Publishing a DMARC record with p=none is just the starting line — it tells you what’s happening, but it doesn’t stop the fakes. The real protection comes when you reach p=reject, where forged emails are blocked outright. But rushing there is one of the most common mistakes people make. This guide walks you through the journey safely.
Jumping to p=reject without monitoring first can block real email from third-party services you’ve forgotten about — your marketing platform, CRM, support tickets, invoicing software, and more. Every business has “hidden senders” they don’t realise are sending email on their behalf.
The Road to Full Protection
Phase 1: Watch and Learn — p=none (Weeks 1–4)
Start with a “monitor only” rule. This tells email providers around the world to send you reports about emails that use your domain — but not to take any action. No email is blocked, no email goes to spam. You’re just watching:
What to Do During This Phase
- Find all your real senders — Review your reports to discover every server and service that’s sending email using your domain. You’ll almost certainly find services you forgot about.
- Update your authorised sender list (SPF) — Make sure every legitimate service is included in your SPF record.
- Set up digital signatures (DKIM) — Turn on DKIM signing with your domain in every sending service. This is the most reliable way to pass DMARC’s matching checks (called “alignment”).
- Fix any matching problems — Make sure each legitimate sender’s emails match your domain in at least one way (SPF or DKIM).
- Wait at least 2–4 weeks — Some senders don’t send every day. Monthly newsletters, quarterly invoices, and seasonal campaigns need time to show up in reports.
How to Know You’re Ready to Move On
Before moving to the next phase, your reports should show:
- All your known senders are passing
- Each sender passes either SPF or DKIM (and it matches your domain)
- The only failures are from unknown or suspicious servers
- No real email showing up in the “fail” list
Don’t move on yet if:
- Known services are still failing
- You see familiar company names in the failure reports
- You recently started using a new email service
- You haven’t been monitoring for at least 2 weeks
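The readiness rules above can be checked mechanically against an aggregate (rua) report. The following is an added example, not code from this guide: the report XML is a constructed, trimmed sample in the RFC 7489 aggregate layout, and the sender inventory and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def sample_record(ip, count, dkim, spf):
    # One <record> of a constructed sample report (RFC 7489 aggregate layout, trimmed).
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample data; addresses are from the documentation ranges.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + sample_record("192.0.2.10", 120, "pass", "pass")   # own mail server
                 + sample_record("192.0.2.10", 4, "fail", "pass")     # SPF-aligned only
                 + sample_record("198.51.100.7", 30, "fail", "fail")  # invoicing, not set up
                 + sample_record("203.0.113.99", 5, "fail", "fail")   # nobody we recognise
                 + "</feedback>")
# Hypothetical hand-maintained inventory of legitimate senders.
KNOWN_SENDERS = {"192.0.2.10": "own mail server", "198.51.100.7": "invoicing service"}

def summarise(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} counted by DMARC-aligned result."""
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("refusing XML with DTD/entities: reports come from third parties")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned verdicts; one aligned pass is enough.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)

def readiness(summary, known):
    """Apply the 'ready to move on' rules: no known sender may have failing mail."""
    blockers = [f"{name} ({ip}): {summary[ip]['fail']} failing"
                for ip, name in known.items() if summary.get(ip, {}).get("fail")]
    unknown = sorted(ip for ip, c in summary.items() if ip not in known and c["fail"])
    return {"ready": not blockers, "blockers": blockers, "unknown_failing": unknown}

if __name__ == "__main__":
    print(readiness(summarise(SAMPLE_REPORT), KNOWN_SENDERS))
```

Sources listed under unknown_failing still need a look before you tighten the policy: each one is either a forgotten service or a forger.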
Phase 2: Send Fakes to Spam — p=quarantine (Weeks 5–8)
Once your reports look clean, it’s time to start taking action. “Quarantine” means emails that fail your checks get sent to the spam folder instead of the inbox. But don’t do it all at once — ramp up gradually using the pct (percentage) setting:
Step 1: Spam only 10% of failures
Only 10% of failing emails go to spam. The other 90% are still delivered normally. Wait 3–5 days and check your reports.
Step 2: Increase to 25%
Step 3: Increase to 50%, then 100%
When there’s no pct setting, the policy applies to 100% of failing emails.
Emails sent to spam can still be found by your recipients if something goes wrong — they can check their junk folder. Blocked emails are bounced completely and never arrive. Think of quarantine as a safety net: you’re catching the fakes, but if you accidentally catch a real email, it’s still recoverable.
Phase 3: Block the Fakes — p=reject (Week 8+)
Once you’ve been at full quarantine for at least 2 weeks with clean reports and no complaints about missing email, you’re ready for the final step: outright blocking. Again, ramp up gradually:
# Step 1: Block 25%
v=DMARC1; p=reject; pct=25; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
# Step 2: Block 50%
v=DMARC1; p=reject; pct=50; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
# Step 3: Block 100% — full protection 🎯
v=DMARC1; p=reject; rua=mailto:your-selector@dmarccloud.com; adkim=r; aspf=r
Getting Your Third-Party Services in Order
The biggest challenge on this journey is making sure all the services that send email on your behalf are properly set up. Here’s a checklist of common ones to look at:
| Type of Service | Examples | What to Set Up |
|---|---|---|
| Email marketing | Mailchimp, SendGrid, Campaign Monitor | Add to your sender list (SPF) + set up digital signatures (DKIM) with your domain |
| CRM | Salesforce, HubSpot, Zoho | Add to sender list + configure DKIM in CRM settings |
| Support / Help desk | Zendesk, Freshdesk, Intercom | Set up a custom sending domain + DKIM |
| Accounting / Invoicing | Xero, QuickBooks, FreshBooks | Check if they send as your domain — if so, configure DKIM |
| HR / Recruitment | BambooHR, Workday, Greenhouse | Add to sender list + DKIM |
| Automated / system emails | Amazon SES, Postmark, Mailgun | Add to sender list + DKIM + configure the “bounce address” to use your domain |
Don’t Forget About Subdomains
Your DMARC record has a subdomain setting (sp=) that controls what happens with email from subdomains like marketing.yourdomain.com or support.yourdomain.com. If you don’t set it, subdomains follow the same rule as your main domain.
Block fakes for your main domain but only monitor subdomains. Good if you have lots of subdomains that need auditing.
Block fakes for your main domain AND all subdomains. Best security, but make sure no subdomain sends email without proper setup.
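How pct and sp= combine is easiest to see by computing what happens to a batch of failing messages. This is an added example, not part of the original guide: the function names are hypothetical, the quarantine and sp= records in the usage section are constructed in the same shape as the guide's reject records, and the fallback for messages outside the pct sample follows RFC 7489 section 6.6.4.

```python
# Policy applied to failing mail that falls outside the pct sample (RFC 7489, 6.6.4).
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Split a DMARC TXT value into a {tag: value} dict and sanity-check it."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in FALLBACK:
        raise ValueError("not a usable DMARC record: " + record)
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags

def failing_mail_outcome(record, failing, subdomain=False):
    """Expected handling of `failing` unauthenticated messages, by disposition."""
    tags = parse_dmarc(record)
    # sp= only affects subdomains; without it they inherit the main p= policy.
    policy = (tags.get("sp", tags["p"]) if subdomain else tags["p"]).lower()
    if policy not in FALLBACK:
        raise ValueError("unknown sp value: " + policy)
    # Receivers sample at random, so these are expected counts, not exact ones.
    enforced = failing * int(tags.get("pct", "100")) // 100
    outcome = {"reject": 0, "quarantine": 0, "none": 0}
    outcome[policy] += enforced
    outcome[FALLBACK[policy]] += failing - enforced
    return outcome

if __name__ == "__main__":
    rua = "rua=mailto:your-selector@dmarccloud.com"
    for rec, sub in [
        (f"v=DMARC1; p=quarantine; pct=10; {rua}", False),     # constructed
        (f"v=DMARC1; p=reject; pct=25; {rua}", False),         # from the guide
        (f"v=DMARC1; p=reject; sp=none; {rua}", True),         # constructed
    ]:
        print(rec, "subdomain" if sub else "main domain", failing_mail_outcome(rec, 200, sub))
```

At p=reject with pct=25, the 75% of failing mail outside the sample is quarantined, not delivered normally, so the first reject step is already stricter than full quarantine.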
Example Timeline: What This Looks Like in Practice
| Week | DMARC Setting | What You’re Doing |
|---|---|---|
| 1 | p=none | Publish your DMARC record, start collecting reports |
| 2 | p=none | Review your first reports, discover all the services sending email as you |
| 3 | p=none | Set up SPF and DKIM for every legitimate sender you’ve found |
| 4 | p=none | Confirm all legitimate senders are now passing in your reports |
| 5 | p=quarantine; pct=10 | Start sending 10% of fake emails to spam |
| 6 | p=quarantine; pct=50 | Increase to 50% — check that nobody’s complaining about missing email |
| 7 | p=quarantine | Full quarantine (100%) — all fakes go to spam. Confirm no real email is affected |
| 8 | p=reject; pct=25 | Start blocking 25% of fakes outright |
| 9 | p=reject; pct=50 | Increase to 50% |
| 10 | p=reject | 🎯 Full protection — your domain is defended. Fake emails are blocked. |
Before You Move to the Next Phase — Checklist
Before tightening your policy at each stage, make sure:
- ☐ All your legitimate senders show up as “passing” in your reports
- ☐ Your authorised sender list (SPF) includes every service that sends email as your domain
- ☐ Digital signatures (DKIM) are set up with your domain on every third-party service
- ☐ Each legitimate sender passes at least one check (SPF or DKIM) that matches your domain
- ☐ You’ve been monitoring at the current level for at least 2 full weeks
- ☐ Nobody has reported missing email or email going to spam unexpectedly
- ☐ You’ve thought about your subdomain rule (sp=)
- ☐ Your team (IT, marketing, sales) know the change is coming
Ready to create or update your DMARC record? Use our DMARC Record Generator to build a record that matches your current stage. For a detailed breakdown of every setting, see DMARC Record Explained.