DMARCsimple logo by CCMS

DMARC Implementation Checklist

A practical, step-by-step checklist for IT teams, MSPs and operations staff rolling out DMARC with DMARCsimple.

Phase 1 – Preparation

  • Identify all domains and subdomains, including parked or legacy domains.
  • Confirm who controls DNS (internal IT, MSP, registrar or cloud provider).
  • Inventory all platforms that send email:
    • Microsoft 365 or Exchange Online
    • Google Workspace
    • Transactional providers (e.g., SendGrid, SES, Mailgun)
    • Marketing platforms and CRMs
    • Support/ticketing systems
  • Verify each platform supports SPF and DKIM.
  • Create or access your DMARCsimple account.

Phase 2 – Configure SPF and DKIM

Ensure your authentication foundations are solid before enabling DMARC:

SPF

  • Confirm there is only one SPF record per domain.
  • Remove deprecated or unknown include: mechanisms.
  • Keep DNS lookups under the recommended limit (DMARCsimple can flag problems).
  • Verify all sending platforms are represented.

DKIM

  • Enable DKIM signing for each supported platform.
  • Publish the corresponding selector._domainkey records in DNS.
  • Check that the From: domain and DKIM domain are properly aligned.

Phase 3 – Enable DMARC Monitoring

  • Publish an initial DMARC record in monitoring mode, for example: 
    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; fo=1; adkim=s; aspf=s
  • Confirm mailbox providers start sending aggregate XML reports.
  • Verify that DMARCsimple is ingesting and displaying these reports.
  • Review:
    • Top sending sources and providers
    • Failing IPs and services
    • Alignment failures (SPF, DKIM, DMARC)
    • Unexpected or unknown senders

Phase 4 – Fix Misconfigurations

  • Address SPF failures (missing includes, wrong IPs, multiple records).
  • Correct DKIM alignment issues on legitimate platforms.
  • Work with marketing and IT teams to update sending domains where needed.
  • Remove or block unauthorized senders and legacy services.
  • Verify subdomain behavior and update DMARC sp= policy if required.

Phase 5 – Move Toward Enforcement

Once legitimate email is consistently passing authentication, you can tighten enforcement:

  • Move from p=none to p=quarantine and monitor for 1–2 weeks.
  • Confirm that legitimate messages are not being incorrectly quarantined.
  • Gradually move to p=reject to block spoofed messages.
  • Optionally use pct= for phased rollout or sp= for subdomain policies.

Phase 6 – Ongoing Operations

  • Review DMARC reports in DMARCsimple on a regular schedule.
  • Investigate new or unexpected sending sources quickly.
  • Update SPF and DKIM when you add, remove or change email platforms.
  • Keep a simple change log for auditors and future team members.

Best practices

  • Treat DMARC as an ongoing process, not a one-time project.
  • Involve marketing, IT and security early.
  • Document decisions so future audits are easier.