DMARC does not need to be a six-month project or a leap of faith. With a clear plan and the right checks, a typical UK sender can move from none or monitor to enforcement in roughly 90 days, without breaking legitimate mail or harming campaigns already in flight.
This guide gives you a non-technical, phased cadence you can run with marketing, CRM, and IT together. It explains SPF, DKIM, DMARC, alignment, subdomains, and where BIMI fits. It also covers how to keep Microsoft 365 and Google happy as you move to quarantine then reject.
If you want a second pair of eyes, our free email health check gives you a quick read on where your authentication stands right now, and our Specialist services cover authentication setup directly if you would rather hand the implementation to a UK-based specialist than run it internally. But you can also use this as a do-first roadmap.
What DMARC is, in plain English
Think of SPF, DKIM, and DMARC as ID checks for email.
- SPF (Sender Policy Framework) is your allowed-senders list. It tells receiving servers which services are permitted to send mail for your domain.
- DKIM (DomainKeys Identified Mail) is a tamper seal. Your platform signs each message with a private key, and recipients verify it with a public key in DNS.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that ties SPF and DKIM to your domain name. It says which check must pass and align, and what to do if a message fails.
Alignment is the key word. It means the visible from-domain in the email matches the domain that passed SPF or DKIM. You can pass DKIM but still fail DMARC if the signature is for another domain. DMARC alignment fixes that gap.
BIMI is a bonus. Once DMARC reaches enforcement, BIMI can display your logo beside messages at Gmail and others. Treat it as a benefit, not the goal.
The 90-day DMARC plan for UK senders
The aim is simple: inventory every sender, align and sign, watch reports, fix issues, then move policy to quarantine and reject without surprises. A measured, 90-day rollout gives you time to verify unknown senders, warm up any new subdomains, and step enforcement gradually with clear signals.
Month 1 (Weeks 1–4): discovery, inventory, and initial alignment
List every system that sends on your domain. Typical categories include:
- Primary ESP or CRM platform
- Product or app transactional mail
- Helpdesk or ticketing
- Finance tools that email invoices or receipts
- Marketing automation, webinars, surveys
- HR and applicant tracking
- Security tools that send alerts
- Legacy services no one remembers
Run an MX lookup and scan DNS to spot clues. Ask finance and IT about shadow tools. Send a test from each platform to your own mailbox and check headers to confirm the path.
Create or update SPF to include all legitimate senders. Keep it under 10 DNS lookups. Flatten excessive includes if needed, but prefer pruning unused services. Generate DKIM keys per platform and publish CNAME or TXT records as required. Use 2048-bit keys where supported.
Add a DMARC record at p=none with rua reporting to a mailbox you monitor. Turn on DKIM signing everywhere you can. Set sp=none for now if you plan to separate subdomains later.
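To make the Month 1 SPF step concrete, here is a small offline check, added as an example (not code from the page or from any vendor), that parses an SPF record, counts the terms that consume DNS lookups and flags the mistakes that most often break SPF. The sample records are constructed: the vendor includes in the first are real, widely published includes, and the second stands in for a legacy record that has grown past the limit.

```python
"""Offline lint for a single SPF TXT record (added example, not from the page).

Counts the terms that each consume one of the 10 DNS lookups allowed by RFC 7208
(include, a, mx, ptr, exists, and the redirect modifier) and flags common
mistakes. Only the record passed in is inspected: lookups inside nested
includes are not resolved, so the count is a lower bound on what receivers see.
"""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10        # RFC 7208 section 4.6.4
MAX_TXT_STRING = 255    # one character-string in a TXT RR holds 255 octets
_MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")


def lint_spf(record: str) -> dict:
    """Return {'lookups': int, 'all': qualifier or None, 'findings': [str]}."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None, "findings": ["record must start with v=spf1"]}

    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        modifier = _MODIFIER.match(term)
        if modifier:                      # name=value modifiers
            name = modifier.group(1).lower()
            if name == "redirect":
                has_redirect = True
                lookups += 1
            elif name != "exp":
                findings.append(f"unknown modifier: {term}")
            continue
        qualifier = "+"                   # mechanisms default to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # drop any :domain argument or /cidr suffix to get the mechanism name
        mech = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if mech == "all":
            all_qualifier = qualifier
        elif mech in LOOKUP_TERMS:
            lookups += 1
            if mech == "ptr":
                findings.append("ptr is discouraged by RFC 7208; replace it with ip4, ip6 or include")
        elif mech not in {"ip4", "ip6"}:
            findings.append(f"unknown mechanism: {term}")

    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}; prune or flatten")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender on the internet; use -all or ~all")
    if len(record) > MAX_TXT_STRING:
        findings.append(f"record is {len(record)} octets; publish it as several strings of at most 255")
    return {"lookups": lookups, "all": all_qualifier, "findings": findings}


# Constructed sample records for a UK sender (not real DNS data).
SAMPLE_RECORDS = {
    "example.co.uk": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all",
    "legacy.example.co.uk": "v=spf1 " + " ".join(f"include:v{n}.example" for n in range(11)) + " +all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = lint_spf(record)
        print(f"{domain}: {result['lookups']} lookups, all={result['all']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against your own record before publishing; if the top-level count is already close to 10, the includes underneath will push you over, which is exactly when pruning unused services beats flattening.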
Helpful background on the trio and what an SPF record is sits in Digistrat's explainer on DKIM, SPF, and DMARC.
Month 2 (Weeks 5–8): align and sign properly, then analyse reports
Now you make alignment true in practice and use reporting to validate changes.
- SPF alignment: ensure the Return-Path (envelope from) domain matches your visible from-domain or an organisational subdomain you control. For third-party platforms, use a custom bounce domain or branded return-path to achieve alignment.
- DKIM alignment: sign with your domain, not the platform's default shared domain. Most ESPs offer a custom DKIM domain. Use that.
- Subdomain strategy: split streams so reputation is isolated. A common pattern in the UK is transactional on tx.example.co.uk and marketing on mail.example.co.uk. Keep corporate comms on the root if volumes are low and risk is small. Add DMARC at each subdomain with p=none for now.
Confirm that each sender is passing SPF or DKIM in alignment. One pass in alignment is enough for DMARC. Prefer DKIM alignment for bulk mail because SPF can break on forwarding.
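The alignment rule above, and the reason a message can pass DKIM yet still fail DMARC, is easiest to see in code. The example below is added here and is not taken from the page or from any mail platform; the domains, the ESP (esp.example) and the stub public-suffix list are constructed, and it also covers the later troubleshooting check of the from-domain against the DKIM d= domain and the bounce domain.

```python
"""DMARC identifier alignment, evaluated offline (added example, not from the page).

Decides whether a message passes DMARC from the RFC5322.From domain, the
domain SPF authenticated (the Return-Path / envelope from) and the d= domains
of any DKIM signatures that verified. The public-suffix list is a constructed
stub covering only the sample domains; real evaluators use the full list.
"""

# Constructed stub of the Public Suffix List, sufficient for the samples below.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "net", "example"}


def organisational_domain(domain: str) -> str:
    """Return the registrable domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') compares organisational domains; strict ('s') needs an exact match."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organisational_domain(f) == organisational_domain(a)


def evaluate_dmarc(from_domain, spf_domain, spf_result, dkim_signatures, adkim="r", aspf="r"):
    """dkim_signatures is a list of (d= domain, result) pairs from DKIM verification.

    Returns the DMARC verdict plus a note per identifier explaining why it did
    or did not count, much like a line in an aggregate report.
    """
    notes = []
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    if spf_result != "pass":
        notes.append(f"SPF {spf_result} for {spf_domain}: no identifier to align")
    elif spf_aligned:
        notes.append(f"SPF pass for {spf_domain}: aligned with {from_domain}")
    else:
        notes.append(f"SPF pass for {spf_domain}: not aligned with {from_domain} (brand the return-path)")

    dkim_aligned = False
    for d_domain, result in dkim_signatures:
        if result != "pass":
            notes.append(f"DKIM {result} for d={d_domain}: ignored")
        elif aligned(from_domain, d_domain, adkim):
            dkim_aligned = True
            notes.append(f"DKIM pass for d={d_domain}: aligned with {from_domain}")
        else:
            notes.append(f"DKIM pass for d={d_domain}: not aligned with {from_domain} (use a custom DKIM domain)")

    # One aligned pass, from either mechanism, is all DMARC requires.
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {"dmarc": verdict, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "notes": notes}


# Constructed scenarios for a sender whose visible From is @example.co.uk.
SCENARIOS = {
    # ESP signs with its own shared domain and uses its own bounce domain:
    # SPF and DKIM both pass, but neither identifier aligns, so DMARC fails.
    "shared-esp-domain": dict(from_domain="example.co.uk", spf_domain="bounce.esp.example",
                              spf_result="pass", dkim_signatures=[("esp.example", "pass")]),
    # Same ESP after enabling a custom DKIM domain: relaxed alignment passes.
    "custom-dkim": dict(from_domain="example.co.uk", spf_domain="bounce.esp.example",
                        spf_result="pass", dkim_signatures=[("mail.example.co.uk", "pass")]),
    # Forwarded message: SPF fails at the forwarder, but the DKIM signature survives.
    "forwarded": dict(from_domain="example.co.uk", spf_domain="example.co.uk",
                      spf_result="fail", dkim_signatures=[("example.co.uk", "pass")]),
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        result = evaluate_dmarc(**scenario)
        print(f"{name}: DMARC {result['dmarc']}")
        for note in result["notes"]:
            print("  -", note)
```

The forwarded scenario is why the guide prefers DKIM alignment for bulk mail: the signature travels with the message, while the forwarder's IP is never in your SPF record.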
Aggregate DMARC reports will now show who is sending, whether they pass, and where alignment fails. Use a parser you trust or route reports to a specialist. Unknown sources are common. Treat them calmly.
- Unknown sources: check whether they are internal tools, security services, CRM add-ons, or a new marketing vendor. If legitimate, add them to SPF and enable DKIM with alignment. If not, block at the source and prepare to quarantine.
- Common failure causes: platform using a shared DKIM domain, Return-Path not branded, mis-typed DNS records, SPF include limit exceeded, expired or rotated DKIM keys not updated, marketing links rewritten by security tools that break signatures, and forwarding paths that strip headers.
- Microsoft 365 specifics: enable DKIM signing in Exchange Online for your custom domain and rotate keys. Avoid overlong SPF includes. Use a branded return-path if you are sending via a third-party tool with M365 as the domain owner.
- Google specifics: verify sending domains and subdomains in Google Search Console where relevant, keep complaint rates low, and ensure DMARC alignment is consistent for bulk. Set up Google Postmaster Tools for domain-level signals.
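An aggregate report is just XML, and reading one for the failure causes listed above is mechanical. The parser below is an added example, not the page's code or any product's; the report it reads is constructed to show the three cases you will meet most often: an aligned sender, an ESP signing with its own shared domain, and a source nobody has identified yet.

```python
"""Summarise a DMARC aggregate (rua) report offline (added example, not from the page).

The XML is a constructed report in the RFC 7489 aggregate format. Real reports
arrive zipped or gzipped as an attachment; this parses the extracted XML and
groups results by sending IP, explaining each failure in the report's own terms.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one aligned sender, one ESP signing with its own
# domain, and one source nobody has identified yet. Not real traffic.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.co.uk</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounce.example.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else default


def summarise_report(xml_text: str) -> dict:
    """Group an aggregate report by source IP and explain each failure."""
    # Reports come from third parties: in production, parse them with a
    # hardened library such as defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    sources, total, passing = [], 0, 0
    for rec in root.iter("record"):
        count = int(_text(rec, "row/count", "0"))
        header_from = _text(rec, "identifiers/header_from")
        # policy_evaluated holds the aligned results the receiver used for DMARC
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        # auth_results holds the raw results, including passes for other domains
        causes = []
        for d in rec.findall("auth_results/dkim"):
            if _text(d, "result") == "pass" and not dkim_aligned:
                causes.append(f"DKIM signed by {_text(d, 'domain')}, not {header_from}: use a custom DKIM domain")
        for s in rec.findall("auth_results/spf"):
            if _text(s, "result") == "pass" and not spf_aligned:
                causes.append(f"SPF passed for {_text(s, 'domain')}, not {header_from}: brand the return-path")
        if dkim_aligned or spf_aligned:
            status = "pass"
        elif causes:
            status = "misaligned"
        else:
            status = "unauthenticated"
            causes.append("nothing passed: identify the source before it is quarantined")
        total += count
        passing += count if status == "pass" else 0
        sources.append({"source_ip": _text(rec, "row/source_ip"), "count": count,
                        "status": status, "causes": causes})
    return {"reporter": _text(root, "report_metadata/org_name"),
            "policy": _text(root, "policy_published/p"),
            "total": total, "passing": passing,
            "pass_rate": passing / total if total else 0.0, "sources": sources}


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT)
    print(f"{summary['reporter']} p={summary['policy']}: {summary['passing']}/{summary['total']} aligned")
    for src in summary["sources"]:
        print(f"  {src['source_ip']:<14} {src['count']:>5} {src['status']}")
        for cause in src["causes"]:
            print("     -", cause)
```

The distinction between the raw auth_results and the policy_evaluated block is the one that matters: a vendor can show "pass" in the raw results and still be failing DMARC for you, which is exactly the shared-DKIM-domain problem described above.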
If you are curious about wider inbox filtering and how to stop emails going to spam, Digistrat's guide to why emails go to spam explains the structural causes and what to change first.
Month 3 (Weeks 9–12+): move to enforcement without drama
Once unknown sources are handled and legitimate mail consistently passes in alignment over multiple weeks, progress your DMARC policy deliberately.
- Move p from none to quarantine with pct=10–25. Hold for at least a week. Watch reports and user replies for any pain.
- Step pct to 50 then 100 over subsequent weeks if reports stay clean.
- Move to p=reject at pct=10–25. Hold, observe, then step to 50 and 100. Keep subdomain policies aligned. Set sp=reject when you are ready for all child domains.
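The stepping sequence above can be checked and advanced mechanically. This added example (not the page's code or any DNS tool's) parses a DMARC record, flags a subdomain policy weaker than p and a pct on p=none that changes nothing, and produces the record for the next rung of the ladder: none, then quarantine at 10, 25, 50 and 100, then reject at the same steps. The rua address is a constructed placeholder.

```python
"""Parse, sanity-check and step a DMARC record along the ladder above.

Added example (not from the page). parse_dmarc() validates the tags receivers
act on, review() flags the traps the plan warns about, and next_step() returns
the record for the next rung of none -> quarantine 10/25/50/100 -> reject
10/25/50/100. The rua address used below is a constructed placeholder.
"""

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# Each rung is (p, pct); pct only has an effect once p is quarantine or reject.
LADDER = [("none", 100),
          ("quarantine", 10), ("quarantine", 25), ("quarantine", 50), ("quarantine", 100),
          ("reject", 10), ("reject", 25), ("reject", 50), ("reject", 100)]
_TAG_ORDER = ["p", "sp", "pct", "adkim", "aspf", "rua", "ruf"]


def parse_dmarc(record: str) -> dict:
    """Return the record's tags with pct as an int; raise ValueError on bad input."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in STRENGTH:
        raise ValueError("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in STRENGTH:
        raise ValueError("sp must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag} must be r or s")
    return tags


def serialise(tags: dict) -> str:
    """Write the tags back as a DMARC TXT record, well-known tags first."""
    ordered = [k for k in _TAG_ORDER if k in tags] + [k for k in tags if k not in _TAG_ORDER]
    return "; ".join(["v=DMARC1"] + [f"{k}={tags[k]}" for k in ordered])


def review(tags: dict) -> list:
    """Findings a sender should resolve before stepping the policy further."""
    findings = []
    effective_sp = tags.get("sp", tags["p"])   # sp inherits p when absent
    if STRENGTH[effective_sp] < STRENGTH[tags["p"]]:
        findings.append(f"sp={effective_sp} leaves subdomains weaker than p={tags['p']}")
    if tags["p"] == "none" and tags["pct"] < 100:
        findings.append("pct has no effect while p=none")
    if "rua" not in tags:
        findings.append("no rua address: you will get no aggregate reports")
    return findings


def _rank(p, pct):
    # pct is irrelevant at p=none, so every p=none record sits on the bottom rung
    return (STRENGTH[p], pct if p != "none" else 100)


def next_step(record: str):
    """Return the record for the next rung of the ladder, or None at p=reject pct=100."""
    tags = parse_dmarc(record)
    current = _rank(tags["p"], tags["pct"])
    for p, pct in LADDER:
        if _rank(p, pct) > current:
            tags["p"], tags["pct"] = p, pct
            return serialise(tags)
    return None


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"   # constructed address
    while record:
        for finding in review(parse_dmarc(record)):
            print("   warning:", finding)
        print(record)
        record = next_step(record)
```

Note that next_step() never touches sp: the guide's advice is to set sp=reject only when you are ready for all child domains, so that remains a deliberate change, and review() will keep reminding you while sp lags behind p.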
BIMI can come in here. With DMARC at enforcement, publish your BIMI record and, for Gmail brand indicators, obtain a Verified Mark Certificate (VMC) if your logo and risk profile justify it. Treat BIMI as a trust and brand lift, not a substitute for strong deliverability.
Not sure where your domain currently stands in this sequence? Our free email health check will tell you in a couple of minutes whether you are at none, monitoring, or somewhere closer to enforcement, and what is likely holding you back.
Keeping Microsoft 365 and Google happy
- Authenticate and align everything: DKIM-aligned at scale, SPF-aligned where practical.
- Keep list hygiene and complaint rates under control. Warm up any new subdomain with modest, engaged volume before peak sends.
- Separate streams by subdomain so a marketing spike does not drag down transactional receipts.
- Use Google Postmaster Tools to watch domain-level spam rate and reputation. Use Microsoft SNDS for IP signals where applicable.
- Monitor DMARC continuously. Policy is not set-and-forget.
If you want regular eyes on this, Digistrat's Ongoing Monitoring flags shifts early and supports incident response, so issues are caught before they affect inbox placement.
Troubleshooting quick wins
- SPF fails often come from missing vendors, typos, or too many includes. Keep includes lean. Replace deprecated vendors promptly.
- DKIM fails are frequently poor alignment or expired keys. Regenerate and repoint CNAMEs. Sign with your domain.
- DMARC failing with a pass on SPF or DKIM usually means misalignment. Check the from-domain against the DKIM d= domain and the envelope from/bounce domain.
- Forwarding will break SPF. Rely on DKIM for alignment in those paths.
- Unknown senders in DMARC reports are not always attacks. Validate first, then enforce.
For a deeper check across all the deliverability layers, including reputation and architecture, a Deliverability Review and Fix can surface structural issues before campaigns ramp up.
FAQ
- What is DMARC in simple terms? DMARC is a policy you publish in DNS that tells inboxes to trust messages that pass SPF or DKIM in alignment with your domain, and to report or block the rest.
- Do I need SPF and DKIM before DMARC? Yes. DMARC relies on SPF and/or DKIM. At least one must pass in alignment for each message. In practice, you want both configured and DKIM-aligned for bulk.
- Why is my DMARC failing and how do I fix it? Failures usually come from misalignment, missing vendors, expired DKIM keys, or too many SPF lookups. Inventory every sender, enable custom DKIM, brand the return-path, prune SPF includes, and retest until alignment is consistent.
- How long does it take to implement DMARC properly? A typical UK sender can reach enforcement in about 90 days with a focused plan. Complex stacks or unknown senders can extend that timeline, but the phased cadence here works for most.
- What happens if I do not enforce DMARC? Attackers can spoof your domain more easily, and mailbox providers treat you as less trustworthy. You also miss out on clean reporting and controls that improve deliverability over time.
A practical next step
If you are preparing autumn campaigns, this is the right quarter to move DMARC to enforcement and lock in trust before volumes rise. You can run the plan above internally, or book a free 15-minute check-up call and we will tell you, no obligation, exactly where your authentication stands and what the fastest safe route to enforcement looks like for your setup. If you want quick context on why inboxes filter mail the way they do, see our overview of deliverability and how providers decide where email lands.
Helpful links as you act:
- Read the plain-English guide to DKIM, SPF, and DMARC to confirm the building blocks.
- Set up Google Postmaster Tools to watch domain reputation at Gmail as you move from none to reject.
- Run our free email health check to see where your domain stands today.
Summary: inventory all senders, align and sign, turn on reporting, fix failures, then step to quarantine and reject with confidence over a measured 90-day window. Do it carefully once, and it will support your inbox placement and revenue all season.

