Webinar Held on the Theme 'DMARC is Not About 'p=reject as the Goal''
Hornetsecurity is hosting a webinar on DMARC operations. Under the theme 'p=reject is not the goal,' the session will explain practical methods for analyzing reports and determining the appropriate policy for one's own company.
📋 Article Processing Timeline
- 📰 Published: May 15, 2026 at 18:00
- 🔍 Collected: May 15, 2026 at 09:32
- 🤖 AI Analyzed: May 15, 2026 at 11:16 (1h 44m after Collected)
Details and registration here
■ DMARC is not 'safe just by implementing it'
DMARC is effective against spoofing, but it's not a matter of 'just putting in a DMARC record and being done.' Risks remain with p=none, and it's not necessarily the goal to raise it to reject—DMARC is a measure that requires 'judgment and operation,' not just 'implementation.' Email sending paths and service usage vary by company and change over time. When conditions like forwarding, external delivery services, commissioned delivery, and multiple domain operations overlap, there's a possibility that even legitimate emails may unexpectedly fail to be delivered. In fact, it's not uncommon for companies to realize later that important notifications and customer support emails are not being delivered as a result of strengthening DMARC. The goal is to avoid the 'side effects of strengthening' where an attempt to enhance anti-spoofing measures ends up impacting business operations.
■ 'reject is not always the right answer,' and judgment stalls
A common pattern after DMARC implementation is that operations stall because companies cannot decide with evidence which of p=none, quarantine, or reject is appropriate for them. Raising it to p=reject all at once as the 'only right answer' raises concerns about the risk of non-delivery of legitimate emails, while conversely, keeping it at p=none out of anxiety limits its effectiveness as an anti-spoofing measure. Furthermore, a setting that was fine yesterday can become a problem today due to forwarding, addition of external services, or changes in delivery paths. DMARC is not a 'set it and forget it' solution; it requires continuous observation and analysis of the situation to decide whether to 'change or maintain' the policy. What's important is not 'p=none for some reason' or 'absolutely p=reject,' but being in a state where you can choose a policy with reason and evidence. However, in reality, many cases exist where DMARC reports are received but cannot be analyzed, making it impossible to prioritize and utilize them as decision-making material. The settings become a mere formality, leading to overlooked risks and postponed judgments.
■ Discerning when to 'change or maintain' through report analysis
This seminar avoids the simplification that 'p=reject is the only right answer' and organizes the thinking process for determining how far you can strengthen DMARC *for your company* based on DMARC reports. We will explain the procedure for deciding on a policy in stages by analyzing reports from a practical perspective, such as who is sending from your domain (legitimate, unauthorized, or possibly misconfigured), how authentication results are distributed, and which transmissions are most likely to directly impact business operations. In environments involving forwarding and external delivery, not only the decision to raise to p=reject but also the decision to deliberately keep it as is can be rational. The important thing is to be in a state where you can choose to 'change or maintain' with evidence, not just 'p=none for no good reason.' DMARC reports are vast and complex, and it is not easy to continuously interpret and use them as decision-making material. This seminar elevates the conversation about DMARC from 'implementation' to 'operation and judgment,' and organizes the perspectives, materials, and procedures for steadily increasing its effectiveness as an anti-spoofing measure while avoiding accidents of non-delivery of legitimate emails, all from a practical viewpoint. This content is also recommended for companies that have already implemented DMARC.
■ Organizers and Co-organizers
Hornetsecurity K.K.
■ Cooperation
Open Source Utilization Institute, Inc.
Majisemi Co., Ltd.
Details and registration here
Majisemi will continue to hold webinars that are 'useful for participants.'
Public materials from past seminars and other currently recruiting seminars can be viewed ▶here.
Majisemi Co., Ltd.
3F Shiodome Building, 1-2-20 Kaigan, Minato-ku, Tokyo 105-0022
Contact: https://majisemi.com/service/contact/
■ DMARC is not 'safe just by implementing it'
DMARC is effective against spoofing, but it's not a matter of 'just putting in a DMARC record and being done.' Risks remain with p=none, and it's not necessarily the goal to raise it to reject—DMARC is a measure that requires 'judgment and operation,' not just 'implementation.' Email sending paths and service usage vary by company and change over time. When conditions like forwarding, external delivery services, commissioned delivery, and multiple domain operations overlap, there's a possibility that even legitimate emails may unexpectedly fail to be delivered. In fact, it's not uncommon for companies to realize later that important notifications and customer support emails are not being delivered as a result of strengthening DMARC. The goal is to avoid the 'side effects of strengthening' where an attempt to enhance anti-spoofing measures ends up impacting business operations.
■ 'reject is not always the right answer,' and judgment stalls
A common pattern after DMARC implementation is that operations stall because companies cannot decide with evidence which of p=none, quarantine, or reject is appropriate for them. Raising it to p=reject all at once as the 'only right answer' raises concerns about the risk of non-delivery of legitimate emails, while conversely, keeping it at p=none out of anxiety limits its effectiveness as an anti-spoofing measure. Furthermore, a setting that was fine yesterday can become a problem today due to forwarding, addition of external services, or changes in delivery paths. DMARC is not a 'set it and forget it' solution; it requires continuous observation and analysis of the situation to decide whether to 'change or maintain' the policy. What's important is not 'p=none for some reason' or 'absolutely p=reject,' but being in a state where you can choose a policy with reason and evidence. However, in reality, many cases exist where DMARC reports are received but cannot be analyzed, making it impossible to prioritize and utilize them as decision-making material. The settings become a mere formality, leading to overlooked risks and postponed judgments.
■ Discerning when to 'change or maintain' through report analysis
This seminar avoids the simplification that 'p=reject is the only right answer' and organizes the thinking process for determining how far you can strengthen DMARC *for your company* based on DMARC reports. We will explain the procedure for deciding on a policy in stages by analyzing reports from a practical perspective, such as who is sending from your domain (legitimate, unauthorized, or possibly misconfigured), how authentication results are distributed, and which transmissions are most likely to directly impact business operations. In environments involving forwarding and external delivery, not only the decision to raise to p=reject but also the decision to deliberately keep it as is can be rational. The important thing is to be in a state where you can choose to 'change or maintain' with evidence, not just 'p=none for no good reason.' DMARC reports are vast and complex, and it is not easy to continuously interpret and use them as decision-making material. This seminar elevates the conversation about DMARC from 'implementation' to 'operation and judgment,' and organizes the perspectives, materials, and procedures for steadily increasing its effectiveness as an anti-spoofing measure while avoiding accidents of non-delivery of legitimate emails, all from a practical viewpoint. This content is also recommended for companies that have already implemented DMARC.
■ Organizers and Co-organizers
Hornetsecurity K.K.
■ Cooperation
Open Source Utilization Institute, Inc.
Majisemi Co., Ltd.
Details and registration here
Majisemi will continue to hold webinars that are 'useful for participants.'
Public materials from past seminars and other currently recruiting seminars can be viewed ▶here.
Majisemi Co., Ltd.
3F Shiodome Building, 1-2-20 Kaigan, Minato-ku, Tokyo 105-0022
Contact: https://majisemi.com/service/contact/