Policy Progression
DMARC only protects your domain once you enforce it. This guide covers the safe path from monitoring to full rejection - and how to use report data so you never block your own mail.
The Three Policies
The p= tag in your DMARC record tells receiving servers what to do with messages that fail DMARC:
- p=none - take no action; deliver normally and just send reports. Pure monitoring.
- p=quarantine - treat failing mail as suspicious; most receivers route it to the spam or junk folder.
- p=reject - refuse failing mail outright at the SMTP level. It never reaches the recipient.
At p=none your domain gains visibility but no protection - spoofed mail still lands in inboxes. The goal of every DMARC deployment is to reach p=reject safely. Most organizations get there in 4 to 12 weeks.
Phase 1: Monitor at p=none
Stay at p=none until you have a complete, clean picture of your sending ecosystem:
- Collect at least 2 to 4 weeks of reports - long enough to capture monthly newsletters, billing runs, and other periodic senders
- Identify every legitimate sending source in your dashboard and confirm ownership with the relevant teams
- Fix authentication for each one: add to SPF, enable custom DKIM, or both
- Watch the DMARC pass rate for legitimate sources climb toward 100 percent
The single biggest mistake in DMARC deployment is tightening the policy before low-frequency senders have appeared in reports. Patience here is what makes enforcement painless.
Readiness Checklist Before Tightening
Move forward only when all of these are true:
- Every known legitimate source passes DMARC (SPF or DKIM passing with alignment) at or near 100 percent
- No new legitimate sources have appeared in reports for at least two weeks
- Remaining failures are confirmed spoofing or expected forwarding losses, not your own mail
- Stakeholders who own email-sending tools (marketing, sales ops, support) have signed off on the source inventory
A small residual failure rate from forwarding is normal and acceptable - forwarded mail often breaks SPF, and mailing lists can break DKIM. Do not wait for a literal 100 percent overall pass rate that spoofers will prevent you from ever reaching.
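One way to automate the first checklist item from aggregate (rua) report data, as an added example and not code from this guide or from DMARCsimple: it parses the RFC 7489 aggregate-report XML, reads the aligned DKIM/SPF results from policy_evaluated, and computes per-source pass rates against a hypothetical known-source inventory, flagging known sources below threshold and sources nobody has claimed. The report, IPs and the 98 percent threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 XML shape (not a real receiver's data).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>990</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""
# Hypothetical inventory of sources the owning teams have confirmed as legitimate.
KNOWN_SOURCES = {"192.0.2.10": "corporate mail", "198.51.100.7": "billing platform"}

def pass_rates(report_xml):
    """Per source IP: (messages passing DMARC, total messages) from policy_evaluated."""
    totals = defaultdict(lambda: [0, 0])
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")  # holds the aligned results, not raw auth_results
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):  # either aligned pass = DMARC pass
            totals[ip][0] += count
        totals[ip][1] += count
    return {ip: (p, t) for ip, (p, t) in totals.items()}

def readiness(report_xml, known, threshold=0.98):
    """Ready to tighten only if every known source passes at or above threshold."""
    findings, ready = [], True
    for ip, (p, t) in sorted(pass_rates(report_xml).items()):
        rate = p / t
        if ip not in known:
            findings.append(f"UNKNOWN {ip}: {t} msgs, {rate:.1%} pass - identify it or treat as spoofing")
        elif rate < threshold:
            ready = False
            findings.append(f"FIX {known[ip]} ({ip}): {rate:.1%} pass, {t - p} of {t} failing")
        else:
            findings.append(f"OK {known[ip]} ({ip}): {rate:.1%} pass")
    return ready, findings
```

Real reports arrive zipped or gzipped and often as many files per day; feed each decompressed XML body to readiness() and aggregate the findings across the whole monitoring window.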
Phase 2: Quarantine with a Gradual pct Rollout
The pct= tag applies your policy to only a percentage of failing messages, which makes a staged rollout possible:
- Start with v=DMARC1; p=quarantine; pct=10; rua=... - only 10 percent of failing mail is quarantined
- Watch reports for a week; if no legitimate mail is being caught, step up: pct=25, then pct=50, then pct=100
- If legitimate mail starts failing, drop back to p=none or a lower pct, fix the source, and resume
Messages not selected by pct at quarantine are treated as p=none, so the rollout degrades gracefully. Run at p=quarantine; pct=100 for at least a few weeks before considering reject.
Phase 3: Move to Reject
p=reject is the destination - spoofed mail is refused outright and your domain is genuinely protected:
- Confirm quarantine at full percentage produced no reports of missing legitimate mail
- Update the record to v=DMARC1; p=reject; rua=...
- Consider the subdomain policy: sp=reject ensures subdomains you never send from cannot be spoofed either
- Monitor closely for the first two weeks after the change
Unlike quarantine, rejected mail generates an immediate bounce to the sender, so a legitimate sender that was missed will usually surface quickly - another reason the quarantine phase matters.
Enforcement Is Not the Finish Line
Email infrastructure changes constantly, so keep monitoring after you reach p=reject:
- New tools and vendors start sending as your domain without telling IT - reports catch them before users notice bounces
- Vendors rotate IPs and DKIM keys; alignment can drift silently
- DMARCsimple alerts you when a new source appears or a known source starts failing
Review Reading Reports for the weekly routine, and see Troubleshooting if a legitimate sender breaks after enforcement.