spoof

BASIC spoofing mitigation deployment levels NOV 2021 upd aug 22, 2022

SPF $75 (incl. demo* upon completion)
SPF + DMARC $180 2.0 hr (incl. demo* upon completion)
DKIM $225 (2.5 hr nom.)
DKIM + DMARC $270 (3.0 hr nom.)
SPF + DKIM + DMARC $315 (3.5 hr nom.)

disable aggregate reporting; configure SPF record; enable DKIM; DMARC policy=quarantine 100%;
disable Reject (to be done at later phase)
no monitoring (extra)

SPF + DKIM + DMARC + reporting & monitoring & maintenance $500 ~ $5000

low-end if you have in-house IT, covers consulting & strategizing for them
4- / 5- / 6-phased implementation, on-going projects

NOTE: Prices assume that we're acting as your domain registration agent, have [momentary] unfettered access to NS pointing + DNS records (editing), are familiar with your control panel, etc. Any exception encountered, COULD trigger additional fees, at standard consultation rate, to cover the investigation & logistical guidance. Where email is hosted is irrelevant.

Before any of these deployment (1 to 6), there is also mandatory level 0 (zero), consultation, pre-screening, defining, etc. Sometimes, the project terminates† after consultation session, because... that's the most optimal choice.

NOTE: Many organizations would incorporate commercial grade private hosted SMTP service. Changing 1 thing, might trigger another few obligatory changes.

* demo that it's compliant with project specs, not live tutorial (extra), EXCL on-going review, advice, monitoring, maintenance, reaction (to situations), etc.

† OR suspended, pending completion of other newly triggered projects + additional meetings, but implementation deferred

What Is It?

implement things, publish things at your domain, so recipients can reject
comply with recipient company requirements, so you're not rejected by their policy
defensive settings for non-sending domains you own

by definition, any meaningful implementation of DMARC will be phased (4~6)

mitigate ID spoofing, improve your own send deliverability (fail less)
sticky points: mass mailers you use (implicitly?) & your prof org sending on your behalf; roamers using non-standard smtp
not fix all, still can fall thru cracks
impostors can still succeed
creates its own complications & failures

FYI:

This is done PER-DOMAIN. It's common to deploy for just the primary (but not all) domain (just like TLS certificate policy).
This is done to the domain, not to the email hosting plan, and not per-mailbox
Hosting is monthly. Domain name is annual. Certs are annual. This anti-spoofing mitigation is 1-time for implementation (non-recurring).

DEMO & Limitations

successful delivery to your gmail & outlook.com
optional$$$: demo failure as expected, with intentionally misconfigured domain; but those still get thru to "unprotected" recipients
explain anticipation of failing at some unreasonably restrictive sites, and malforming of header, from time to time
covers single authorized server (and associated testing), at the time of deployment