playbook for deploying DMARC on a UK business domain, from first monitoring record to full p=reject enforcement. Covers sender inventory, SPF/DKIM preparation, monitoring, gradual progression and the common pitfalls that derail rollouts.
The rollout runs in phases: p=none and monitor, then p=quarantine, then p=reject.

Before you start you need a mailbox to receive reports ([email protected] or similar) and a tool to process them (parsedmarc).

## Phase 1: Sender inventory

Before you publish any DMARC record, know who sends as your domain. The inventory is the single most important part of the whole rollout. Missed senders cause blocked legitimate mail at enforcement.
Walk through every business function:
For each, note: the domain it sends "from", the domain it signs with (if known), and whether it uses a shared-provider address or a custom sending domain.
## Phase 2: SPF/DKIM preparation

For each inventoried sender:

- Ensure its DKIM signatures use d=firm.co.uk so that DKIM aligns with your domain. See DKIM for Third-Party Senders.
- Confirm that the Authentication-Results header on a test message shows spf=pass, dkim=pass, and both aligning with your domain.

Do not proceed to Phase 3 until every sender in the inventory passes both SPF and DKIM with aligned domains. This work is tedious but irreducible — skipping it just means you discover the problems during enforcement instead of during setup.
## Phase 3: p=none and monitor

Publish an initial DMARC record:

```
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=1"
```

Wait. Aggregate reports begin arriving within 24-48 hours from the major receivers (Google, Yahoo, Microsoft). Feed them into your processing tool.
What to look for in the reports:
Spend 2-4 weeks in this phase. Do not rush. Every unresolved issue you find now is an issue that would have blocked legitimate mail at enforcement.
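To make the monitoring phase concrete, here is an added example (not the article's own tooling, and not parsedmarc) that reads one aggregate report and separates aligned sources from third parties that authenticate under their own domain, the "missed sender" case the playbook warns about. It also applies the readiness bar from the FAQ (99%+ pass across known sources) to a single report; the "consistently for two weeks" part is a judgement you make across many reports. The report XML is a constructed sample in the RFC 7489 layout, and the source IPs are documentation addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real
# receiver's report): one aligned source and one third party signing as itself.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>firm.co.uk</domain><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>120</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<auth_results><dkim><domain>firm.co.uk</domain><result>pass</result></dkim>
<spf><domain>firm.co.uk</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<auth_results><dkim><domain>mailer.example</domain><result>pass</result></dkim>
<spf><domain>mailer.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarise(report_xml):
    """Per-source message counts and verdicts from one aggregate report."""
    out = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        row, ar = rec.find("row"), rec.find("auth_results")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* verdicts; DMARC passes if either does.
        dmarc_pass = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        # auth_results holds the raw verdicts: a raw pass with an aligned fail
        # means the sender authenticates, just not as your domain.
        raw_pass = (ar.findtext("dkim/result") == "pass"
                    or ar.findtext("spf/result") == "pass")
        out[row.findtext("source_ip")] = {
            "count": int(row.findtext("count")),
            "dmarc_pass": dmarc_pass,
            "misaligned": raw_pass and not dmarc_pass,
            "dkim_domain": ar.findtext("dkim/domain"),
            "spf_domain": ar.findtext("spf/domain"),
        }
    return out


def pass_rate(summary, known_sources):
    """Fraction of messages from inventoried source IPs that passed DMARC."""
    rows = [v for ip, v in summary.items() if ip in known_sources]
    total = sum(v["count"] for v in rows)
    return sum(v["count"] for v in rows if v["dmarc_pass"]) / total if total else 0.0


def ready_for_reject(summary, known_sources, threshold=0.99):
    """The playbook's bar for one report: 99%+ pass and no misaligned known source."""
    known = [summary[ip] for ip in known_sources if ip in summary]
    return pass_rate(summary, known_sources) >= threshold and not any(
        v["misaligned"] for v in known)
```

A source that is flagged misaligned but belongs in your inventory is a sender still missing from Phase 2; one that is not in your inventory at all is either a new service or spoofing, and either way it is why you do not tighten yet.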
## Phase 4: p=quarantine

When reports show consistently clean authentication for every legitimate sender, tighten to quarantine:

```
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; fo=1"
```

Now 25% of failing mail goes to spam. Watch reports for 1-2 weeks. No new issues → raise to pct=50, wait, then pct=100.
At each step:
## Phase 5: p=reject

After p=quarantine; pct=100 has been stable for at least a week:

```
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]; fo=1"
```

Ramp through pct=50 then pct=100. Finally, tighten alignment to strict (optional but recommended for mature deployments):

```
_dmarc.firm.co.uk. IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:[email protected]; fo=1"
```

Also publish sp=reject to lock down subdomains.
| Organisation | Typical timeline |
|---|---|
| Sole trader, hosted email | 2-4 weeks |
| 10-person UK SME | 4-8 weeks |
| 50-person firm, 5-10 SaaS senders | 8-12 weeks |
| 200-person organisation, 20+ senders | 3-6 months |
| Public sector body | 6+ months (governance and audit) |
## Common pitfalls

- Forgetting subdomains. Publish sp= or individual subdomain records, or lose protection on mail from any subdomain.
- Skipping p=quarantine and going straight to p=reject.
- Treating p=none as a permanent state. No protection; the rollout never finishes. Progress.
- Not starting at all. Publish a p=none record and progress from there.
## FAQ

Q: Can I skip p=quarantine and go straight from p=none to p=reject?
A: Technically yes; practically no. Quarantine is a safety margin that catches missed senders before they are rejected outright.
Q: How long should I stay at each pct= value?
A: One to two weeks at each value is typical. Shorter if your sender landscape is simple; longer if complex or if you notice issues.
Q: Do I need to notify my mail receivers when I change policy?
A: No. DNS propagation is automatic. Receivers query your DMARC record on each evaluation and use whatever is current.
Q: What if I discover a missed sender during p=reject?
A: Emergency rollback to p=quarantine; pct=100. Fix the sender's SPF/DKIM. Wait a week. Re-progress to p=reject.
Q: Can a DMARC rollout proceed without touching SPF?
A: Only if DKIM authentication is strong enough alone. Most UK businesses benefit from both SPF and DKIM for redundancy — especially for forwarded mail.
Q: Is monthly a reasonable progression cadence?
A: Too slow for most UK SMEs. Weekly-to-fortnightly progression during the active rollout is usual. Monthly is reasonable for very large organisations with heavy governance overhead.
Q: What does "ready for p=reject" look like in aggregate reports?
A: 99%+ of known legitimate sending sources show dmarc=pass consistently for at least two weeks. New sources appear only sporadically and are always either caught spoofing or newly-onboarded services that you have already added to the inventory.
Q: Should I notify third-party senders before tightening DMARC?
A: For major senders (your marketing platform, CRM) it is courteous to confirm they expect correct authentication. Usually the third party is ready; just-in-case notification is not required.