Why teams get stuck at p=none
Publishing a DMARC record is easy. Getting to an enforcing policy — p=quarantine or p=reject — is where projects stall, sometimes for years. The fear is rational: tighten the policy too early and you start junking your own invoices, newsletters, or helpdesk replies.
The way through is not courage, it's evidence. You move forward only when your reports show that every legitimate source is authenticated and aligned. Done right, the day you flip to reject is a non-event.
Before you start
Three things separate a rollout that takes a month from one that drags for a year:
- A reporting address someone actually watches. Aggregate (
rua=) reports are useless landing in an unmonitored inbox. Point them somewhere a person — or a tool — reads regularly. - An inventory of your senders. Before you read a single report, list every system that sends mail as your domain: marketing platform, CRM, helpdesk, billing, payroll, internal apps. The reports will surface the ones you forgot, but starting from a list cuts Stage 2 down sharply.
- Access to your DNS. Every stage is a DNS change. If your records sit with a separate team or registrar, line that access up now so you aren't blocked mid-rollout.
None of this is heavy lifting — it's the groundwork that keeps the project from stalling.
The four stages
Stage 1 — Monitor with p=none
Start in monitoring mode and turn on aggregate reporting:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
p=none takes no action on failing mail, but receivers still send you daily reports. Leave this running until you have a complete picture of every system sending as your domain — typically two to four weeks. You will almost always discover senders you forgot about: a CRM, a ticketing tool, a payroll provider, a marketing platform.
Stage 2 — Authenticate every legitimate source
For each sender the reports reveal, fix authentication so it passes and aligns:
- Add the source to your SPF record (watch the 10-DNS-lookup limit — flatten or consolidate if you're close).
- Enable DKIM signing on the platform and publish its public key in DNS.
- Make sure the aligned domain matches your visible
From:address.
This is the longest stage and the one that actually buys you protection. Don't rush it. The goal: every legitimate stream shows PASS in your aggregate reports, and the only failures left are genuinely unauthorized.
Stage 3 — Quarantine, ramped with pct
Now move failing mail to spam — but ramp it gradually using the pct tag so only a percentage of failing messages are affected:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Start at pct=25, watch reports for a week, then step to 50, 75, and 100. If a legitimate sender you missed surfaces, you'll see it affect only a fraction of mail — and you can fix it before it hits everyone.
Stage 4 — Reject
Once you've held p=quarantine; pct=100 for a week or two with no surprises, move to full enforcement:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com
At reject, receivers refuse failing mail outright. Spoofed messages claiming to be your domain never reach the inbox. Note sp=reject — the subdomain policy — which closes the gap attackers love: unused subdomains.
Things that trip people up
- The SPF 10-lookup limit. Every
include:chains more lookups. Exceed ten and SPF returnspermerror, which fails DMARC. Audit and flatten. - Forwarded mail breaks SPF. Mailing lists and forwarders rewrite the path, so SPF fails — but DKIM survives. This is exactly why you need both, and why DKIM alignment matters most.
- Subdomains. A policy on
yourdomain.comdoesn't automatically covermail.yourdomain.com. Setsp=explicitly. - Third-party platforms. Each one needs its own DKIM setup and SPF entry. The reports tell you which are misconfigured.
Make the reports readable
The biggest reason rollouts stall isn't policy — it's that aggregate reports arrive as compressed XML, one file per receiver per day, from dozens of sources. Nobody can eyeball that. Teams publish p=none, the XML piles up unread, and the project quietly dies at Stage 1.
You have two options. Parse the XML yourself — a real engineering effort once you account for schema quirks, mapping sending IPs to organizations, and tracking trends over time — or point rua= at a service that turns it into a dashboard: who's sending as you, what's passing, and what will break when you tighten the policy. That visibility is the entire point of DMARC monitoring; it's what lets you advance on evidence instead of hope.
How to know you're ready to advance
Don't advance on a calendar — advance on data. Before each step, your aggregate reports should show:
- Every known legitimate source passing and aligned.
- No unexplained
PASSsources you can't account for (could be a forgotten system — or an attacker you're about to start blocking). - A stable, well-understood sending footprint.
If you can't yet read those reports confidently, start with Reading DMARC aggregate reports. And if you're doing this to meet Google and Yahoo's requirements, remember p=none satisfies the rule — but only reject actually protects your brand. Use the DMARC record generator to build a correctly formatted record for each stage.
After reject: don't set and forget
Reaching p=reject is the milestone, not the finish line. Your sending footprint keeps changing — a new marketing tool here, a migrated mail platform there — and each addition needs SPF and DKIM in place before it goes live, or it gets rejected along with the spoofers. Keep the aggregate reports flowing and keep reading them; a quiet report is a healthy one.
Most teams also publish a BIMI record at this point. Once you're enforcing at reject, you've met the precondition to display your logo in supporting inboxes — both a visible trust signal for recipients and a small payoff for the work. Enforcement is a posture you maintain, not a box you tick once. But the hard part — getting there without breaking mail — is behind you the moment your reports go quiet.