You reached p=reject, yet staff and customers still receive convincing spoofed emails “from” your brand. It looks like DMARC failed.
DMARC did its job — it only protects the exact domain in the visible From: address, and only against direct spoofing of that domain. It does nothing about (a) display-name spoofing, where the friendly name reads “CEO Name” but the address is attacker@gmail.com, and (b) cousin / lookalike domains (yourbrand-support.com, yourbránd.com) that the attacker controls and can even DMARC-authenticate themselves. Per dmarc.org's own FAQ, DMARC validates the RFC5322.From domain, not the display name: exact-domain spoofing is a technical problem DMARC solves, while lookalikes and display-name tricks need monitoring, training and process. Source: dmarc.org FAQ · verified 2026-07-15
p=reject: it's what forced attackers off your real domain onto these noisier, more detectable tricks.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.