DMARC rollout from p=none to p=reject
How to roll out DMARC enforcement progressively — the journey from monitoring to enforced anti-spoofing.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer above SPF and DKIM that tells receiving mail servers what to do when authentication fails. Moving from no DMARC to p=reject is a journey, typically 6–12 months for an organisation with significant email infrastructure.
The DMARC policy stages
Three policy levels:
- p=none — monitor only. Report-only mode. No enforcement; receivers send DMARC reports but don't act on failures.
- p=quarantine — send unauthenticated mail to Junk Email / quarantine. Soft enforcement.
- p=reject — reject unauthenticated mail entirely. Strong enforcement; never delivered.
The journey: start at p=none, gather data, fix issues, progressively move to enforcement.
Pre-rollout
Before publishing a DMARC record:
- SPF record must be in place and accurate.
- DKIM must be signing all outbound mail from your domain.
- Inventory all senders — every system that sends email as your domain (marketing platforms, helpdesk, CRM, internal applications, third-party services).
- DMARC reporting endpoint — set up to receive aggregated and forensic reports.
Reporting endpoints typically point to DMARC analyser services (dmarcian, Valimail, EasyDMARC, dmarcanalyzer.com) or a custom mailbox whose XML attachments you'll parse and analyse yourself. The analyser services are dramatically more efficient than manual analysis.
Publish at p=none
Add a DNS record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; fo=1
This says:
- DMARC version 1.
- Policy: none (just monitor).
- Aggregated reports to the specified address.
- Failure (forensic) reporting option. fo=1 asks receivers to generate a failure report when either SPF or DKIM fails, not only when both do; note that failure reports are only sent if a ruf= address is also published, which this record does not include.
Wait 1–2 weeks. Reports start arriving — Gmail, Outlook, Yahoo, and other providers send daily aggregated reports showing sends from your domain and their authentication status.
Analyse the reports
The reports show:
- Sending IPs / sources for your domain.
- SPF and DKIM authentication results per source.
- DMARC alignment — whether the SPF/DKIM-authenticated domain matches the From: header.
- Volume per source.
You'll discover:
- Legitimate senders failing — typically because SPF doesn't include their IP or DKIM isn't configured.
- Unknown senders — marketing platform you forgot, shadow IT sending email.
- Spoofers — bad actors sending fake email from your domain (this is what DMARC is for).
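The triage described above, as an added example (not code from the original article): a small parser for a DMARC aggregate (rua) report that totals results per source IP and buckets each source as aligned, a legitimate-but-misaligned sender, or unauthenticated. The report is a constructed sample trimmed to the elements used; the IPs and mailer.example domain are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a DMARC aggregate (rua) report, cut down to the
# elements used below. Real reports arrive as gzip/zip XML attachments.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourcompany.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.com</header_from></identifiers>
  <auth_results><spf><domain>mailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourcompany.com</header_from></identifiers></record>
</feedback>"""

def summarise(report_xml):
    """Per source IP: message count, DMARC-passing count, and any domain that raw SPF/DKIM verified."""
    out = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "raw_auth": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* results; DMARC passes if either does
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            out[ip]["dmarc_pass"] += n
        out[ip]["count"] += n
        for auth in rec.iter("auth_results"):
            for m in auth:  # <spf>/<dkim> children name the domain actually checked
                if m.findtext("result") == "pass":
                    out[ip]["raw_auth"].add(m.findtext("domain"))
    return dict(out)

def label(s):
    """Bucket one source the way the rollout analysis does."""
    if s["dmarc_pass"] == s["count"]:
        return "aligned"
    if s["raw_auth"]:  # authenticates, but for a domain that does not align with From:
        return "misaligned: passes SPF/DKIM for " + ", ".join(sorted(s["raw_auth"]))
    return "unauthenticated (unknown sender or spoofing)"

def classify(summary):
    return {ip: label(s) for ip, s in summary.items()}
```

A misaligned source is the usual "legitimate sender failing" case: the vendor signs or passes SPF for its own domain, so the fix is DKIM signing with your domain or adding their mechanism to your SPF record.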
Fix legitimate failures
For each legitimate sender failing DMARC:
- Add their SPF mechanism to your SPF record (subject to SPF's 10-lookup limit).
- Configure DKIM signing on their platform — usually a vendor configuration.
- Check DMARC alignment if the sender authenticates with a subdomain: relaxed alignment (the default) accepts a match on the organisational domain, while strict alignment requires the SPF/DKIM domain to match the From: domain exactly.
This is where the multi-month timeline comes from — coordinating with each sending team to fix their setup.
Move to p=quarantine
Once legitimate senders are reliably passing:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourcompany.com
pct=25 says "apply this policy to 25% of failures" — partial enforcement during transition; the remaining failures receive the next less severe policy (none, in this case). Increase to 50, 75, 100 over weeks. Monitor reports for impact at each step.
Quarantine sends failing mail to Junk Email. Recipients receive it but it's flagged.
Move to p=reject
Final state:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com
Failing mail is rejected — never delivered. Strongest anti-spoofing protection.
By this point, all legitimate senders should be authenticated, so reject only affects actual spoofing attempts.
Subdomain policy
DMARC supports separate policy for subdomains via sp=:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourcompany.com
Without sp=, subdomains inherit the main policy. For specific subdomain control (e.g., marketing.yourdomain.com with different posture), use a separate subdomain DMARC record.
Modern requirements
In 2024, Gmail and Yahoo introduced bulk-sender requirements mandating DMARC for senders sending more than 5,000 messages a day to their users. Without DMARC, these senders get throttled or blocked. This has accelerated DMARC adoption significantly.
BIMI
Once you're at enforcement — p=reject, or p=quarantine with pct=100 — you qualify for BIMI (Brand Indicators for Message Identification), which displays your brand logo next to your email in supported clients. A nice reward for completing the DMARC journey.
Operational considerations
- A DMARC analyser service is worth the cost for non-trivial volumes.
- Quarterly review of DMARC reports — new senders appear; old senders change configurations.
- Document the sending sources for future operations.
- Reporting endpoint resilience — if the endpoint goes down, you lose reports temporarily.
For organisations with significant email infrastructure, the DMARC journey is one of those investments that's invisible when complete and obviously broken when not. Start at p=none, finish at p=reject, take the time needed — done well, it's permanent.