Implementing DMARC can be relatively quick, but it depends on the size and complexity of your organization, as well as the number of domains and third-party services you use to send emails. Here are the general steps to follow to implement DMARC:

• Identify the domains and third-party services you use to send emails. This could include email marketing tools, notification platforms, etc.
• Ensure that SPF and DKIM are already configured and properly registered for your domains.
• Publish a DMARC policy at the domain level using a DNS TXT record. This policy defines the rules for receiving emails sent from your domain.
• Test your DMARC configuration by sending emails from different sources and checking the headers of those emails. You should use tools such as DMARC.fr
• Adjust your configuration if necessary based on the results of your tests.
• Update your DMARC policy as needed based on your email security needs and strategy.

Overall, it is recommended to take the time to understand how DMARC works and how it can be used to improve your email security before deploying it. If you need help implementing DMARC, it is recommended to seek the assistance of an email professional or a reliable email service provider.

How long does it take to set up a DMARC policy in p=quarantine or p=reject?

It takes between 3 and 6 months for a heavily used domain. But the answer will depend on how quickly you and your providers can authenticate with SPF/DKIM the emails sent with your domain names, in accordance with your needs for domain reputation isolation and sending domain security. DMARC.fr provides you with a DMARC reporting analysis platform and the expertise to guide you through this process.

At dmarc.fr, we believe that the p=quarantine mode is a good compromise that satisfies the needs of the company, which is why, without ever hindering their enlightened will, we do not push our clients to switch to p=reject mode to the possible detriment of their operational efficiency. They are free to decide for themselves with the information we have been gathering in the field since 2017.

Ultimately, the decisions to move DMARC from p=none to p=quarantine, and then eventually from p=quarantine to p=reject are business decisions.

Do you prioritise the security of your users/customers/suppliers or the operational efficiency of your company?

Thank you to some of our competitors (the red stuff) for respecting this choice and no longer harassing our clients with recommendations disconnected from their operational realities. In addition, apple.com, sophos.com, bestbuy.com, renault.com, mercedes-benz.de, uber.com, docker.com, sendinblue.com, webex.com, bell.ca, etc. seem to have, by this date (14/12/2021), made the "p=quarantine" choice.