Home/ Resources/ email-security

DMARC Configuration Guide for Canadian SMBs

Step-by-step DMARC, SPF, and DKIM configuration for a Canadian SMB on Microsoft 365 or Google Workspace. The reject-policy ramp, the report-aggregator setup, and the seven recurring mistakes.

What’s inside

SPF, DKIM, DMARC — the three records in plain language. What each one does, why all three are required, what happens when one of them is wrong.
The four-stage ramp from p=none to p=reject. Months 1–6 quarantine then reject, with the report-aggregator interpretation that tells you when each stage is safe.
Tenant-specific instructions. Microsoft 365 admin centre, Google Workspace admin console — exact paths, exact field names.
Aggregator setup. Pointing your DMARC rua at a free aggregator (we recommend Postmark or dmarcian’s free tier) so you can read the daily reports without trying to parse XML.
Seven recurring mistakes. Forgotten Resend / Mailgun / Constant Contact sending domains, missing _dmarc subdomain alignment, the pct= partial-rollout footgun.

Who it’s for

A Canadian SMB sending transactional + marketing email from a custom domain, getting flagged in client inboxes, or warned by an insurer or auditor about email authentication gaps.

Pairs with

The PIPEDA Breach Response Playbook — breach-response context for the email-spoofing incidents this guide helps prevent.