Deploy SLOWLY, We strongly recommend ramping up DMARC use slowly by employing these policies in this order.
First, monitor your traffic and look for anomalies in the reports, such as messages that are not yet being signed or are perhaps being spoofed.
Then, when you’re comfortable with the results, change the TXT record policy setting from “none” to “quarantine.”.
Once again, review the results, this time in both your spam catch and in the daily DMARC reports.
Finally, once you’re absolutely sure all of your messages are signed, change the policy setting to “reject” to make full use of DMARC. Revisit reports to ensure your results are acceptable.
Similarly, the optional pct tag can be used to stage and sample your DMARC deployment. Since 100% is the default, passing “pct=20” in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them.This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent to begin with and increase it every few days.
So a conservative deployment cycle would resemble:
- Monitor all.
- Quarantine 1%.
- Quarantine 5%.
- Quarantine 10%.
- Quarantine 25%.
- Quarantine 50%.
- Quarantine all.
- Reject 1%.
- Reject 5%.
- Reject 10%.
- Reject 25%.
- Reject 50%.
- Reject all.
Attempt to remove the percentages as quickly as possible to complete the deployment. As always, review your daily reports.