Fixed-scope 30-day engagement

DMARC Enforcement Sprint: from p=none to p=reject, safely

A fixed-scope 30-day sprint that takes your domain to enforced DMARC (p=reject) without blocking legitimate mail — every sender verified, a staged rollout, and the proof your insurer and auditors now require.

From $2,500

Fixed scope, clear deliverables

p=reject in 30 days

Staged, monitored rollout

Enforcement evidence pack

For insurers & auditors

2 sprint slots open per month. If this month is full, we'll confirm next availability on the call.

What you get from the sprint

Built for teams stuck at p=none: enforced DMARC without lost mail, and the proof your insurer wants.

From p=none to p=reject — safely

We take your domain to enforced DMARC without blocking legitimate mail. Every sender is verified first, then policy is tightened in stages while we watch the report data.

Every legitimate sender mapped

Using your live DMARC (RUA) data we inventory every service sending as you — M365, marketing, billing, helpdesk — and fix SPF/DKIM alignment for each before tightening policy.

Insurer/auditor-ready proof

A completion report documenting enforced DMARC, aligned SPF/DKIM, and optional MTA-STS/BIMI — the email-authentication evidence cyber-insurers and auditors increasingly ask for.

Deliverables

Full SPF / DKIM / DMARC audit across all in-scope domains
Complete sender inventory built from your live DMARC (RUA) reports
SPF / DKIM alignment fixed for every legitimate sender
Staged policy rollout: p=none → quarantine → reject, monitored at each step
Hosted MTA-STS + BIMI/VMC setup (optional add-on)
Enforcement completion report + evidence pack for insurers/auditors
90-day Managed DMARC handoff plan so enforcement doesn't drift

Best for

Companies stuck at p=none, nervous that p=reject will block real email
Teams that got a cyber-insurance renewal question requiring enforced DMARC
Senders hit by the Google / Yahoo / Microsoft bulk-sender requirements
Regulated SMBs (healthcare, finance, legal, professional services) needing anti-spoofing proof
Anyone who's been spoofed or had a vendor/BEC impersonation scare

If you just need a DMARC reporting tool to self-serve, that's our DDMARC platform. This sprint is the done-for-you version when you want enforcement handled and proven.

How the 30 days work

You'll always know what we're doing, why we're doing it, and what the impact is.

Access + sender discovery

Days 1–4

  • Read-only DMARC report access (or we host your DMARC reporting)
  • Establish current policy + SPF/DKIM alignment baseline
  • Begin the sender inventory from live RUA data

Audit + alignment plan

Days 5–14

  • Identify every legitimate sender and its SPF/DKIM status
  • Flag misaligned / unauthorized senders and lookalike domains
  • Agree the rollout plan and any per-sender fixes upfront

Fixes + move to quarantine

Days 15–24

  • Fix SPF limits/flattening and DKIM signing per sender
  • Move policy none → quarantine and monitor for legitimate-mail impact
  • Daily async monitoring of report data

Enforce + handoff

Days 25–30

  • Move policy to p=reject once the data is clean
  • Optional MTA-STS / BIMI setup
  • Completion + evidence report delivered
  • 90-day Managed DMARC plan to prevent drift

“A 70-person company had DMARC at p=none for two years, afraid enforcing it would block billing and marketing email. We inventoried 14 sending services, fixed alignment on 5, and moved them to p=reject by Day 28 — with no legitimate mail lost. They cleared their cyber-insurance renewal the same month.”

— Composite case study (anonymized; details representative of a typical enforcement engagement)

Ready to enforce DMARC — without breaking your email?

Book a 30-minute scoping call and we'll confirm fit, scope, and access approach. If a sprint isn't the right move, we'll tell you directly.

FAQ

Will moving to p=reject break our email?

No — avoiding that is the entire point of doing it in stages. We don't tighten policy until every legitimate sender is verified and aligned, then move none → quarantine → reject while watching report data at each step. If anything looks off, we hold and fix before continuing.

What does “fixed scope” mean in practice?

Before Day 1 we agree on a written checklist: which domains are in scope, which senders we'll align, and what the rollout milestones are. If we find something outside that scope, we document it — it doesn't become absorbed work or an invoice surprise.

What happens after the 30 days?

Enforcement drifts — new tools start sending as you, records change. Most clients move onto Managed DMARC ($500–1,500/mo) so we monitor, add new senders safely, and keep you at reject with ongoing reporting. If you'd rather run it in-house, the handoff plan is yours.

Do you need access to our DNS?

Read-only DMARC report access is enough to start. For fixes we provide the exact DNS records for your team to apply, or you delegate a subdomain and we host the records. Your call — no full DNS control required.

Is the price realistic?

The Enforcement Sprint starts at $2,500 for a single domain; multi-domain or many-sender environments are scoped on the call. A single successful invoice-fraud (BEC) email typically costs far more than the sprint.

How is this different from a DMARC SaaS tool?

A tool shows you reports — you still have to interpret them and risk flipping to reject yourself. This is done-for-you: a senior engineer takes you to enforced DMARC safely and hands you the proof. We run our own DMARC platform under the hood, so you're not paying for a dashboard you have to operate.
