Skip to main content

Locking Down DMARC

Move your DMARC policy from none (monitoring only) to quarantine or reject (enforcement) to protect your domain from email spoofing.

Palisade's DMARC Agent manages the enforcement process through tickets. This is the safest approach because it ensures all legitimate sending sources are properly authenticated before tightening the policy.

How It Works

  1. Monitoring phase -- While Palisade is still analyzing your DMARC reports, enforcement tickets remain in the Upcoming state. During this time, resolve any authentication issues that the agent identifies.
  2. Enforcement readiness -- When the agent determines that your domain is ready, the DMARC stage changes to Enforcement and the enforcement tickets transition to Open.
  3. Apply the policy -- Open the enforcement ticket and follow the steps. Tightening your DMARC policy is as easy as moving a slider from none to quarantine or reject.
tip

Tickets stay in Upcoming until the agent is confident your domain is ready for enforcement. Do not rush this process -- resolving all authentication issues first prevents legitimate email from being blocked.

Option 2: Manual Enforcement (Advanced)

If you prefer to manage the DMARC policy yourself, you can update it directly from the Manage DMARC page.

warning

Before manually changing the policy, ensure the DMARC stage in Palisade shows Enforcement. Applying a strict policy before all sending sources are authenticated can cause legitimate email to be quarantined or rejected.

  1. Navigate to the Manage DMARC page for your domain.
  2. Change the policy from none to quarantine or reject.
  3. Save and publish the updated record.

Tips

  • Move policy progressively — go from none to quarantine first, monitor for at least a week, then move to reject. This staged approach minimizes the risk of blocking legitimate email.
  • Use the enforcement percentage — when moving to quarantine, start with a low percentage (e.g., pct=10) and increase it over several days. This applies the policy to only a fraction of failing mail, giving you time to catch issues before full enforcement.
  • Check in with customer teams — before enforcing, confirm with the domain owner that all their email services (marketing, CRM, support, transactional) have been identified and properly authenticated. Services set up by other departments are commonly missed.
  • Review the Senders List — confirm all pending sources before tightening the policy. Any unconfirmed legitimate sender will have its mail affected.
  • Watch for seasonal or infrequent senders — some services only send email occasionally (e.g., annual renewal notices, event invitations). Monitor for several weeks before enforcing to catch these.
  • Keep monitoring after enforcement — DMARC Agent continues to create tickets after enforcement. New sending services or configuration changes can introduce authentication failures at any time.