Our recent webinar, “New Year, New Cybersecurity Goals: Why 2025 is the Year of DMARC”, brought together industry experts to discuss the evolving email security landscape. With major regulatory changes from Google, Yahoo, and PCI DSS, plus the rising threat of phishing attacks, it’s clear that DMARC is more critical than ever.
During the session, we received insightful questions from our audience, covering everything from DMARC adoption challenges to practical implementation strategies. While we couldn’t address all of them live, we’ve compiled this blog post to cover the most important ones. Let’s jump into the Q&A.
Your Webinar Questions Answered
What do you think? How long will it take to have a reality where not only DMARC implementation is required but also the proper enforcement policy for it?
This is a very good question, but it’s hard to say exactly. DMARC adoption has grown a lot recently because of the new Google and Yahoo requirements, and DMARC enforcement has become mandatory for businesses in finance and banking, or even anyone processing credit card payments online. We’ll see what the future holds, but a future where DMARC enforcement becomes mandatory, like having HTTPS for your websites, is very likely.
Can you guys hit on the importance of configuring these records for parked domains as well?
Yes, it’s very important to configure your parked domains properly, mainly because doing so prevents phishing or spoofing attacks from them. For example, if you have parked domains that look like your main domain and have no DMARC record, attackers can use this to their advantage and send malicious emails from them. Best practice is to have at least a DMARC record for parked domains, with an enforced reject policy and monitoring enabled.
What do you think is better, DANE or MTA-STS?
These are very similar in terms of functionality since both rely on TLS encryption. MTA-STS gives you the ability to enforce that for inbound emails and, along with TLS-RPT, lets you get the reports and analyze them.
Have you seen BIMI drive interest or adoption in DMARC? I see that as a business focused driver to getting DMARC in place.
Yes, we have, especially in businesses where security isn’t a high priority but email is, since it is or might be bringing in a lot of money for that business. Having the logo and a blue checkmark attached to all outbound emails is really a nice thing to have, and well, it does require DMARC enforcement, so…
How does BIMI fit in here as well as ARC?
Both complement DMARC: BIMI in terms of brand and trust, and ARC in terms of security, impacting your domain reputation and deliverability in a positive way.
How long should we monitor before changing to Reject?
After proper configuration for SPF/DKIM, you should keep an eye on the reports to confirm things are good for at least two weeks and then move to quarantine. At least two weeks more are needed to move the quarantine policy to reject. Of course, companies with larger email infrastructure need more time to monitor.
If you have a mail service that is legit but is not able to configure DKIM records, how do you set up a DMARC record beyond p=none?
In 2025, it really is not a good idea to leave an email-sending server without DKIM configured. From our experience, we can say that all email servers can be configured with DKIM, even if they are dedicated servers running Postfix. In that case, try to install OpenDKIM and configure DKIM by following the guides online. Relying on SPF only is not ideal for DMARC enforcement if your server is sending a lot of outbound emails.
Is DMARC ‘set it and forget it’?
Not really, especially for larger infrastructures. Any change to your outbound email would also require changes to your DMARC configuration, so ongoing monitoring is best here.
I used p=none for a month and saw a lot of DKIM/SPF failures (all from scammers) in the aggregate reports. I changed to p=reject, pct=100, etc., and expected to get forensic reports but got none. Am I misunderstanding how that is supposed to work?
Failure (or forensic) reports have a trigger tag in the DMARC record, “fo=”. They are triggered depending on that setting and are not reliant on your “p=” policy tag. Also, please keep in mind that failure reports are hard to come by, since they have very limited support from big ESPs.
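The parked-domain advice and the “fo=” answer above can both be checked against the record itself. The following is an added example, not code from the webinar or from any DMARC product: it parses a DMARC TXT value and reports whether it is at full reject, whether aggregate reports are requested, and what would trigger a failure report. The “fo=” meanings and the rule that “fo=” is ignored without “ruf=” follow RFC 7489; the sample records and example.com addresses are constructed.

```python
# Added example: audit a DMARC TXT record value (tag syntax per RFC 7489).
# All sample records and example.com addresses below are constructed.

FO_MEANING = {  # what each fo= option triggers a failure report on
    "0": "all mechanisms fail to produce an aligned pass",
    "1": "any mechanism fails to produce an aligned pass",
    "d": "a DKIM signature fails evaluation",
    "s": "SPF fails evaluation",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 tag missing")
    return tags

def audit(txt):
    """Summarise enforcement, monitoring and failure-report settings."""
    tags = parse_dmarc(txt)
    # pct defaults to 100; anything lower applies the policy to only part of the mail
    full_reject = (tags.get("p", "").lower() == "reject"
                   and tags.get("pct", "100") == "100")
    if "ruf" not in tags:
        # fo= has no effect unless a ruf= destination is published
        failure = "not requested: no ruf= address, so fo= is ignored"
    else:
        opts = tags.get("fo", "0").lower().split(":")  # fo defaults to 0
        failure = "requested when " + " or ".join(
            FO_MEANING.get(o.strip(), f"unknown option {o}") for o in opts)
    return {"enforced_reject": full_reject,
            "aggregate_reports": "rua" in tags,
            "failure_reports": failure}

PARKED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
                "ruf=mailto:dmarc-failures@example.com; fo=1")
REJECT_FO = ("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; "
             "ruf=mailto:dmarc-failures@example.com; fo=d:s")

if __name__ == "__main__":
    for record in (PARKED, MONITOR_ONLY, REJECT_FO):
        print(record, "->", audit(record))
```

A record that requests failure reports correctly can still receive none, because generating them is up to each receiving mail provider.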
How do “remailers” (groups.io, groups.google.com, etc) handle DMARC? Could they break SPF (and maybe DKIM, too)? Will p=reject cause recipients to reject mail that has gone through remailers?
That’s a very technical question; some downgrade the policy you have for DMARC, and some sign emails with proper configurations, but so far, we haven’t had an issue with any “remailer” during DMARC enforcement.
The discussion in our webinar reinforced one key takeaway: 2025 is a pivotal year for email security. Organizations that prioritize DMARC now will not only meet compliance requirements but also strengthen their domain protection and brand reputation.
If you missed the live session or want to revisit key insights, you can access the webinar recording. Stay tuned for more discussions, and if you still have questions, feel free to reach out. We’re here to help you simplify your DMARC journey!