Our recommendation is to move to Enforcement as quickly as possible after reviewing all services and configuring only those that are confirmed to be used; we do not recommend sitting in Monitor (where policy = none) mode after that. It is a layered process and below can provide some guidance on how to approach switch policies.


Visibility

You want to start by getting visibility or monitoring who is sending on your behalf. This means having a policy=none, this will allow all messages passing and failing DMARC to send messages. It is important not to turn on a policy  (quarantine or reject) too soon as that may potentially block legitimate mail. There could be services you recognize and other's that you do not (shadow IT), whose business owners need to be tracked to confirm if they are being used.

A look into your existing SPF record can provide guidance as to what is has been used, but it may be outdated so it's equally important to insert as it is to remove services no longer being used.



Configuration

Once you confirm all senders being used, you need to configure the senders in your SPF record and DKIM keys, if supported. In addition, internal IPs or servers must also be added in the SPF record too as authorized senders.

During this step, there could be services that have to be set for dedicated subdomains. All services must be reviewed and configured before turning on any policy.


Policy

Once configurations are set on the top-level domain and subdomains, you are ready to move to a quarantine policy. Quarantine can work as a catch all and detect any additional services that may send messages once a quarter to still send messages without them being blocked. After this phase is finalized and all services have been configured, a reject policy can now be enabled. 


For more information on Managing DMARC records in our platform or general articles on policies, please check out other articles in this KB or on our blog.