The Road to p=reject — A Phased DMARC Deployment Strategy
DMARC Analyzer Pro
Moving from p=none to p=reject doesn't have to be scary. Follow this phased approach to enforce DMARC without disrupting your legitimate email.
Reaching `p=reject` is the ultimate goal of any DMARC implementation, but getting there requires patience and careful planning. Jumping straight to reject without understanding your email ecosystem is a recipe for blocking your own legitimate messages.
Phase 1: Discovery (p=none)
Start with a `none` policy and focus exclusively on data collection. Publish your DMARC record with RUA reporting and let it run for at least four to six weeks. During this period, your goal is to build a complete picture of every service and server that sends email using your domain.
You'll discover things you didn't expect. The marketing team signed up for a new email tool without telling IT. A legacy application server is still sending notifications. A partner company is sending emails on your behalf through a shared platform. These discoveries are exactly why the monitoring phase exists.
Phase 2: Remediation
With your report data in hand, work through each legitimate sending source and ensure it's properly authenticated. Add missing services to your SPF record. Set up DKIM signing for every third-party sender that supports it. For services that don't support DKIM, evaluate whether they can be replaced or whether another way to get them aligned (for example, sending through your own relay) exists.
This phase often takes the longest because it involves coordination across departments and with external vendors. Don't rush it — every unresolved legitimate source is a message that will be blocked when you enforce.
Phase 3: Gradual enforcement (p=quarantine with pct)
Once your legitimate sources are authenticated, move to `p=quarantine` with a low `pct` value. The `pct` tag lets you apply your policy to only a percentage of failing messages. Start at `pct=5` and gradually increase it while monitoring your DMARC reports for any unexpected failures.
If failures appear, investigate and remediate before increasing the percentage. This incremental approach gives you a safety net — even if something was missed during the discovery phase, only a small fraction of messages will be affected.
Phase 4: Full quarantine
Once you've reached `pct=100` with `p=quarantine` and your reports show consistently clean results, let it run for another two to four weeks. This builds confidence that your configuration is solid.
Phase 5: Reject
The final step is moving from `quarantine` to `reject`. Again, you can use the `pct` tag to ease into it gradually. At `p=reject` with `pct=100`, receiving servers that honour DMARC will actively block any message that fails DMARC authentication — effectively preventing anyone from spoofing your exact domain in the From header.
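Phases 3 to 5 are all edits to the same TXT record, varying `p` and `pct`. The script below is an added example and not the article's own tooling; it parses and validates a DMARC record, generates the sequence of records the phased rollout publishes, and, for a given `p` and `pct`, works out how many failing messages a receiver applies each disposition to. The last function encodes a caveat the `pct` tag carries under RFC 7489 section 6.6.4 that is easy to miss: messages that are *not* selected by `pct` are not delivered normally but receive the next lower policy, so `p=reject; pct=25` means 25% rejected and 75% quarantined. The reporting address and the percentage steps are assumptions chosen for the example.

```python
# Valid values for the p tag, in order of strictness.
POLICIES = ("none", "quarantine", "reject")

# RFC 7489 s6.6.4: messages not sampled by pct get the next lower policy.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Assumed reporting mailbox for the example records.
RUA = "mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict of tags; raise ValueError if malformed.

    Checks the rules that matter for a rollout: v=DMARC1 must come first,
    p must be a known policy, and pct (default 100) must be 0..100.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)  # rua values contain '=' too, so split once
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p must be one of none, quarantine, reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = str(pct)
    return tags


def build_dmarc_record(p, pct=100, rua=RUA):
    """Render the record to publish at _dmarc.<domain>."""
    if p not in POLICIES:
        raise ValueError(f"unknown policy {p!r}")
    return f"v=DMARC1; p={p}; pct={pct}; rua={rua}"


def rollout_plan(quarantine_steps=(5, 25, 50, 100), reject_steps=(25, 50, 100)):
    """The phased sequence of records: discovery, gradual quarantine, then reject."""
    plan = [("phase 1: discovery", build_dmarc_record("none"))]
    for pct in quarantine_steps:
        plan.append((f"phase 3/4: quarantine pct={pct}", build_dmarc_record("quarantine", pct)))
    for pct in reject_steps:
        plan.append((f"phase 5: reject pct={pct}", build_dmarc_record("reject", pct)))
    return plan


def expected_dispositions(p, pct, failing_messages):
    """How a receiver distributes `failing_messages` under p/pct.

    Returns {disposition: count}. The unsampled remainder is downgraded one
    level rather than delivered, per RFC 7489 s6.6.4.
    """
    selected = failing_messages * pct // 100
    remainder = failing_messages - selected
    result = {p: selected}
    if remainder:
        lower = DOWNGRADE[p]
        result[lower] = result.get(lower, 0) + remainder
    return result


if __name__ == "__main__":
    for label, record in rollout_plan():
        tags = parse_dmarc_record(record)
        print(f"{label:32} {record}")
        print(f"{'':32} 100 failing msgs ->", expected_dispositions(tags["p"], int(tags["pct"]), 100))
```

Because of the downgrade rule, the very first reject step (`p=reject; pct=25`) is already stricter than `p=quarantine; pct=100` for every failing message: nothing slips through to the inbox, some of it is simply rejected outright. That is why the article's advice to sit at full quarantine with clean reports before touching `reject` matters.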
Ongoing maintenance
Reaching `p=reject` isn't the end of the journey. Your email ecosystem will continue to evolve as new services are added and old ones are retired. Continuous monitoring through DMARC reporting ensures you catch changes before they become problems.