A DMARC deployment timeline can vary depending on the size of an organization, the number of domains involved, and the complexity of email infrastructure. However, there are general steps and best practices that can be followed to ensure a smooth and successful DMARC deployment. The following checklist outlines these steps, from creating a list of domains to maintaining DMARC compliance after deployment.
Keep in mind that deploying DMARC requires coordination and communication across many departments, so a project management mindset is crucial.
Phase 1: Preparation (Weeks 1-2)
- Identify the project team and stakeholders.
- Establish a timeline and allocate resources.
- Create a list of all domains that need to be protected.
- Determine who is responsible for each domain.
- Educate the team and stakeholders about DMARC and its benefits.
Phase 2: DMARC Record Deployment (Weeks 3-4)
- Publish DMARC records for all domains using a "p=none" policy and enable aggregate reporting via the "rua" tag.
- Monitor DMARC reports for at least six weeks to identify legitimate sending sources and servers that need to be remediated.
Phase 3: Source Compliance (Weeks 5-8)
- Identify the stakeholders responsible for each email source.
- Confirm if the source is legitimate and approved by the organization.
- If the source is not legitimate, communicate to the stakeholder that use of the domain is not permitted and that its emails will be blocked.
- Communicate to the source stakeholder the actions that need to be taken to achieve DMARC compliance.
- Identify and document the changes required to achieve DMARC compliance with the source.
- Test the changes and monitor data for a minimum of seven days.
Phase 4: DMARC Enforcement (Weeks 9-12)
- Set DMARC policy to "p=quarantine" or "p=reject" for all domains.
- Monitor DMARC reports to ensure compliance.
- Disallow unauthorized use of your domains by implementing controls such as DMARC policies, DKIM, and SPF.