Get Started
DMARC SPECIALISTS

DMARC
Done
Properly

Deployment, ongoing support, SPF flattening, managed hosting, and monthly reporting that an exec can actually read. We get domains to p=reject without losing legitimate mail.

Request a DMARC Audit → How DMARC Works
DMARC Setup, Managed Hosting & Reporting
p=reject
Target Policy (not p=none)
3–6 mo
Typical Time to Full Enforcement
24 hrs
Alert on New Senders
0
Legitimate Mail Lost in Our Engagements
Platforms & experience
Microsoft 365
CSP Partner
Google Workspace
Partner
DMARC
p=reject specialists
RUA / RUF Hosting
Managed reporting endpoint
SPF & DKIM
Full alignment
Founded 2001
25 years trading
Target policy: p=reject, not p=none
M365 & Google Workspace, both platforms
Managed RUA hosting included
Monthly executive summary, plain English
0 legitimate mail lost in our engagements
THE THREE RECORDS

SPF, DKIM, DMARC: each does one job. All three have to be right.

Most domains we audit have all three records published. Plenty still get spoofed. Knowing which record does what tells you where the gap is.

Who's allowed to send

A list of IP addresses authorised to send mail for your domain. The receiver checks the connecting IP against your list. Pass or fail, in DNS.

  • Published as a single TXT record at the root of your domain
  • Caps at 10 DNS lookups per evaluation; busy domains blow through it
  • Fails silently when a vendor rotates IPs that aren't in your record

Cryptographic proof the message is yours

The sending server signs each message with a private key. The receiver fetches your public key from DNS and verifies the signature. Tamper with the message, the signature fails.

  • One key per selector; M365 uses selector1 and selector2, Google uses 'google'
  • 1024-bit keys are weak in 2026; we rotate everything to 2048
  • Generated but not enabled is the most common DKIM failure we see

The policy that ties it together

SPF and DKIM only matter if you tell receivers what to do when they fail. DMARC publishes the policy (none, quarantine, reject) and asks for aggregate reports so you can see who's trying to send as you.

  • p=none is monitoring only; p=reject is the actual protection
  • Reports arrive as XML, usable only if someone is reading them
  • Alignment matters: the signing domain has to match the From address
Why this matters now

DMARC stopped being optional in 2024. Most domains haven't caught up.

For years, DMARC was something banks and large enterprises worried about. That ended in February 2024, when Google and Yahoo's bulk-sender requirements came into force: any domain sending more than 5,000 messages a day to Gmail or Yahoo users must publish a DMARC record. Microsoft 365 followed, tightening its inbound authentication filters. Campaigns from unauthenticated domains are now being junked or rejected outright.

Cyber insurance moved at the same time. We've been on renewal calls where the underwriter's questionnaire asks specifically for the p= tag, the RUA endpoint address, and whether reports are being monitored by a human or just an inbox nobody reads. "We have DMARC" at p=none stopped being a satisfactory answer sometime in 2025. What underwriters are now asking about DMARC has changed more in the past 18 months than in the previous decade.

Business email compromise is the other driver. By most measures it's the most expensive cybercrime category by reported losses, and nearly all of it relies on either a lookalike domain or a direct spoof. DMARC at p=reject kills the direct-spoof vector outright. If your domain isn't at full enforcement, someone with a mail server and ten minutes can send messages that look exactly like they came from your CFO. The mechanics of what p=reject actually does aren't complicated, getting there without breaking your own mail is where most organisations stall.

The bottleneck on every DMARC project we run is not the DNS work. It is reading the aggregate reports week after week, catching the new sender that marketing stood up on a Friday afternoon, and chasing a payroll vendor for a DKIM selector that was meant to land two months ago. That ongoing work is what most teams do not have capacity for, and it is the part of managed DMARC that actually keeps a domain at p=reject.

The ramp from p=none to p=reject takes three to six months for a typical organisation. The bottleneck is rarely technical. Finding out which IPs a payroll vendor uses, waiting for the helpdesk platform to publish a DKIM selector, watching the quarantine-phase reports daily so nothing legitimate catches, that's the work. We've done it enough times to know where it stalls and how to keep it moving.

