Publishing a DMARC record with p=none is just the starting line. The real protection comes when you reach p=reject — but getting there too fast is one of the most common DMARC mistakes. This guide walks you through the enforcement journey safely.
Jumping straight to p=reject without monitoring can block legitimate email from third-party services you’ve forgotten about — marketing platforms, CRM tools, ticket systems, invoicing software, and more. Every organisation has “shadow senders” they don’t know about.
The DMARC Enforcement Journey
Phase 1: Monitor with p=none (Weeks 1–4)
Start with a monitoring-only policy. This tells receivers to send you reports but take no action on failing emails:
What to Do During This Phase
- Identify all legitimate senders — Review aggregate reports to find every IP/service sending email as your domain. You’ll likely discover services you forgot about.
- Fix SPF — Add include: entries for all legitimate senders. See the SPF Record Syntax Guide.
- Configure DKIM — Enable DKIM signing with your domain on every sending service. This is the most reliable path to DMARC alignment.
- Fix alignment issues — Ensure either SPF or DKIM aligns with your Header From domain for every sender.
- Wait for at least 2 report cycles — Most reporters send daily. Wait at least 2–4 weeks to capture senders that don’t fire daily (monthly newsletters, quarterly invoices, etc.).
What to Look for in Reports
Before progressing, your aggregate reports should show:
- All known senders passing DMARC
- SPF or DKIM aligned for each sender
- Failure sources are only unknown/suspicious IPs
- No legitimate email in the “fail” category
Hold off on progressing if any of these apply:
- Known senders still failing alignment
- High volume of failures from recognisable services
- Recently added a new sending service
- Haven’t collected at least 2 weeks of data
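The report review described above can be scripted. This is an added example, not code from the original guide: it totals DMARC pass/fail counts per source IP from an aggregate report in the RFC 7489 XML layout and separates failing known senders (blockers) from failing unknown IPs. The sample report, the IP addresses and the `KNOWN_SENDERS` inventory are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (placeholder IPs/domains).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical sender inventory built during Phase 1: source IP -> service name.
KNOWN_SENDERS = {"192.0.2.10": "corporate mail", "198.51.100.7": "invoicing tool"}

def summarise(report_xml):
    """Total DMARC pass/fail message counts per source IP."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        aligned = (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        outcome = "pass" if "pass" in aligned else "fail"
        stats[row.findtext("source_ip")][outcome] += int(row.findtext("count"))
    return dict(stats)

def readiness(stats, known):
    """Split failing sources into blockers (known senders) and unknown IPs."""
    failing = [ip for ip, s in stats.items() if s["fail"]]
    blockers = sorted(known[ip] for ip in failing if ip in known)
    unknown = sorted(ip for ip in failing if ip not in known)
    return {"ready": not blockers, "blockers": blockers, "unknown_failing": unknown}

if __name__ == "__main__":
    print(readiness(summarise(SAMPLE_REPORT), KNOWN_SENDERS))
```

An unknown failing IP is not automatically spoofing: check it against your list of third-party services before treating it as hostile.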
Phase 2: Quarantine with pct= (Weeks 5–8)
Once your reports look clean, move to quarantine — but use the pct tag to do it gradually:
Step 1: Quarantine 10% of failures
Only 10% of failing emails go to spam. The other 90% are still delivered normally. Wait 3–5 days and check reports.
Step 2: Quarantine 25%
Step 3: Quarantine 50%, then 100%
No pct tag = 100%. All failing emails now go to spam.
Quarantined emails end up in the spam folder — your recipients can still find them if something goes wrong. Rejected emails are bounced entirely. Quarantine gives you a safety net to catch any legitimate senders you missed.
Phase 3: Reject (Week 8+)
Once you’ve been at p=quarantine (100%) for at least 2 weeks with clean reports, you’re ready for full enforcement. Again, use pct to ramp gradually:
```
# Step 1: reject 25%
v=DMARC1; p=reject; pct=25; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
# Step 2: reject 50%
v=DMARC1; p=reject; pct=50; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
# Step 3: reject 100% (full protection) 🎯
v=DMARC1; p=reject; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
```
Handling Third-Party Senders
The biggest challenge in the enforcement journey is getting third-party services properly authenticated. Here’s a checklist of common senders to audit:
| Category | Examples | What to Configure |
|---|---|---|
| Email marketing | Mailchimp, SendGrid, Campaign Monitor | SPF include + custom DKIM signing domain |
| CRM | Salesforce, HubSpot, Zoho | SPF include + DKIM key setup in CRM settings |
| Support/Ticketing | Zendesk, Freshdesk, Intercom | Custom sending domain + DKIM |
| Accounting/Invoicing | Xero, QuickBooks, FreshBooks | Check if they send as your domain; configure DKIM if so |
| HR/Recruitment | BambooHR, Workday, Greenhouse | SPF include + custom DKIM |
| Transactional | Amazon SES, Postmark, Mailgun | SPF include + custom DKIM + custom return-path |
Don’t Forget Subdomains
Your DMARC record’s sp= tag controls the policy for subdomains. If you don’t set it, subdomains inherit the main domain’s policy.
Reject spoofing of the main domain but only monitor subdomains. Good if you have many subdomains to audit.
Reject spoofing of the main domain AND all subdomains. Best security, but ensure no subdomain sends email without authentication.
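To check what a published record actually asks receivers to do, for the pct ramp in Phases 2 and 3 and for the sp= inheritance described here, the following added example (not from the original guide) parses a DMARC record and computes the effective policy and the expected split of failing mail. It goes slightly beyond the text by applying the RFC 7489 section 6.6.4 rule that failing mail not sampled by pct under p=reject is quarantined. The `p=reject; sp=none` and `p=quarantine; pct=10` records are constructed samples.

```python
POLICIES = ("none", "quarantine", "reject")
# Policy applied to failing mail NOT sampled by pct (RFC 7489 section 6.6.4).
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

PAGE_RECORD = ("v=DMARC1; p=reject; pct=25; "
               "rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r")

def parse_dmarc(record):
    """Parse a DMARC TXT value into {tag: value}; ValueError if malformed."""
    pairs = [p.partition("=") for p in record.split(";") if p.strip()]
    if any(not sep for _, sep, _ in pairs):
        raise ValueError("every tag must be name=value")
    tags = [(k.strip().lower(), v.strip()) for k, _, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(tags)

def effective_policy(record, subdomain=False):
    """Return (policy, pct) as applied to the domain or to one of its subdomains."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    if subdomain:
        policy = tags.get("sp", policy).lower()  # no sp= tag: subdomains inherit p=
    pct = int(tags.get("pct", "100"))            # no pct= tag means 100%
    if policy not in POLICIES or not 0 <= pct <= 100:
        raise ValueError("invalid sp= or pct= value")
    return policy, pct

def expected_outcome(record, failing, subdomain=False):
    """Estimate how `failing` DMARC-failing messages are split across dispositions."""
    policy, pct = effective_policy(record, subdomain)
    enforced = failing * pct // 100
    outcome = dict.fromkeys(POLICIES, 0)
    outcome[policy] += enforced
    outcome[FALLBACK[policy]] += failing - enforced
    return outcome

if __name__ == "__main__":
    print(expected_outcome(PAGE_RECORD, 200))
    print(effective_policy("v=DMARC1; p=reject; sp=none", subdomain=True))
```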
Real-World Timeline Example
| Week | DMARC Record | Action |
|---|---|---|
| 1 | p=none | Publish DMARC record, start collecting reports |
| 2 | p=none | Review first reports, identify all sending sources |
| 3 | p=none | Configure SPF + DKIM for discovered senders |
| 4 | p=none | Confirm all legitimate senders are passing DMARC |
| 5 | p=quarantine; pct=10 | Start quarantining 10% of failures |
| 6 | p=quarantine; pct=50 | Increase to 50%, monitor for complaints |
| 7 | p=quarantine | Full quarantine (100%), verify no legitimate mail affected |
| 8 | p=reject; pct=25 | Start rejecting 25% of failures |
| 9 | p=reject; pct=50 | Increase to 50% |
| 10 | p=reject | 🎯 Full enforcement — your domain is protected |
Pre-Enforcement Checklist
Before moving from one phase to the next, confirm:
- ☐ All legitimate senders are identified in aggregate reports
- ☐ SPF record includes all authorised sending services
- ☐ DKIM is configured with your domain for all third-party senders
- ☐ At least one of SPF or DKIM aligns for every legitimate source
- ☐ You’ve monitored for at least 2 full weeks at the current policy level
- ☐ No complaints about missing or spam-foldered legitimate email
- ☐ Subdomain policy (sp=) is considered
- ☐ Team members (IT, marketing, sales) are aware of the change
Ready to create your DMARC record? Use our DMARC Record Generator to build a record with the right policy for your current stage. For a deep dive into every record tag, see DMARC Record Explained.