How to get to p=reject without breaking email
2026-06-16
Most domains publish a DMARC record, set it to p=none, and never move again. But monitoring forever protects no one: spoofed mail still reaches inboxes, because p=none tells receivers to do nothing on failure. The real goal is p=reject, where forged mail in your name is refused outright. Getting there without blocking your own legitimate mail isn't about courage — it's about method. This guide lays out that method, step by step.
If DMARC itself is new to you, start with what is DMARC; if the SPF/DKIM/alignment relationship is fuzzy, read how the three work together first. Everything below assumes those basics.
Why domains stall at p=none
The reason is fear, and it's rational. Organizations send mail from far more places than they realize — the marketing platform, the CRM, the billing system, the help desk, the HR tool, and that one app a team set up two years ago without telling IT. Tighten the policy before each of those is authenticated and aligned, and you risk sending your own invoices and password resets to spam. So the record sits at p=none indefinitely, monitoring while spoofers operate freely. The way out is to replace fear with data — which is exactly what the reports give you.
Step 1: Publish p=none and collect reports
Start in observation mode. Publish a DMARC record with p=none and a rua= address so receivers send you daily aggregate reports. Nothing about your mail flow changes; you simply start seeing who sends in your name. Let reports accumulate for a few weeks so you capture monthly senders (invoicing, statements) as well as daily ones. Learning to read those reports pays off immediately — see reading DMARC aggregate reports.
Step 2: Inventory every legitimate sender
The aggregate reports reveal every IP sending as your domain. Your job is to turn that list of addresses into a list of services: "that high-volume IP passing DKIM is our email platform; the one failing both is the CRM; this other one is a survey tool marketing forgot about." This inventory is the whole game — you cannot safely enforce a policy until you know, with confidence, who legitimately sends for you. Expect surprises; there are always a few sources nobody remembered.
Step 3: Align each legitimate source
For every legitimate sender, make sure it not only passes SPF or DKIM but aligns with your From: domain. In practice that usually means setting up DKIM signing with a branded domain (d=your-domain.com) on each platform, because third-party senders rarely align SPF. Work through the list until every real source shows an aligned pass in the reports. This is the bulk of the effort, and it's where most of the calendar time goes.
Step 4: Move to quarantine
When the reports show your legitimate sources all aligned, raise the policy to p=quarantine. Unauthenticated mail now goes to spam rather than the inbox — a real defense, but a reversible one if something slipped through. You can stage this with the pct tag (for example pct=25, then 50, then 100) to apply the policy to a growing fraction of failing mail while you watch for any legitimate source you missed.
Step 5: Move to reject
When quarantine runs clean — the only failing sources left are ones you don't recognize, i.e. spoofers — raise the policy to p=reject. Forged mail in your name is now refused at the door. Set your subdomain policy (sp) to match, so attackers can't simply pivot to a subdomain. You've reached enforcement.
How long does it take?
For a small domain with one or two senders, days. For a large organization with dozens of platforms across business units and regions, a few months is normal — most of it spent on Step 3, aligning sources, not on flipping the policy. The pace is set by how quickly you can get each platform configured, not by DMARC itself.
Common pitfalls on the way
- Tightening too early. The single most common way to break mail. Let the reports prove a source is aligned before you enforce against it.
- Forgetting the envelope vs header distinction. A source can pass raw SPF yet fail DMARC because it isn't aligned. Always read alignment, not just pass/fail.
- Leaving subdomains open. Enforce on the root but forget sp, and spoofers move to mail.your-domain.com.
- Stopping at quarantine. It's progress, but spoofed mail still reaches the spam folder, where some users dig it out. p=reject is the goal.
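The inventory and readiness check from Steps 2 to 4, and the envelope-vs-header pitfall above, as an added example (not code from the original page or from Marc): it parses a constructed aggregate report in the RFC 7489 XML shape, records per source IP whether it shows a DMARC-aligned pass versus only a raw SPF/DKIM pass, and lists which known legitimate sources still block a move to quarantine. The IPs, domains and the known-sender map are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report in the RFC 7489 XML shape; not a real report.
# Source 1: DKIM-aligned email platform. Source 2: CRM passing raw SPF for its own
# bounce domain (not aligned with the From: domain). Source 3: unknown sender failing both.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def summarize(xml_text):
    """Per source IP: message count, DMARC-aligned pass (policy_evaluated already
    accounts for alignment) and raw SPF/DKIM pass (auth_results, alignment ignored)."""
    summary = {}
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        ip = row.findtext("source_ip")
        s = summary.setdefault(ip, {"count": 0, "aligned": False, "raw_pass": False})
        s["count"] += int(row.findtext("count"))
        # Either aligned DKIM or aligned SPF is enough for DMARC to pass.
        s["aligned"] |= "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        s["raw_pass"] |= any(r.findtext("result") == "pass" for r in rec.findall("auth_results/*"))
    return summary


def blockers(summary, known_senders):
    """Legitimate sources still lacking an aligned pass: fix these before p=quarantine.
    A value of True marks the classic 'passes raw SPF but fails DMARC' case."""
    return {ip: summary.get(ip, {"raw_pass": False})["raw_pass"]
            for ip in known_senders if not summary.get(ip, {}).get("aligned")}


def unknown_sources(summary, known_senders):
    """Everything else: inventory candidates now, spoofers once the inventory is complete."""
    return sorted(ip for ip in summary if ip not in known_senders)
```

Run it over a month of real reports and the policy is safe to tighten only once blockers() comes back empty.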
Why p=reject is worth the effort
Reaching enforcement is a real project, so it's fair to ask what it buys you beyond ticking a compliance box. Quite a lot, as it turns out:
- Spoofing actually stops. This is the headline. At p=reject, a forged email using your exact domain in the From: is refused by receivers before it ever reaches a customer. Phishing that impersonates you simply stops being deliverable — not filtered, not flagged, but rejected outright.
- Better deliverability for your real mail. Mailbox providers trust enforcing domains more. A domain at p=reject with clean alignment is a strong positive reputation signal, and your legitimate campaigns and transactional messages benefit from it every day.
- Compliance, handled. Enforced DMARC satisfies the Gmail and Yahoo sender requirements with room to spare, and stands as a clear, auditable control to point to for frameworks like NIS2 and DORA.
- The logo opportunity. Only enforcing domains can publish BIMI and display a verified logo in the inbox — a visible trust mark and a brand asset you cannot unlock any other way.
- Peace of mind that lasts. Once you're at p=reject with monitoring still in place, any new unauthorized sender shows up in your reports instead of in your customers' inboxes. The hard part is the climb; staying there is mostly watching the reports stay clean.
Set against the cost of a single successful impersonation — fraud losses, support overload, lasting brand damage — the few weeks of alignment work pay for themselves quickly. The real mistake was never the effort of the climb; it's stopping at p=none and mistaking monitoring for protection.
Let Marc do the heavy lifting
That sequence is exactly what Marc, the DMARC copilot, automates. He ingests your reports, names every sending source, generates the precise DNS to paste, scores your readiness on rolling data, and tells you the exact moment each step is safe — from p=none all the way to p=reject, without breaking a single legitimate email.
Analyze your domain free → or create an account to get started. Curious how whole sectors are doing? Browse the DMARC Observatory.
Related guides
- DMARC for banks: why financial brands are prime spoofing targets
Banks are among the most impersonated brands on earth — yet many still don't enforce DMARC. Why finance is a prime target, what the data shows, and how to fix it.
- Gmail and Yahoo's sender requirements, explained
Since 2024, Gmail and Yahoo require bulk senders to authenticate with SPF, DKIM and DMARC. Here's exactly what's required, who's affected, and how to comply.
- SPF, DKIM and DMARC: how the three work together
SPF, DKIM and DMARC are not competitors — they're three layers that stack. Here's what each one does, why alignment matters, and how they combine to stop spoofing.