WHAT WE DELIVER

What's Included

DMARC Deployment
Baseline audit, sender inventory, SPF and DKIM alignment, then a phased move from p=none through p=quarantine to p=reject.
Managed DMARC Hosting
We host your RUA and RUF endpoints, parse the XML, and surface what matters. Your DNS just points to us.
SPF Flattening
Untangle the 10-lookup limit. We flatten where it makes sense, leave dynamic ranges alone, and document every include so the next person isn't guessing.
DMARC Record Lookup
Free instant check of any domain's DMARC, SPF, and DKIM status. Know where you stand before we start.
Monthly Reporting
Aggregated RUA data, IP-by-IP source breakdown, alerting on new senders, and a monthly executive summary written in plain English. Not XML.
Ongoing Support
When marketing adds a new tool or your CRM rotates a sending IP range, we catch it before deliverability tanks. You get a human, not a ticketing portal.
HOW IT WORKS

How Deployment Works

01
Audit & Sender Inventory

Two-week observation at p=none. We map every IP, every selector, every include. Marketing always finds something they forgot.

02
SPF & DKIM Alignment

Fix the lookup-limit ceiling, rotate weak DKIM keys to 2048-bit, and align every legitimate sender. This is the heavy-lifting phase.

03
Quarantine Ramp

Move to p=quarantine with pct=10, then pct=25, then pct=100 over four to eight weeks. We watch the reports daily and pull back if anything legitimate is failing.

04
p=reject

Full enforcement. From here it's monitoring, monthly reporting, and a friendly heads-up the first time a new sender shows up unannounced.

Hand DMARC to people who do this every day.

Audit, deployment, SPF and DKIM alignment, the ramp to p=reject, managed RUA hosting, and a monthly executive summary written in English. We get domains to full enforcement without losing legitimate mail.

Request a DMARC Audit → Check your domain on TamingDNS
QUESTIONS

DMARC: The Honest Answers

For a small domain with two senders (Microsoft 365 and one marketing tool), four to six weeks. For a typical mid-market organisation with M365 plus a CRM, a marketing platform, an invoicing tool, a help-desk system, and a payroll provider, three to six months. The bottleneck is rarely technical. It’s getting straight answers from third-party vendors about which IPs and selectors they use.

If you’re at p=none, you have monitoring, not protection. Spoofers can still send mail as you and the receiving server will deliver it. The whole point of DMARC is the policy at p=quarantine or p=reject. Until you’re there, the record is doing nothing about active spoofing.

We see it in the next aggregate report, usually within 24 hours. With managed reporting we alert on new failing sources immediately, fix the SPF or DKIM gap, and the sender is back through. The reason we ramp pct=10 → 25 → 100 rather than flipping straight to 100 is exactly to catch this before it hurts.

Sometimes. SPF flattening converts vendor includes into static IPs, which works beautifully if those IPs are stable. It bites you when a vendor like Mailchimp or SendGrid quietly rotates IPs and forgets to tell you. For dynamic vendors we keep the include and find lookups to flatten elsewhere. Every flattening engagement comes with a documented re-check schedule.

Running it yourself means an XML parser, a database, dashboards, alerting, and somebody to read the reports every week. Most small and mid-sized organisations don’t have that capacity. Our managed service is priced per domain per month and includes deployment, hosting, the monthly executive summary, and reactive support. If you want a quote, the contact form below is faster than email.

Yes. DMARC is a DNS record on your domain. It doesn’t care which mail platform you use. We deploy DMARC for clients running M365 only, Google Workspace only, both (a transition or a hybrid setup), and for clients with third-party mail relays in front. The mechanics differ, the principle doesn’t.

If you’ve already reached p=reject and your brand is recognisable in inboxes, yes. The logo-in-inbox treatment in Gmail and Apple Mail is genuinely useful for trust and recognition. If you’re still at p=none, BIMI is a distraction. Get the authentication right first, then add the badge.

We do a baseline audit as the first step of every engagement: SPF record health (lookup count, syntax, included senders), DKIM selectors and key strength, the DMARC policy you’re publishing, alignment results across receivers, and any blacklist hits. You get a written read on where you stand before we commit to a deployment plan. Use the contact form below to request one.

A forgotten Mailchimp include. Marketing trials Mailchimp, IT adds it to SPF, marketing stops using it three months later, the include stays. Nine months down the line, when the SPF record creeps over 10 lookups for unrelated reasons, that ghost include is the first thing we cut. Inventory drifts. That’s why ongoing monitoring exists.

Hand DMARC to people who do this every day.

Audit, deployment, SPF and DKIM alignment, the ramp to p=reject, managed RUA hosting, and a monthly executive summary written in English. We get domains to full enforcement without losing legitimate mail.

Email us directly support@osh.co.za

Get in touch

Related services
Signatures done right, without breaking DKIM The signature platform that doesn't sabotage your authentication posture. Set p=reject on a Microsoft 365 tenant Tenant build, Conditional Access, Defender — the whole picture. Set p=reject on a Google Workspace tenant Workspace setup, hardening, and managed support from the same engineer.