
How to get to p=reject without breaking email

By Thomas · virtual CISO · 2026-06-16

Most domains publish a DMARC record, set it to p=none, and never move again. But monitoring forever protects no one: spoofed mail still reaches inboxes, because p=none tells receivers to do nothing on failure. The real goal is p=reject, where forged mail in your name is refused outright. Getting there without blocking your own legitimate mail isn't about courage — it's about method. This guide lays out that method, step by step.

If DMARC itself is new to you, start with what is DMARC; if the SPF/DKIM/alignment relationship is fuzzy, read how the three work together first. Everything below assumes those basics.

Why domains stall at p=none

The reason is fear, and it's rational. Organizations send mail from far more places than they realize — the marketing platform, the CRM, the billing system, the help desk, the HR tool, and that one app a team set up two years ago without telling IT. Tighten the policy before each of those is authenticated and aligned, and you risk sending your own invoices and password resets to spam. So the record sits at p=none indefinitely, monitoring while spoofers operate freely. The way out is to replace fear with data — which is exactly what the reports give you.

Step 1: Publish p=none and collect reports

Start in observation mode. Publish a DMARC record with p=none and a rua= address so receivers send you daily aggregate reports. Nothing about your mail flow changes; you simply start seeing who sends in your name. Let reports accumulate for a few weeks so you capture monthly senders (invoicing, statements) as well as daily ones. Learning to read those reports pays off immediately — see reading DMARC aggregate reports.

Step 2: Inventory every legitimate sender

The aggregate reports reveal every IP sending as your domain. Your job is to turn that list of addresses into a list of services: "that high-volume IP passing DKIM is our email platform; the one failing both is the CRM; this other one is a survey tool marketing forgot about." This inventory is the whole game — you cannot safely enforce a policy until you know, with confidence, who legitimately sends for you. Expect surprises; there are always a few sources nobody remembered.

Step 3: Align each legitimate source

For every legitimate sender, make sure it not only passes SPF or DKIM but aligns with your From: domain. In practice that usually means setting up DKIM signing with a branded domain (d=your-domain.com) on each platform, because third-party senders rarely align SPF. Work through the list until every real source shows an aligned pass in the reports. This is the bulk of the effort, and it's where most of the calendar time goes.

Step 4: Move to quarantine

When the reports show your legitimate sources all aligned, raise the policy to p=quarantine. Unauthenticated mail now goes to spam rather than the inbox — a real defense, but a reversible one if something slipped through. Historically, you'd stage this with the pct tag (pct=25, then 50, then 100) to apply the policy to a growing fraction of failing mail. DMARCbis (2026) removes pct in favor of a binary testing mode (the t=y tag) and a ramp driven by report observation rather than a percentage. In practice today: if your tooling and receivers still honor pct, you can use it through the transition; otherwise, move in short steps — a few days at quarantine, watching the reports — before going to reject.

Step 5: Move to reject

When quarantine runs clean — the only failing sources left are ones you don't recognize, i.e. spoofers — raise the policy to p=reject. Forged mail in your name is now refused at the door. Set your subdomain policy (sp) to match, so attackers can't simply pivot to a subdomain. You've reached enforcement.
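The five steps above boil down to a handful of tags in one TXT record. The following is an added example (not the post's or DMARC.com's tooling) that parses a DMARC record, flags the gaps the steps warn about for the rung it is on, and emits the record for the next rung; the records it is fed are constructed.

```python
"""Parse a DMARC TXT record and lint it against the none -> quarantine -> reject
ramp. Added example, not the post's own tooling; the records are constructed."""

RAMP = ["none", "quarantine", "reject"]

def parse_dmarc(txt):
    """RFC 7489 tag=value list, e.g. 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in RAMP:
        raise ValueError("need v=DMARC1 and p in none/quarantine/reject")
    return tags

def lint(txt):
    """Gaps a practitioner flags for the rung the record is on (Steps 1 to 5)."""
    tags = parse_dmarc(txt)
    p, sp = tags["p"], tags.get("sp", tags["p"])  # sp falls back to p when absent
    out = []
    if "rua" not in tags:
        out.append("no rua: no aggregate reports, so nothing to ramp on")
    if RAMP.index(sp) < RAMP.index(p):
        out.append(f"sp={sp} is weaker than p={p}: spoofers can pivot to a subdomain")
    if tags.get("np") != "reject":
        out.append("np is not reject: non-existent subdomains are a free win (DMARCbis)")
    if "pct" in tags:
        out.append("pct is gone in DMARCbis: drop it and ramp on report data instead")
    return out

def next_rung(txt):
    """Record for the next step: p and sp tighten together, pct is dropped."""
    tags = parse_dmarc(txt)
    i = RAMP.index(tags["p"])
    if i == len(RAMP) - 1:
        raise ValueError("already at p=reject")
    tags["p"] = tags["sp"] = RAMP[i + 1]
    tags.pop("pct", None)
    tags.setdefault("np", "reject")
    order = ["v", "p", "sp", "np", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"]
    rest = [k for k in tags if k not in order]
    return "; ".join(f"{k}={tags[k]}" for k in order + rest if k in tags)
```

Run `lint` on the current record before each move and `next_rung` only once the readiness signals further down are all met.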

DMARCbis: what changes for your policy ramp

Published in May 2026 (RFC 9989/9990/9991), DMARCbis modernizes the standard without making this path obsolete — the none → quarantine → reject sequence is still exactly right. Two new things are worth your attention during the ramp:

  • The np tag. It sets the policy for non-existent subdomains — a classic spoofing target, because an attacker can forge invoice.your-domain.com even if that subdomain doesn't exist. It's a fast, zero-risk win: set np=reject early, as soon as your root is healthy, since no legitimate mail comes from subdomains that don't exist.
  • pct → t and the DNS Tree Walk. pct is gone (see Step 4) and organizational-domain discovery no longer depends on the Public Suffix List but on a sequence of DNS queries (up to eight). Nothing to redo in your progression: your record stays valid — it's just a good moment to drop a now-useless pct.

How long does it take?

For a small domain with one or two senders, days. For a large organization with dozens of platforms across business units and regions, a few months is normal — most of it spent on Step 3, aligning sources, not on flipping the policy. The pace is set by how quickly you can get each platform configured, not by DMARC itself.

How to know you're ready to tighten

You don't have to guess the right moment; the reports tell you. Three concrete signals before you move up a rung:

  • All your known legitimate sources show an aligned pass across several days of reports — not once by chance, but steadily.
  • The only failing rows left are IPs you don't recognize, at low volume or in isolated spikes: the profile of a spoofer or a forwarder, not a business service.
  • No monthly sender is missing. Billing, statements, quarterly campaigns: wait until you've seen at least one full cycle before concluding your inventory is complete.

If all three boxes are ticked, the next step is safe. If not, stay where you are and fix the missing source first — tightening on an incomplete inventory is exactly what breaks legitimate mail. With DMARCbis, you can also set np=reject for non-existent subdomains right away, since no real mail comes from them — one less thing to wait on.
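The first two signals can be computed straight from the aggregate reports. The block below is an added example, not the post's own tooling: it parses a constructed RUA report (RFC 7489 schema) for an assumed domain example.com against an assumed Step 2 inventory, counts aligned passes per source, and returns whether the known sources are all aligned plus the unrecognized leftovers. The CRM row is a raw SPF pass on a bounce domain that still fails alignment, which is exactly the row a pass/fail-only reading would miss.

```python
"""Readiness check over DMARC aggregate (RUA) reports: added example, not the
post's own tooling. The report XML and the sender inventory are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RUA fragment (RFC 7489 schema), three sources on one day.
REPORT_XML = """<feedback><policy_published><domain>example.com</domain></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>1200</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.5</source_ip><count>300</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>crm-bounce.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.77</source_ip><count>3</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

# Assumed Step 2 inventory: source IP -> service. 192.0.2.77 is deliberately absent.
KNOWN = {"203.0.113.10": "email platform", "198.51.100.5": "CRM"}

def summarize(reports):
    """Per source IP: messages seen and messages with an aligned pass.
    Alignment is read from policy_evaluated (dkim or spf == pass); the raw
    auth_results SPF pass on the CRM row is ignored on purpose, because it is
    for a bounce domain that does not match the header From."""
    stats = defaultdict(lambda: {"total": 0, "aligned": 0})
    for xml in reports:
        for rec in ET.fromstring(xml).iter("record"):
            ip = rec.findtext("row/source_ip")
            n = int(rec.findtext("row/count"))
            pe = rec.find("row/policy_evaluated")
            aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
            stats[ip]["total"] += n
            stats[ip]["aligned"] += n if aligned else 0
    return dict(stats)

def readiness(reports, known=KNOWN):
    """Signals 1 and 2 from the list above over any number of daily reports:
    ready only if every known source is fully aligned. Signal 3 (a full monthly
    cycle observed) is a calendar check, so it is left to the operator."""
    stats = summarize(reports)
    unaligned = [known[ip] for ip, s in stats.items()
                 if ip in known and s["aligned"] < s["total"]]
    unknown = {ip: s["total"] for ip, s in stats.items() if ip not in known}
    return not unaligned, unaligned, unknown
```

Feed `readiness` the reports of several consecutive days rather than one, so a source that passes "once by chance" does not count as steady.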

Common pitfalls on the way

  • Tightening too early. The single most common way to break mail. Let the reports prove a source is aligned before you enforce against it.
  • Forgetting the envelope vs header distinction. A source can pass raw SPF yet fail DMARC because it isn't aligned. Always read alignment, not just pass/fail.
  • Leaving subdomains open. Enforce on the root but forget sp, and spoofers move to mail.your-domain.com.
  • Stopping at quarantine. It's progress, but spoofed mail still reaches the spam folder where some users dig it out. reject is the goal.

Why p=reject is worth the effort

Reaching enforcement is a real project, so it's fair to ask what it buys you beyond ticking a compliance box. Quite a lot, as it turns out:

  • Spoofing actually stops. This is the headline. At p=reject, a forged email using your exact domain in the From: is refused by receivers before it ever reaches a customer. Phishing that impersonates you simply stops being deliverable — not filtered, not flagged, but rejected outright.
  • Better deliverability for your real mail. Mailbox providers trust enforcing domains more. A domain at p=reject with clean alignment is a strong positive reputation signal, and your legitimate campaigns and transactional messages benefit from it every day.
  • Compliance, handled. Enforced DMARC satisfies the Gmail and Yahoo sender requirements with room to spare, and stands as a clear, auditable control to point to for frameworks like NIS2 and DORA.
  • The logo opportunity. Only enforcing domains can publish BIMI and display a verified logo in the inbox — a visible trust mark and a brand asset you cannot unlock any other way.
  • Peace of mind that lasts. Once you're at reject with monitoring still in place, any new unauthorized sender shows up in your reports instead of in your customers' inboxes. The hard part is the climb; staying there is mostly watching the reports stay clean.

Set against the cost of a single successful impersonation — fraud losses, support overload, lasting brand damage — the few weeks of alignment work pay for themselves quickly. The real mistake was never the effort of the climb; it's stopping at p=none and mistaking monitoring for protection.

Let Thomas do the heavy lifting

That sequence is exactly what Thomas, your virtual CISO, automates. He ingests your reports, names every sending source, generates the precise DNS to paste (DMARCbis tags included), scores your readiness on rolling data, and tells you the exact moment each step is safe — from p=none all the way to p=reject, without breaking a single legitimate email.



About the author

Thomas is the virtual CISO of DMARC.com: a copilot specialized in email authentication that walks organizations from p=none to p=reject without breaking their mail. His guides draw on real data from the DMARC Observatory and the RUA reports the platform analyzes.