Rejections are good. But knowing who’s getting rejected...? That’s where the value is...
There’s a curious thing about modern life: We trust several fallacies believing they’ll protect us. We think airbags will save us from a 90mph crash, we assume “organic” means it won’t harm us if we eat too much, and in the curious world of cyber security there are people who believe that simply setting their DMARC policy to p=reject is enough.
And to that I say: Are you mad…?
Let me explain using something we all might understand. Cars.
You see, setting DMARC to p=reject and then walking away is like buying a Ferrari, locking the doors, and leaving it in an overtly questionable car park for three days without a care in the world. Yes, it’s locked, but you’re also not watching it. You’ve assumed the lock is enough and the car is safe. Sadly, it doesn’t work that way…and neither does email.
Because just like that Ferrari in a dodgy car park, your email domain is a target and there are people, let’s call them gremlins with laptops, who are trying to use your domain to send phishing scams, ransomware, and promotional links to unsuspecting recipients who know you, trust you and are likely to oblige.
You might think: “Well, DMARC will stop them”, and yes it might. If you’ve set it up correctly! If SPF and DKIM are aligned and if your email infrastructure isn’t a baroque collection of half-patched relays and legacy systems that still believe Windows XP is the future. But even if you have done it right, you’re still missing the point.
The real power of DMARC isn’t just the p=reject line, it’s the reporting. That boring (to some) XML data people ignore like unread terms and conditions.
Those reports tell you who’s trying to spoof your domain. They show you where the email’s coming from, who’s failing SPF or DKIM and, importantly, what shouldn’t be happening but sadly is. Think of it like this: if someone tried to walk into your office wearing a badge with your face on it, you’d probably want to know about it.
These reports are additive, and they make your broader cyber security monitoring stronger. They give you patterns, repeat offenders, geographies of interest, timing, and once you start mapping these attempts across your other logs (think firewalls, endpoint detection, login anomalies etc.) you start to see things. A pattern. A persistent nuisance in an unrecognised place trying to ruin your day.
DMARC reports also tell you where your own system isn’t working. They reveal legitimate senders acting on your behalf that are failing authentication. They reveal third-party solutions you forgot about (that old marketing platform from 2017).
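What pulling those two signals out of an aggregate report looks like, as an added example rather than anything from the original post: it parses a constructed report in the RFC 7489 layout and separates sources that authenticate as some other domain (a likely forgotten third-party sender) from sources that authenticate as nothing (probable spoofing). The function name, verdict labels, IPs and domains are assumptions made for illustration, and the verdict is a triage hint, not proof.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs/domains).
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>230</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def triage(report_xml):
    """Return {source_ip: {"verdict", "messages", "auth_domains"}} for one report."""
    # Reports come from outside parties: in production, parse with a hardened
    # XML parser (e.g. defusedxml) and cap the decompressed size first.
    root = ET.fromstring(report_xml)
    out = defaultdict(lambda: {"verdict": "aligned", "messages": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        dmarc_fail = (rec.findtext("row/policy_evaluated/dkim") != "pass"
                      and rec.findtext("row/policy_evaluated/spf") != "pass")
        # auth_results holds the raw checks: which domain the sender authenticated as.
        passed = {m.findtext("domain") for m in rec.iterfind("auth_results/*")
                  if m.findtext("result") == "pass"}
        entry = out[ip]
        entry["messages"] += count
        entry["auth_domains"] |= passed
        if dmarc_fail:
            # Heuristic: authenticated as another domain -> likely a forgotten
            # third-party sender to fix; authenticated as nothing -> probable spoofing.
            entry["verdict"] = "unaligned-sender" if passed else "probable-spoof"
    return dict(out)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info["verdict"], info["messages"], sorted(info["auth_domains"]))
```

The per-IP output is the shape you would forward to a dashboard or correlate against firewall and login logs.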
And let’s not forget email is still the number one method for attacks. It's not new, it's not cutting-edge, but it's how the vast majority of businesses are compromised.
Set up p=reject, 1000%. That’s the easy bit. The checkbox and the bit you write down in your compliance audit. But just as importantly, keep watching those reports. Feed them into your dashboards, correlate them with your other data. Get alerts, look for anomalies and build your picture.
Once you do, you’re no longer just someone who’s set a policy, you’re the guardian at the gate and a substantial one at that.
In today’s world that’s the difference between “We dodged the bullet” and “We’re on the news at 10”.