Small teams feel the same phishing pressure as big ones. The difference is time and headcount, especially for SMBs that run mail without a managed provider. You need a DMARC stack that is simple to deploy, safe to operate, and strict enough to block abuse of your domain. This guide takes a nerdy look at what matters and how a platform like DMARCFlow fits in for EU-focused teams.
Understanding alignment
DMARC passes when the domain in the visible From header aligns with the domain that SPF authenticated (the envelope MAIL FROM) or with the d= domain of a valid DKIM signature; either one is enough. Alignment can be relaxed (same organizational domain, so mail.example.com aligns with example.com) or strict (exact match), and it is set separately for DKIM (adkim) and SPF (aspf). Use relaxed for a steady start, then move to strict once every sender signs with, and bounces from, the exact From domain.

```
; DMARC record with relaxed alignment, reporting, and staged policy
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=r; aspf=r; pct=50"
```

Two things to know about this record: pct=50 applies quarantine to only half of the failing mail, and the other half gets the next-weaker policy (none), so it is a ramp, not a half-strength filter. The ruf address is optional; most large receivers never send forensic reports, so build your process around the aggregate (rua) data.
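The following is an added example, not DMARCFlow code or anything from the original page. It evaluates a message against a DMARC record the way a receiver does: parse the tags, test relaxed or strict alignment for SPF and DKIM, and pick the disposition, including the pct ramp. It assumes a tiny built-in stand-in for the Public Suffix List, and it makes pct sampling deterministic by hashing a message id where real receivers sample randomly; both are assumptions for the example.

```python
"""Added example (not DMARCFlow code): DMARC alignment and disposition."""
import hashlib

# Constructed stand-in for the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "eu"}


def organizational_domain(name):
    """Return the registrable domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate(record, header_from, spf, dkim, msg_id):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    Returns the DMARC result and the disposition a receiver would apply."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "via": "dkim" if dkim_ok else "spf"}
    # Failing mail: p= applies to pct percent of it, the next-weaker policy to the rest.
    # Deterministic sampling by message id is an assumption; receivers sample randomly.
    sample = int(hashlib.sha256(msg_id.encode()).hexdigest(), 16) % 100
    policy = tags["p"]
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"dmarc": "fail", "disposition": policy, "via": None}


if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=50"
    # Bounce domain under the From domain: passes relaxed SPF alignment.
    print(evaluate(rec, "example.com", ("pass", "bounce.example.com"), ("fail", ""), "m1"))
    # Same message under aspf=s: no longer aligned.
    print(evaluate(rec.replace("aspf=r", "aspf=s"), "example.com",
                   ("pass", "bounce.example.com"), ("fail", ""), "m1"))
```

Swapping aspf=r for aspf=s in the usage at the bottom flips the verdict for mail that bounces from a subdomain, which is exactly the failure mode you see when an ESP uses its own bounce subdomain under your domain and you tighten alignment too early.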
SPF record design pitfalls
SPF evaluation returns permerror, which DMARC treats as a fail, once a record needs more than 10 DNS lookups. The include, a, mx, ptr, exists and redirect terms each cost one lookup; ip4 and ip6 cost nothing; and nested includes count against the same budget, so a vendor's include tree can eat most of it on its own. Flattening by hand (replacing includes with literal addresses) breaks silently when a vendor changes its ranges. Prefer a managed include tree, or automated flattening that re-resolves on a schedule and honours the vendors' DNS TTLs.

```
; Safer SPF pattern with bounded lookups
example.com. 3600 IN TXT "v=spf1 include:_spf.mailhost.example include:_spf.crm.example ip4:203.0.113.10 -all"
```

This record spends two lookups at the top level plus whatever the two includes expand to, so audit each vendor's tree before trusting the total. Keep -all: a ~all ending makes SPF softfail, which still fails DMARC alignment but tells receivers less.
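As an added example (not DMARCFlow code or code from the original page), here is an SPF lookup counter that walks include: and redirect= recursively and flags records over the 10-lookup budget. DNS is replaced by a constructed in-memory zone so it runs offline; the zone contents, the vendor names, and the helper names are assumptions for the example. Swap resolve_txt() for a real TXT resolver to audit a live domain.

```python
"""Added example (not DMARCFlow code): count SPF DNS lookups offline."""

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed zone data (assumption); the include chains model a typical SMB setup.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example ip4:203.0.113.10 -all",
    "_spf.mailhost.example": "v=spf1 include:_netblocks.mailhost.example include:_netblocks2.mailhost.example ~all",
    "_netblocks.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.crm-sub.example ~all",
    "_spf.crm-sub.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # A hand-flattened-then-regrown record that blows the budget on its own.
    "bloated.example": "v=spf1 " + " ".join("include:v%d.example" % i for i in range(11)) + " -all",
    # An include loop and a redirect, to show both are handled.
    "loop.example": "v=spf1 include:loop.example -all",
    "redir.example": "v=spf1 redirect=_spf.crm.example",
}
for _i in range(11):
    ZONE["v%d.example" % _i] = "v=spf1 ip4:203.0.113.0/24 -all"


def resolve_txt(domain):
    """Stand-in for a TXT lookup against the constructed zone (assumption)."""
    return ZONE.get(domain.lower().rstrip("."))


def count_lookups(domain, seen=None):
    """Number of DNS-querying terms reachable from domain's SPF record.
    A domain already visited (include loop) is counted by its caller but not re-entered."""
    seen = seen if seen is not None else set()
    key = domain.lower().rstrip(".")
    if key in seen:
        return 0
    seen.add(key)
    record = resolve_txt(key)
    if record is None or record.split()[0].lower() != "v=spf1":
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # qualifiers do not change the lookup cost
        if "=" in term.split(":")[0]:  # modifier such as redirect= or exp=
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                total += 1 + count_lookups(target, seen)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # drop CIDR suffixes like a/24
        if name == "include":
            total += 1 + count_lookups(target, seen)
        elif name in LOOKUP_MECHANISMS:
            total += 1  # a, mx, ptr, exists each cost one lookup (ip4/ip6/all cost none)
    return total


def audit(domain):
    """Summarise a domain's lookup budget for a report or a CI check."""
    n = count_lookups(domain)
    return {"domain": domain, "lookups": n, "ok": n <= LIMIT}


if __name__ == "__main__":
    for name in ("example.com", "bloated.example", "loop.example", "redir.example"):
        print(audit(name))
```

Run against the constructed zone, example.com costs 7 lookups (two includes, two more inside the mail host's tree, and a, mx plus one include in the CRM's tree), which leaves little room for a third vendor; bloated.example comes out at 11 and would permerror at every receiver.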
DKIM keys and rotation
Use 2048-bit RSA keys. Rotate at least twice a year. Publish the new selector first, switch signing to it, and keep the old selector in DNS until mail signed with the old key has stopped arriving (a few days covers queued and forwarded messages), then remove it. A 2048-bit public key does not fit in one 255-byte TXT string, so publish the p= value as several quoted strings, which resolvers concatenate. Verify that the d= tag in the signature aligns with the From domain, not with the sending vendor's domain.

```
; Two DKIM selectors during rotation
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
selector2._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
```
MTA-STS and TLS-RPT in production
MTA-STS lets you, as the receiving domain, tell sending MTAs that delivery to your MX hosts must use TLS with a certificate that validates for the MX name; senders that support it refuse to fall back to cleartext or to a bad certificate. TLS-RPT gives you daily reports from those senders about policy fetches and handshake failures, which is the only visibility you get into delivery problems that would otherwise just look like missing mail. Publish the policy in mode testing first, read TLS-RPT for a couple of weeks, then switch to enforce.

```
; mta-sts.example.com policy, served at https://mta-sts.example.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mx1.example.com
max_age: 86400

; TLS-RPT
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
```

The policy file must contain only the key: value lines (the comment lines above are for the listing). Pair it with a _mta-sts.example.com TXT record carrying v=STSv1 and an id value, and change the id whenever the file changes, because senders cache the policy for max_age seconds. Every MX host you add to DNS must also appear as an mx: line and present a certificate valid for its own name.
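The following is an added example, not DMARCFlow code or part of the original page: a TLS-RPT report summariser for deciding when mode testing can become enforce. It takes an RFC 8460 aggregate report (the JSON below is constructed for the example; real ones arrive gzipped by mail at the rua= address), groups failed sessions by MX host and failure type, flags MX hosts that saw traffic but are missing from the published policy, and applies a readiness threshold that is an assumption of the example.

```python
"""Added example (not DMARCFlow code): summarise a TLS-RPT aggregate report."""
import json
from collections import defaultdict

# Assumption for this example: ready for mode: enforce when no more than 0.1 % of
# sessions failed and every MX host that saw traffic is listed in the policy.
ENFORCE_THRESHOLD = 0.001

# Constructed RFC 8460 report (assumption). mx2 is serving mail but is not in the
# policy, and mx1's certificate does not match its host name.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Corp",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z", "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-05-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-domain": "example.com",
            "policy-string": ["version: STSv1", "mode: testing", "mx: mx1.example.com", "max_age: 86400"],
            "mx-host": ["mx1.example.com"],
        },
        "summary": {"total-successful-session-count": 5120, "total-failure-session-count": 14},
        "failure-details": [
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 9},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.9",
             "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 5},
        ],
    }],
})


def policy_mode(policy):
    """Read the mode: line back out of the policy-string the sender fetched."""
    for line in policy.get("policy-string", []):
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarise_tlsrpt(report_json):
    """One summary dict per policy in the report, with the enforce decision."""
    report = json.loads(report_json)
    out = []
    for entry in report["policies"]:
        pol, summary = entry["policy"], entry["summary"]
        failures = defaultdict(int)
        unlisted = set()
        for f in entry.get("failure-details", []):
            host = f.get("receiving-mx-hostname", "unknown")
            failures[(host, f["result-type"])] += f.get("failed-session-count", 0)
            if host not in pol.get("mx-host", []):
                unlisted.add(host)  # traffic hit an MX the policy does not list
        ok = summary["total-successful-session-count"]
        bad = summary["total-failure-session-count"]
        rate = bad / (ok + bad) if ok + bad else 0.0
        out.append({
            "domain": pol["policy-domain"],
            "type": pol["policy-type"],
            "mode": policy_mode(pol),
            "failure_rate": rate,
            "failures": dict(failures),
            "unlisted_mx": sorted(unlisted),
            "ready_to_enforce": rate <= ENFORCE_THRESHOLD and not unlisted,
        })
    return out


if __name__ == "__main__":
    for row in summarise_tlsrpt(SAMPLE_REPORT):
        print(row)
```

On the constructed report the verdict is not ready: the failure rate is about 0.27 %, mx1 needs a certificate that matches its name, and mx2 has to be added to the policy (or removed from DNS) before switching to enforce would be safe.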
BIMI readiness
BIMI needs DMARC at enforcement on the domain, meaning p=quarantine with pct=100 or p=reject, and a subdomain policy no weaker than that (sp=none disqualifies the domain). It also needs a good sending reputation, and Gmail and Apple Mail require a Verified Mark Certificate (VMC) tied to a registered trademark. Host the logo as an SVG Tiny Portable/Secure file over HTTPS, square, with a solid background and no embedded scripts or external references.

```
; BIMI record with VMC
default._bimi.example.com. IN TXT "v=BIMI1; l=https://cdn.example.com/logo.svg; a=https://bimi.example.com/vmc.pem"
```
Choosing a platform: what to check
- DNS safety: SPF lookup control, DKIM selector management, and subdomain policy handling.
- Report fidelity: fast RUA ingestion, optional RUF, and clear source grouping.
- Automation: sender discovery, guided fixes, and alerting.
- Data protection: GDPR compliance and EU data residency if you operate in Europe.
- Multi-domain: unified dashboards, shared policies, and role control.
How DMARCFlow handles EU data hosting
DMARCFlow is built and hosted in the EU. Data stays in Europe. That helps legal teams and auditors. The platform ships with clear dashboards, weekly reports, multi-domain monitoring, and role-based access. Setup is quick. Add records and start ingesting within a day.
Learn more on DMARCFlow.
Practical staging path for SMBs
- Publish p=none with rua set. Collect aggregate data for two to four weeks, long enough for monthly billing runs and newsletters to show up.
- Fix misaligned sources: have each legitimate sender sign DKIM with your domain, add missing SPF includes, and retire sources nobody recognises.
- Move to p=quarantine at pct=25 to 50. Watch for legitimate mail landing in spam, and remember that the rest of the failing mail still gets p=none.
- Raise pct to 100, then move to p=reject. Only then enable BIMI and switch MTA-STS to enforce.
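The staging path above lives or dies on reading the aggregate reports, so here is an added example (not DMARCFlow code or anything from the original page) that parses a DMARC aggregate (RUA) report and turns it into a to-do list: sources that aligned, sources that authenticated under the wrong domain (fixable by DKIM signing or an SPF include), and sources that authenticated with nothing. The XML follows the RFC 7489 Appendix C schema and is constructed for the example; real reports arrive as zip or gzip attachments at the rua= address.

```python
"""Added example (not DMARCFlow code): group RUA report sources by alignment outcome."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (assumption): one aligned source, one CRM vendor
# that passes SPF and DKIM under its own domain only, and one unknown sender.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>42</report_id>
    <date_range><begin>1714521600</begin><end>1714607999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>812</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>140</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.crm.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

RANK = {"aligned": 0, "misaligned": 1, "unauthenticated": 2}


def classify(record):
    """aligned: DMARC passed; misaligned: SPF or DKIM passed but under a domain that
    does not align with header From; unauthenticated: nothing passed at all."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned"
    raw_pass = any(r.findtext("result") == "pass" for r in record.findall("auth_results/*"))
    return "misaligned" if raw_pass else "unauthenticated"


def summarise_rua(xml_text):
    """Aggregate records per source IP and list the sources that still need work."""
    root = ET.fromstring(xml_text)
    by_source = defaultdict(lambda: {"count": 0, "class": "aligned", "auth_domains": set()})
    for rec in root.findall("record"):
        entry = by_source[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        cls = classify(rec)
        if RANK[cls] > RANK[entry["class"]]:  # keep the worst outcome seen for this IP
            entry["class"] = cls
        for r in rec.findall("auth_results/*"):
            if r.findtext("result") == "pass":
                entry["auth_domains"].add("%s:%s" % (r.tag, r.findtext("domain")))
    total = sum(e["count"] for e in by_source.values())
    aligned = sum(e["count"] for e in by_source.values() if e["class"] == "aligned")
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "aligned_share": aligned / total if total else 0.0,
        "todo": {ip: e for ip, e in by_source.items() if e["class"] != "aligned"},
    }


if __name__ == "__main__":
    result = summarise_rua(SAMPLE_RUA)
    print(result["reporter"], result["policy"], "%.1f%% aligned" % (100 * result["aligned_share"]))
    for ip, entry in result["todo"].items():
        print(ip, entry["class"], entry["count"], sorted(entry["auth_domains"]))
```

The misaligned class is the one worth chasing first: 198.51.100.25 in the sample already signs and bounces correctly, just under crm.example rather than your domain, so a DKIM key with d=example.com at that vendor (or an SPF include plus a bounce domain under example.com) moves those 140 messages into the aligned column. The three unauthenticated messages from 192.0.2.77 are what p=quarantine and later p=reject are for.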
Bottom line
Pick a tool that prevents SPF lookup explosions, guides DKIM alignment, and keeps reports readable. Add EU hosting if you care about GDPR. DMARCFlow matches that profile for small and mid-size teams that want simple control with strong privacy.
