DMARC at p=reject is the floor, not the ceiling. A Texas IT team's guide to DKIM key hygiene, ARC for forwarded mail, and BIMI brand-verified inboxes.
Your DMARC record is at p=reject, and you think email security is a solved problem. It isn't. DMARC tells receiving servers what to do when a message fails authentication, but it says nothing about mailing lists that break your signatures, forwarded messages that lose their alignment, or the blue verified checkmark that makes a phishing lookalike stand out from your legitimate brand. In 2026, the gap between "we have DMARC" and "our email is actually trustworthy" is exactly where attackers and deliverability problems live.
This guide walks Texas IT teams through the layers that sit above and around DMARC: DKIM key hygiene, ARC for forwarded and mailing-list traffic, and BIMI for brand-verified inboxes. If you run email for a Houston law firm, a Dallas distributor, or an Austin SaaS company, these are the controls that separate a mailbox that lands in the inbox from one that lands in spam — or worse, one that gets spoofed.
DMARC is not an authentication method. It is a policy layer that builds on two older mechanisms and adds one crucial concept:
sendgrid.net means nothing if your From: says @yourfirm.com and the two don't align.A message passes DMARC if either SPF or DKIM passes and aligns. This "or" is why DKIM matters so much: SPF breaks the moment a message is forwarded, because the forwarding server becomes the new envelope sender. DKIM survives forwarding — as long as nothing rewrites the body or the signed headers.
Most organizations enable DKIM once, during Microsoft 365 or Google Workspace setup, and never touch it again. That is a mistake on two fronts.
DKIM keys should be 2048-bit RSA, not the 1024-bit default some older tenants still carry. Microsoft 365 now provisions 2048-bit keys, but tenants provisioned years ago may still be on 1024-bit — check and rotate. Keys should also be rotated periodically (quarterly to semi-annually is a reasonable cadence for most SMBs), because a leaked or brute-forced private key lets an attacker sign mail as you indefinitely.
DKIM uses selectors (like selector1._domainkey.yourdomain.com) so a domain can host multiple keys — one per sending service. Every third-party sender (your CRM, your invoicing platform, your marketing tool) needs its own selector and its own published key. When you add a new SaaS tool that sends on your behalf and skip the DKIM setup, that mail will fail alignment and land in spam or trip your own DMARC reject policy. Maintaining an accurate inventory of who sends mail for you is the same discipline we cover in our guide to managing SaaS-to-SaaS integration sprawl.
Here is the scenario that breaks DMARC even when you've done everything right. A client sends mail to your firm's shared mailbox, which auto-forwards to three partners. Or a member posts to your industry mailing list, which appends a footer and re-sends to 400 subscribers. In both cases, the intermediary modifies the message — breaking the DKIM signature — and becomes the new sender, breaking SPF. A strict DMARC policy at the final destination then rejects legitimate mail.
ARC (Authenticated Received Chain) solves this. It lets each intermediary cryptographically record the authentication results it observed before it modified the message, then sign that attestation. The final receiver can see: "This message failed SPF and DKIM at my door, but a mail server I trust vouches that it passed authentication when it received the message." The receiver can then choose to honor that chain rather than blindly rejecting.
BIMI (Brand Indicators for Message Identification) is the payoff for getting everything else right. Once your domain is at DMARC p=quarantine or p=reject, BIMI lets you publish your logo in DNS so participating inboxes (Gmail, Apple Mail, Yahoo, Fastmail) display it next to your messages. For a brand your customers see in a crowded inbox, that logo is both a trust signal and an anti-phishing measure — a spoofed lookalike domain cannot display your verified mark.
quarantine or reject — not p=none. This is deliberate: the logo is a reward for actually protecting your domain.default._bimi DNS record.BIMI is optional, but for any organization that does customer-facing email at volume — retailers, professional services, healthcare practices — it converts your backend authentication work into a front-of-inbox trust asset.
The single biggest mistake is jumping to p=reject without first collecting and reading aggregate (RUA) reports. Publish p=none with a rua= mailbox, let reports accumulate for two to four weeks, and use a report parser to answer one question: which legitimate senders are failing alignment? Every one you find is a shadow-IT sender, a forgotten marketing tool, or a misconfigured relay that would have started bouncing the day you enforced. Only after that inventory is clean should you move to quarantine, then reject.
Strong email authentication does not stop a user from clicking a link in a message that is properly authenticated from a domain the attacker actually registered. It stops spoofing of your own domain — which is a specific and important threat, especially for business email compromise and invoice fraud. Pair it with the human and technical layers we cover in AI-powered phishing defense and deepfake fraud defense for finance teams. Authentication, inbound filtering, and user training are three legs of the same stool.
Run this checklist in order:
rua= address.p=none and inventory every sender.p=quarantine, then p=reject.If email is business-critical and you don't have the DNS and mail-flow expertise in-house, our managed IT services team runs this end to end — including the reporting cadence and third-party sender inventory that makes enforcement safe. You can also book a free IT assessment to get a read on your current authentication posture.
LayerLogix delivers email security and managed IT across Texas, including Houston, Dallas, Austin, San Antonio, and Fort Worth. Wherever your team sends mail from, we make sure it lands where it should — and that no one can send it in your name.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.