The DDMARC Blog

The DMARC rollout playbook: none to reject without breaking mail

Moving from p=none to p=reject is where most DMARC projects stall — usually from fear of blocking legitimate mail. Here's a staged, evidence-driven path to full enforcement.

PlatOps Security Team · 3 min read

Why teams get stuck at p=none

Publishing a DMARC record is easy. Getting to an enforcing policy — p=quarantine or p=reject — is where projects stall, sometimes for years. The fear is rational: tighten the policy too early and you start junking your own invoices, newsletters, or helpdesk replies.

The way through is not courage, it's evidence. You move forward only when your reports show that every legitimate source is authenticated and aligned. Done right, the day you flip to reject is a non-event.

The four stages

Stage 1 — Monitor with p=none

Start in monitoring mode and turn on aggregate reporting:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

p=none takes no action on failing mail, but receivers still send you daily reports. (fo=1 asks for a failure report whenever any single mechanism fails, but those reports are only delivered if you also publish a ruf= address; with rua= alone, the tag is harmless but inert.) Leave this running until you have a complete picture of every system sending as your domain, typically two to four weeks. You will almost always discover senders you forgot about: a CRM, a ticketing tool, a payroll provider, a marketing platform.

Stage 2 — Authenticate every legitimate source

For each sender the reports reveal, fix authentication so it passes and aligns:

  • Add the source to your SPF record (watch the 10-DNS-lookup limit — flatten or consolidate if you're close).
  • Enable DKIM signing on the platform and publish its public key in DNS.
  • Make sure the aligned domain matches your visible From: address.

This is the longest stage and the one that actually buys you protection. Don't rush it. The goal: every legitimate stream shows PASS in your aggregate reports, and the only failures left are genuinely unauthorized.

Stage 3 — Quarantine, ramped with pct

Now move failing mail to spam — but ramp it gradually using the pct tag so only a percentage of failing messages are affected:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

Start at pct=25, watch reports for a week, then step to 50, 75, and 100. If a legitimate sender you missed surfaces, you'll see it affect only a fraction of mail — and you can fix it before it hits everyone.

Stage 4 — Reject

Once you've held p=quarantine; pct=100 for a week or two with no surprises, move to full enforcement:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com

At reject, receivers refuse failing mail outright. Spoofed messages claiming to be your domain never reach the inbox. Note sp=reject — the subdomain policy — which closes the gap attackers love: unused subdomains.

Things that trip people up

  • The SPF 10-lookup limit. Every include: chains more lookups. Exceed ten and SPF returns permerror, which fails DMARC. Audit and flatten.
  • Forwarded mail breaks SPF. Mailing lists and forwarders rewrite the path, so SPF fails, but DKIM survives a plain forward. This is exactly why you need both, and why DKIM alignment matters most. One caveat: a list that rewrites the subject or appends a footer invalidates the DKIM signature as well, so expect some list traffic to fail regardless of how well you have configured your senders.
  • Subdomains. Mail from mail.yourdomain.com is judged by your subdomain policy, sp=, which inherits the value of p= only when you leave it out. Set sp= explicitly so the intent is unambiguous.
  • Third-party platforms. Each one needs its own DKIM setup and SPF entry. The reports tell you which are misconfigured.

How to know you're ready to advance

Don't advance on a calendar — advance on data. Before each step, your aggregate reports should show:

  1. Every known legitimate source passing and aligned.
  2. No sources you can't account for (an unexplained source could be a forgotten system, or an attacker you're about to start blocking).
  3. A stable, well-understood sending footprint.

If you can't yet read those reports confidently, start with Reading DMARC aggregate reports. And if you're doing this to meet Google and Yahoo's requirements, remember p=none satisfies the rule — but only reject actually protects your brand.
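As an added example (not code from the original post or from any DMARC vendor), here is a small Python check that turns an aggregate report into the first two signals above: it parses the RUA XML, tallies aligned pass/fail counts per source IP, compares them against a known-sender inventory, and only answers "ready" when every known source is clean and nothing unexplained remains. The report, the IP addresses and the KNOWN_SOURCES inventory are all constructed for the demo.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report, trimmed to the fields this check uses.
# 203.0.113.10 plays our known marketing platform; 198.51.100.7 is an unknown source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

KNOWN_SOURCES = {"203.0.113.10": "marketing platform"}  # assumed Stage 1 sender inventory

def summarize(xml_text):
    """Per source IP: messages seen, DMARC passes (aligned DKIM or SPF) and failures."""
    totals = defaultdict(lambda: {"count": 0, "pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* verdicts; either mechanism passing is a DMARC pass
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals[ip]["count"] += n
        totals[ip]["pass" if passed else "fail"] += n
    return dict(totals)

def readiness(totals, known):
    """Checks 1 and 2 from the list above; check 3 stays a human judgement on the output."""
    known_failing = [ip for ip in totals if ip in known and totals[ip]["fail"]]
    unknown = [ip for ip in totals if ip not in known]
    unknown_passing = [ip for ip in unknown if totals[ip]["pass"]]  # authorized but not inventoried: likely a forgotten system
    return {"ready": not known_failing and not unknown,
            "known_failing": known_failing, "unknown": unknown, "unknown_passing": unknown_passing}
```

Real reports arrive as gzip or zip attachments, one per receiver per day; run this over the extracted XML and merge the dictionaries across receivers before deciding.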
