DMARC From p=none to p=reject, Safely

DMARC ties SPF and DKIM together and tells receiving servers what to do with mail that fails both: monitor it (none), send it to spam (quarantine), or refuse it (reject). Since 2024, the major mailbox providers require bulk senders to have DMARC at all, and a domain sitting at p=none forever gets little of DMARC's protection against spoofing. But jumping straight to p=reject is how companies accidentally block their own invoices. The safe path is a gradual one, and it looks like this.

Phase 1: Publish p=none and start collecting reports

Begin with a monitoring-only record. At your DNS host (on Porkbun: Domain Management, then DNS; on Cloudflare: the DNS tab), add a TXT record with the host _dmarc and a value like: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.

The p=none part means receivers change nothing about delivery. The rua part is the important bit: it asks every major receiver to send you daily aggregate reports listing which servers sent mail as your domain and whether that mail passed SPF and DKIM. Nothing breaks at this stage, you are only turning the lights on. Prerequisite check: make sure SPF and DKIM are already set up first, because DMARC evaluates them and cannot pass without at least one of them.

Phase 2: Read the reports and fix every legitimate failure

Let reports accumulate for two to four weeks, longer if you send monthly newsletters or seasonal campaigns that need a full cycle to show up. The raw reports are XML files, which are unpleasant to read by hand, so a free DMARC report viewer is worth using here.

You are looking for one thing: legitimate mail that fails. Common finds include a newsletter tool that was never added to SPF, an old billing system signing with an expired DKIM key, or a regional office sending through a relay nobody documented. For each real sender you find, fix its SPF include or its DKIM record until the reports show it passing. Anything left failing after that is either forwarded mail (which often breaks SPF and is normal) or someone spoofing your domain, which is exactly what the next phases will shut down.

Phase 3: Tighten to quarantine, gradually

Once reports show your legitimate mail passing consistently, edit the record to: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com. Quarantine means failing mail goes to spam rather than being refused, and pct=25 applies the policy to only a quarter of failing messages, a built-in safety valve.

Hold for a week or two, keep reading reports, and confirm nothing legitimate started landing in spam. Then raise pct in steps, 50, then 100, watching reports at each step. If something real breaks, drop the percentage back down, fix the sender, and resume. This staged ramp is the whole trick: you get enforcement benefits early while keeping any mistake small and reversible.

Phase 4: Move to p=reject and keep watching

When quarantine at pct=100 has run cleanly for a few weeks, make the final change: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com. Now mail that fails DMARC is refused outright, and spoofing your domain stops working, which protects both your customers and your sender reputation.

Do not delete the rua address afterward. Reports remain your early warning system when someone adds a new sending tool next year and forgets the DNS work. A quick way to confirm where your domain stands today, including whether your DMARC policy is none, quarantine or reject, is Sieve's free grade tool at sievemails.com/grade, which reads your public DNS and grades the whole setup A to F.

Where does your domain stand?

Grade your MX, SPF, DKIM, DMARC and blacklist status A to F in seconds. No signup needed.

Check your domain free

Frequently asked questions

What is the difference between p=none, p=quarantine and p=reject in DMARC?

They are the three actions a receiver takes when a message fails DMARC. p=none delivers the mail normally and only sends you reports, p=quarantine sends failing mail to the spam folder, and p=reject refuses it entirely. Domains typically start at none to gather data, then move through quarantine to reject once legitimate mail reliably passes.

How long should I stay at p=none before enforcing DMARC?

Two to four weeks of report collection is a reasonable minimum, and longer if you have monthly or seasonal sending patterns that need a full cycle to appear in reports. The real gate is not time but evidence: move to quarantine only after your aggregate reports show every legitimate sending source passing SPF or DKIM consistently.

Can DMARC break my email forwarding?

Forwarding often breaks SPF because the forwarding server, not yours, delivers the message. DKIM usually survives forwarding intact, which is why DMARC passes if either check succeeds. Make sure DKIM is set up and passing before you enforce, and most ordinary forwarding will keep working under quarantine and reject.

Keep reading