# DMARC Configuration Guide for Canadian SMBs

> Step-by-step DMARC, SPF, and DKIM configuration for a Canadian SMB on Microsoft 365 or Google Workspace. The reject-policy ramp, the report-aggregator setup, and the seven recurring mistakes.

**Published:** 2026-05-16
**Categories:** email-security, smb

*This resource is gated behind an email opt-in on the HTML page. The PDF (RedactLabs-DMARC-Configuration-Guide-Canadian-SMBs.pdf) is delivered via a Resend email with a 72-hour HMAC-signed download link.*

---

## What's inside

- **SPF, DKIM, DMARC — the three records in plain language.** What each one does, why all three are required, what happens when one of them is wrong.
- **The four-stage ramp from `p=none` to `p=reject`.** Months 1–6, moving through quarantine and then reject, with guidance on reading the aggregator reports so you know when each stage is safe.
- **Tenant-specific instructions.** Microsoft 365 admin centre, Google Workspace admin console — exact paths, exact field names.
- **Aggregator setup.** Pointing your DMARC `rua` at a free aggregator (we recommend Postmark or dmarcian's free tier) so you can read the daily reports without trying to parse XML.
- **Seven recurring mistakes.** Forgotten Resend / Mailgun / Constant Contact sending domains, missing `_dmarc` subdomain alignment, the `pct=` partial-rollout footgun.

## Who it's for

A Canadian SMB sending transactional and marketing email from a custom domain, getting flagged in client inboxes, or warned by an insurer or auditor about email authentication gaps.

## Pairs with

- The [PIPEDA Breach Response Playbook](/resources/pipeda-breach-response-playbook/) — breach-response context for the email-spoofing incidents this guide helps prevent.