DMARC: from p=none to reject
DMARC tells receivers what to do with mail that fails authentication, and stops others from spoofing your domain. The goal is an enforced p=reject policy — but you get there gradually so you never block your own legitimate mail. Here's the safe path.
How DMARC works
DMARC builds on SPF and DKIM. A message passes DMARC if SPF or DKIM passes and is "aligned" — the authenticated domain matches the domain in the visible From: address. You publish a DMARC record as a TXT record at _dmarc.yourdomain.com, and it carries a policy plus a reporting address.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The three policies
- p=none — monitor only. Receivers take no action on failing mail but still send you reports. Full visibility, zero risk.
- p=quarantine — failing mail goes to spam. The usual first enforcement step.
- p=reject — failing mail is rejected at the SMTP level (the sender gets a 550) and never delivered. The end goal.
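To make the pass rule and alignment concrete, here is an added example (not code from the page) that parses a DMARC record into its tags and evaluates a message the way a receiver does: SPF or DKIM must pass for a domain that is aligned with the From: domain. The `org_domain()` rule is an assumption for this example (last two labels); real receivers use the Public Suffix List. The vendor domain `bounce.crm-vendor.example` is constructed.

```python
"""Parse a DMARC record and evaluate a message against it (added example)."""


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels.
    Real receivers consult the Public Suffix List (think example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r', the default) matches organizational domains;
    strict ('s') requires an exact match with the From: domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> bool:
    """DMARC passes if SPF passes for an aligned MAIL FROM domain
    OR DKIM passes for an aligned d= domain. Both must fail for DMARC to fail."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, record.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, record.get("adkim", "r")))
    return spf_ok or dkim_ok


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com")
    # A vendor whose SPF passes only for its own bounce domain is not aligned: DMARC fails
    print(dmarc_pass(rec, "yourdomain.com", "pass", "bounce.crm-vendor.example", "none", None))
    # DKIM signed with d=mail.yourdomain.com is aligned under relaxed mode: DMARC passes
    print(dmarc_pass(rec, "yourdomain.com", "fail", "yourdomain.com", "pass", "mail.yourdomain.com"))
```

The first case is the classic trap behind "SPF passes but DMARC fails": the vendor authenticated its own domain, not yours, so it counts for nothing until it signs with DKIM for your domain or uses a return path under it.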
The rollout
1. Start at p=none with reporting
Publish p=none with a valid rua= address from day one — without it you have a policy but no visibility. Leave it running and collect aggregate reports (sent about once a day) for a few weeks; industry guidance suggests monitoring for around 90 days on larger domains.
2. Fix every legitimate sender
Use the reports to find all the services that send as your domain — your app, BlacklistGuard, your CRM, your helpdesk, and so on. Make sure each one is authenticated and aligned (SPF and/or DKIM) so it passes DMARC. Don't tighten the policy until your legitimate mail passes — that's what prevents you from blocking yourself.
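Aggregate reports arrive as XML in the RFC 7489 Appendix C format, and reading them by hand gets old fast. The following is an added example (not from the page) that summarises one report per sending IP and lists the sources that would be affected once the policy tightens. The report embedded here is constructed for the example: one record for your own app, one for a CRM vendor that passes SPF only for its own bounce domain (so it is unaligned), and one unknown source where nothing passes. Real reports come as gzip or zip attachments to the rua= mailbox.

```python
"""Summarise a DMARC aggregate (rua) report to find unauthenticated senders (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record><!-- your own app: aligned DKIM and SPF -->
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- CRM vendor: SPF passes for its own bounce domain, so it is not aligned; no DKIM -->
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- unknown source: nothing passes -->
    <row><source_ip>203.0.113.99</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> dict:
    """Aggregate the report's <record> rows per sending IP."""
    root = ET.fromstring(report_xml)
    summary = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated carries the *aligned* results: DMARC passes if either is "pass"
        aligned_dkim = rec.findtext("row/policy_evaluated/dkim")
        aligned_spf = rec.findtext("row/policy_evaluated/spf")
        passed = "pass" in (aligned_dkim, aligned_spf)
        # auth_results carries the raw domains, which is how you recognise which vendor it is
        auth = rec.find("auth_results")
        raw = {f"{a.tag}:{a.findtext('domain')}={a.findtext('result')}"
               for a in (list(auth) if auth is not None else [])}
        entry = summary.setdefault(ip, {"count": 0, "failing": 0, "auth_results": set()})
        entry["count"] += count
        if not passed:
            entry["failing"] += count
        entry["auth_results"] |= raw
    return summary


def failing_sources(report_xml: str) -> list:
    """(ip, failing_count, raw_auth_results) for every IP with DMARC failures, largest first."""
    summary = summarize(report_xml)
    rows = [(ip, e["failing"], sorted(e["auth_results"]))
            for ip, e in summary.items() if e["failing"]]
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for ip, failing, auth in failing_sources(SAMPLE_REPORT):
        print(f"{ip:16} {failing:6d} failing  {', '.join(auth)}")
```

The raw auth_results are the useful column: `spf:bounce.crm-vendor.example=pass` tells you exactly which service to fix, whereas the unknown 203.0.113.99 with a plain SPF fail is either a forgotten sender or someone else using your domain, and p=reject is what eventually handles the second case.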
3. Move to quarantine, gradually
Switch to p=quarantine and use the pct= tag to ramp — it controls the percentage of failing mail the policy applies to (the rest is treated as none). A typical ramp:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
| Stage | Record |
|---|---|
| Weeks 1–2 | p=quarantine; pct=10 |
| Weeks 3–5 | p=quarantine; pct=25 |
| Weeks 6–8 | p=quarantine; pct=50 |
| then | p=quarantine; pct=100 |
Watch your reports at each step. If a legitimate source starts failing, pause and fix it before continuing.
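An added example (not from the page) of what pct= means on the receiving side. Each failing message gets a random draw in 0..99; if the draw is below pct the published policy applies, otherwise the receiver steps down one level as RFC 7489 section 6.6.4 specifies: quarantine becomes none (the "treated as none" above) and, going beyond the page's quarantine case, reject becomes quarantine. The draw is passed in explicitly so the outcome is reproducible; a real receiver rolls it itself. The ramp stages mirror the table above.

```python
"""DMARC pct= sampling and a simulated ramp (added example)."""
import random

STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(policy: str, pct: int, passed: bool, roll: int) -> str:
    """Disposition a receiver gives one message.

    roll is the receiver's random draw in 0..99; it is a parameter here only so
    the behaviour can be tested deterministically."""
    if policy not in STEP_DOWN:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    if passed:
        return "none"           # pct only concerns mail that failed DMARC
    if roll < pct:
        return policy           # in the sampled set: full policy applies
    return STEP_DOWN[policy]    # not sampled: one level more lenient (RFC 7489 6.6.4)


def receiver_roll() -> int:
    """What a real receiver does: an independent draw per message."""
    return random.randrange(100)


def ramp_outcomes(stages, rolls) -> list:
    """For each (policy, pct) stage, count what happens to a batch of failing messages
    whose draws are `rolls`. With rolls = range(100) the counts are exact percentages."""
    results = []
    for policy, pct in stages:
        counts = {"none": 0, "quarantine": 0, "reject": 0}
        for roll in rolls:
            counts[disposition(policy, pct, False, roll)] += 1
        results.append(((policy, pct), counts))
    return results


# The ramp from the table above, followed by the final enforcement step.
RAMP = [("quarantine", 10), ("quarantine", 25), ("quarantine", 50),
        ("quarantine", 100), ("reject", 100)]

if __name__ == "__main__":
    for (policy, pct), counts in ramp_outcomes(RAMP, range(100)):
        print(f"p={policy}; pct={pct}: {counts}")
    print(disposition("reject", 25, False, receiver_roll()))
```

Note the asymmetry: pct=25 under p=quarantine leaves 75% of failing mail delivered normally, but pct=25 under p=reject still quarantines that 75%, so a pct ramp on reject is far less gentle than the same ramp on quarantine.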
4. Enforce reject
Once you're at p=quarantine; pct=100 with clean reports and no legitimate mail failing, move to full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Keep the rua= reporting in place permanently — it's how you'll spot new senders or spoofing attempts going forward.
p=reject. If any legitimate source isn't authenticated yet, reject will bounce that mail at the receiver with a 550 and it will never arrive. The whole point of the ramp is to catch those before they hurt.