My domain is being spoofed - customers receive emails from my domain addresses and they are not marked as spam/junk/phishing by recipient email providers. I made sure that those emails don’t originate from my email system. So far some AOL users reported it, but there are others as well.
Whatever forum suggested that a DMARC policy of none is “recommended” is sorely mistaken. A DMARC policy of none is the same as having no DMARC policy and does absolutely nothing to prevent email impersonation.
At a minimum, you need a DMARC policy of quarantine to indicate that you do not want spoofed email to be delivered. Before increasing your DMARC policy, make sure that you are regularly reviewing aggregate DMARC reports. The last thing you want is to send all of your mails to spam because you don’t know that you had an SPF or DKIM problem.
Thanks for sharing the additional details. I was attempting to imply that only you can make the call on whether the time is right to increase your DMARC policy. If you have observed that all of your email is passing DMARC, you should be fine.
No, you don’t need Outlook in your SPF records if Google is your email provider.
An SPF record is essentially a list of IP addresses that are allowed to sent emails from your domain. If Google is your email provider, then your emails will be sent from Google IP addresses, even if you use the Outlook email client.
But you need to keep Zendesk and Mailgun in the record.
Also, have you tried mail-tester to see if DKIM is working?