EU Web Security: 10 Steps to a Better Rating · Part 2

DMARC: From "none" to "reject" — in Three Steps

46.8% of EU websites have DMARC, but 63% set the policy to "none". Why that protects no one, and how to do it properly.

SiteGuardian

Part 2 of the series "EU Web Security: 10 Steps to a Better Rating"


The Problem

Someone sends an email from ceo@your-domain.com to your customer. The email contains a payment request. It did not come from you.

Without DMARC: The receiving mail server has no way to verify whether the sender domain is legitimate. The email lands in the inbox.

With DMARC set to reject: The mail server checks SPF and DKIM, determines the email is not authorised, and rejects it. It is never delivered.

46.8% of European websites have a DMARC record. But 63% of those set the policy to none — meaning no enforcement. The domain remains spoofable, as if DMARC were not configured at all.


What We See in the Benchmark

From over 700,000 European websites:

  • SPF: 75.7% — most have the foundation in place
  • DKIM: 31.1% — fewer than one in three sign their emails
  • DMARC: 46.8% — but of those:
      • policy=none: 63% (monitoring only, blocks nothing)
      • policy=quarantine: 17% (routes to spam)
      • policy=reject: 20% (rejects outright — the only effective protection)

And then the misconfigurations: quarantaine, rejet, keiner, brak, beleidsnaam — typos that cause the record to be ignored entirely. The DMARC standard is strict: a single typo in the policy field and the entire configuration is discarded.


What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM:

  1. SPF checks: Is this mail server authorised to send on behalf of my domain?
  2. DKIM checks: Was the message altered in transit?
  3. DMARC says: What should happen when both SPF and DKIM fail?

Without DMARC, every receiving mail server decides on its own. With DMARC, you decide.


The Three Steps

Step 1: Set DMARC to none (Day 1)

Create a TXT record for _dmarc.your-domain.com:

v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.com
  • p=none — no enforcement, monitoring only
  • rua=mailto:... — receiving servers send aggregate reports here

The reports show you who is sending emails on your behalf. You will often discover newsletter tools, CRM systems, or third-party services you had forgotten about.

Wait 2-4 weeks. Analyse the reports. Make sure all legitimate senders are SPF- or DKIM-aligned.

Step 2: Escalate to quarantine (Week 3-4)

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@your-domain.com
  • p=quarantine — unauthenticated emails go to the spam folder
  • pct=10 — only 10% of emails are treated this way (gradual rollout)

Monitor the reports. No complaints? Increase pct to 50, then 100.

Step 3: Escalate to reject (Week 5-6)

v=DMARC1; p=reject; rua=mailto:dmarc-reports@your-domain.com

Now spoofed emails are rejected outright. Your domain is protected.
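To see what a receiver would actually enforce for each of the three records above, and why the misspelled policies from the benchmark leave a domain unprotected, here is an added example (not SiteGuardian's code) that parses a DMARC TXT record and reports the effective policy. The fallback behaviour for invalid records follows RFC 7489 section 6.6.3; the record strings in the test are the ones from this article.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}  # the only values RFC 7489 defines for p= and sp=

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_policy(record: str) -> dict:
    """Return the policy a receiver would actually apply, plus the problems found.

    Mirrors RFC 7489 section 6.6.3: an unrecognised p= or sp= value invalidates the
    record; a receiver then falls back to p=none if a rua= address is present and
    otherwise performs no DMARC processing at all, so the domain is as spoofable
    as one with no record.
    """
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        return {"policy": None, "pct": 0, "problems": ["missing v=DMARC1; not a DMARC record"]}
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()
    if p not in VALID_POLICIES or sp not in VALID_POLICIES:
        bad = p if p not in VALID_POLICIES else sp
        problems.append(f"unrecognised policy value {bad!r}; the record is invalid")
        if "rua" not in tags:
            problems.append("and no rua= address, so receivers skip DMARC entirely")
            return {"policy": None, "pct": 0, "problems": problems}
        problems.append("rua= is present, so receivers fall back to p=none")
        p = "none"
    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100:
        pct = int(pct_raw)
    else:
        pct = 100
        problems.append(f"pct={pct_raw!r} is not 0-100; receivers assume 100")
    if "rua" not in tags:
        problems.append("no rua= address; you will never see aggregate reports")
    if p == "none":
        problems.append("p=none is monitoring only and blocks nothing")
    elif pct < 100:
        # Per RFC 7489 the unselected share gets the next weaker policy
        # (reject -> quarantine, quarantine -> none): this is the gradual rollout.
        problems.append(f"only {pct}% of failing mail gets p={p}; rollout not finished")
    return {"policy": p, "pct": pct, "problems": problems}
```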


SPF and DKIM Must Be Correct

DMARC only works if at least SPF or DKIM is correctly configured:

SPF: A TXT record for your-domain.com listing all authorised mail servers:

v=spf1 include:_spf.google.com include:spf.brevo.com -all

The -all at the end is critical — it says "reject all others". ~all (tilde) is a softfail and is often ignored.

DKIM: Your mail provider generates a key pair. The public key is published as a TXT record under selector._domainkey.your-domain.com. Ask your provider — most have a setup guide.


Common Mistakes

1. Forgetting third-party senders. Newsletter platforms (Mailchimp, Brevo), ticketing systems (Zendesk, Freshdesk), CRMs (HubSpot) — all send emails on your behalf. All must be included in your SPF record or sign with DKIM.

2. Ignoring subdomains. DMARC applies to subdomains by default. If marketing.your-domain.com sends emails, it must be covered too. Use sp=reject for a separate subdomain policy.

3. Not reading the reports. DMARC aggregate reports in XML are not human-friendly. Use a free report analyser (dmarcian, Postmark DMARC Tool) to understand what is happening.
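Reading the XML yourself is tedious but not hard; this added example (not SiteGuardian's code) groups a constructed aggregate report by sending IP so that forgotten third-party senders stand out. The report text is made up for illustration in the RFC 7489 layout; the IP addresses and the domain newsletter-tool.example are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; it is not a real report.
# Source 2 is the classic forgotten newsletter tool: SPF passes for the tool's own
# domain, but that does not align with the From: domain, so DMARC still fails.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>your-domain.com</domain><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>your-domain.com</header_from></identifiers>
  <auth_results><dkim><domain>your-domain.com</domain><result>pass</result></dkim>
   <spf><domain>your-domain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>your-domain.com</header_from></identifiers>
  <auth_results><spf><domain>newsletter-tool.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>8</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>your-domain.com</header_from></identifiers>
  <auth_results><spf><domain>203.0.113.99</domain><result>none</result></spf></auth_results>
 </record>
</feedback>"""

def summarise(report_xml: str) -> dict:
    """Group an aggregate report by sending IP. policy_evaluated/dkim and /spf are the
    receiver's alignment-aware verdicts, so DMARC passes when either is 'pass';
    auth_results/spf/domain shows which domain raw SPF checked (unaligned senders)."""
    root = ET.fromstring(report_xml)
    out = {"published_policy": root.findtext("policy_published/p"), "sources": {}}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        src = out["sources"].setdefault(ip, {"pass": 0, "fail": 0, "spf_domains": set()})
        src["pass" if passed else "fail"] += count
        src["spf_domains"].add(rec.findtext("auth_results/spf/domain") or "-")
    return out

def needs_attention(summary: dict) -> list:
    """IPs with DMARC failures: fix alignment if it is a legitimate sender, else confirm it is spoofing."""
    return sorted(ip for ip, s in summary["sources"].items() if s["fail"] > 0)
```

Under p=none every disposition is "none", so the pass/fail split from policy_evaluated, not the disposition, is what tells you whether a sender is ready for quarantine or reject.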


Regulatory Context

  • NIS2 Art. 21(2)(j) requires measures for "supply chain security" — this includes securing email communication with partners and suppliers.
  • GDPR Art. 32 demands "appropriate technical measures" — email spoofing enables phishing, which leads to data breaches.
  • DORA Art. 7 requires the financial sector to identify and classify all ICT risks — email-based attacks are among the most common.

Check Your Domain

SiteGuardian checks SPF, DKIM, DMARC, STARTTLS, and MTA-STS in a single scan — and shows you not just whether the records exist, but whether they actually work:

https://siteguardian.io/scan


Next week in Part 3: Content Security Policy — the single most effective defence against XSS, missing on 89% of EU websites.

This article is part of the series "EU Web Security: 10 Steps to a Better Rating". Data from the SiteGuardian EU Web Security Benchmark covering over 700,000 European websites.


SiteGuardian

2026-04-20