All domains owned by an organization should be protected by DMARC at enforcement. Even though the organization may not send emails as these domains does not mean that bad actors will not. At a minimum, the domain’s DMARC policy should be set to DMARC Reject.

DMARC, SPF and DKIM for the domain should be delegated to Valimail. This allows the domain to be used to send legitimate emails in the future without needing DNS changes. 

In the Enforce interface, the domain should be set to Blocked. This can be done either on the Domains page or by navigating to the Configuration screen for the domain. Moving a domain to Blocked is a two stage process. The domain must first be moved to the Disabled state. The Disabled state sets the DMARC Policy for the domain to p=none and hides the ability to configure senders for the domain. Moving the domain from Disabled to Blocked continues to hide the ability to configure senders but changes the DMARC Policy to p=reject.