
The DMARC Rollout Playbook

Going from p=none to p=reject safely. The standard escalation path used by every mature email-security program. Skip steps and you risk bouncing legitimate mail; take them in order and the worst case is "some forwarded messages land in spam for a few days."

Estimated time: 3 weeks of elapsed time, 30 minutes of actual work spread across it

Why a Phased Rollout

DMARC has three enforcement levels: p=none (monitor only), p=quarantine (mark non-aligned mail as spam), and p=reject (refuse non-aligned mail outright). The first time you deploy DMARC, you almost never know everything that's sending mail as your domain.

Marketing platforms, CRM tools, transactional email services, calendar invites, mailing lists, and forwards from old aliases are all places where legitimate senders fail SPF or DKIM alignment without anyone noticing. At p=reject, every one of those bounces.

The phased rollout uses two weeks of p=none reports to discover every legitimate sender, then escalates only after you've fixed alignment for each one. Skip the phases and you're guessing.

1 Phase 1: Monitor (week 1, p=none)

Publish a DMARC record at _dmarc.yourdomain.com with policy set to none and a rua reporting mailbox. Receivers start sending you daily aggregate reports of every IP that sends as your domain.

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1"

Tag breakdown:
  • p=none — receivers report failures but take no action.
  • pct=100 — apply the policy to 100% of mail (only relevant once you escalate).
  • rua — daily aggregate reports. The data you'll use to make decisions.
  • ruf — per-message forensic reports on failures. Useful for the first month while you're tuning, drop it later if volume is high.
  • fo=1 — send a forensic report whenever either SPF or DKIM fails alignment, rather than only when both fail.

What to do during week 1:

  • Wait at least 24-48 hours for the first reports to arrive. Major receivers (Google, Yahoo, Microsoft) send reports daily; some smaller ones send weekly.
  • In PhishFence, watch the Sending Sources panel on the email-security page. Each row is one IP that's sent mail as your domain, with SPF and DKIM pass/fail.
  • For every legitimate sender that's failing alignment, fix it. Add their IP/include to your SPF record, set up DKIM signing if missing, or request that the vendor sign with your domain.
  • Mark known-good senders as such. Anything still failing after a week is either misconfigured (your problem) or a spoofer (their problem, your monitoring).

2 Phase 2: Quarantine (weeks 2-3, p=quarantine)

After 7+ days of clean rua reports (95%+ pass rate, no surprise senders), escalate to quarantine. Receivers now mark non-aligned mail as spam.

_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1"

Why quarantine before reject: the worst case at quarantine is "some forwarded mail lands in spam folders." The recipient can still find it, mark it not-spam, and move on. At reject, the same mail is bounced, and the recipient never sees it. Quarantine is the safety net; reject is the high wire.

What to do during weeks 2-3:

  • Watch the rua reports for the same data points: pass rate, new senders, alignment failures.
  • Ask anyone who normally sends or forwards mail through your domain to flag if anything they expect is missing. Your CEO's assistant is a good first canary.
  • Check your own spam folder for any legitimate forwards from external services. Common offenders: third-party ticketing (Intercom replies), event registrations, mailing list confirmations.
  • If a legitimate sender is failing, fix it (add SPF include, request DKIM signing) before moving to phase 3.
  • Keep pct=100. The old advice to ramp from pct=10 to pct=100 is overkill for small senders and adds two weeks of elapsed time for marginal gain.

3 Phase 3: Reject (week 4, p=reject)

After 14+ days at quarantine with a 99%+ pass rate and no spam-folder complaints, move to reject. Non-aligned mail is now refused outright.

_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1"

Reject is the hardest step to revert. Mail that fails alignment is bounced. The sender gets a non-delivery report; the recipient never knows the message existed. If a legitimate forwarder breaks at this step, you find out when somebody emails you to ask why their replies stopped working. Move only when the rua reports are bulletproof.

Final criteria before pulling the trigger:

  • 14+ days at p=quarantine with the policy actively enforced.
  • 99%+ DMARC pass rate over the last 14 days.
  • Zero unexpected senders in the rua reports for 7 straight days. ("Unexpected" means an IP you can't explain.)
  • You've reviewed your own spam folder and found nothing legitimate quarantined recently.
  • If your domain handles support email or anything user-facing where lost messages cause real problems, run a final test: send mail from a legitimate-but-edge-case sender and verify it lands.
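The Phase 2 and Phase 3 gates above (pass rate threshold, no unexpected failing senders, DKIM d= aligned with your domain) can be checked directly against a rua aggregate report. The following is an added example, not PhishFence code; the XML report, IPs and domains are constructed placeholders trimmed to the fields the check needs.

```python
import xml.etree.ElementTree as ET

# Constructed sample rua aggregate report (not a real receiver's report).
# 950 aligned messages from our own server, 40 from a SaaS tool signing with its
# own d=, and 10 from an IP we cannot explain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>marketing-tool.com</domain><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarize(report_xml):
    """Return (pass_rate, per_ip); per_ip maps IP -> (count, passed, misaligned DKIM d= values)."""
    root = ET.fromstring(report_xml)
    per_ip, total, passed = {}, 0, 0
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        # policy_evaluated already reflects alignment: DMARC passes if either aligned check passes.
        ok = "pass" in (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        header_from = rec.findtext("identifiers/header_from")
        # A d= that differs from header_from is the "CRM signing with its own domain" case.
        bad_d = [e.text for e in rec.findall("auth_results/dkim/domain") if e.text != header_from]
        c, p, ds = per_ip.get(ip, (0, 0, []))
        per_ip[ip] = (c + n, p + (n if ok else 0), ds + bad_d)
        total, passed = total + n, passed + (n if ok else 0)
    return (passed / total if total else 0.0), per_ip

def ready_to_escalate(report_xml, known_good_ips, threshold):
    """Playbook gate: pass rate >= threshold and every failing IP is one you can explain."""
    rate, per_ip = summarize(report_xml)
    unexpected = sorted(ip for ip, (c, p, _) in per_ip.items() if p < c and ip not in known_good_ips)
    return (rate >= threshold and not unexpected), rate, unexpected
```

Run the gate over every report in the window, not just one; a single day at 99% does not satisfy the 14-day criterion.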

Common Problems

Forwarded mail is failing

When a message is auto-forwarded from User A's address to User B at a different provider, User B's provider sees it arriving from the forwarding server while the From: header still names the original sender's domain. If that domain is yours, the forwarding server's IP isn't in your SPF record, so SPF fails. DKIM may also fail if the forwarder rewrites the message.

Solutions: ARC (Authenticated Received Chain) trust, where supported by both ends; or accept that forwarded mail will land in spam at quarantine and be bounced at reject. Most large mailbox providers handle ARC; small custom forwarding setups often don't.

Mailing lists are failing

Mailing list software typically resends your message from the list's own server and modifies it on the way (subject tag, footer, Reply-To pointing at the list so replies go back to the list rather than the original sender). The list's server isn't in your SPF record, and the modifications break your DKIM signature. Result: every mailing list post fails DMARC.

Solutions: use list software that supports From: rewriting (most modern ones, e.g. Mailman 3, do this automatically when DMARC is at quarantine or reject). Or if you control the list, configure it to add ARC headers.

Your CRM / marketing tool is failing

SaaS tools that send mail "on your behalf" usually need to be told to sign with your domain. Out of the box, the d= in their DKIM signature is their domain (e.g. d=marketing-tool.com), which fails alignment.

Solution: every reputable platform (Mailchimp, HubSpot, Resend, SendGrid, Customer.io) has a "DKIM your sending domain" setup flow. Find it, follow it, verify the d= is now your domain in the next rua report.

Final Checklist

Before declaring DMARC "done" on a domain:

  • Policy at p=reject with pct=100
  • SPF record published and ending in -all (hard fail), with at most 10 DNS lookups (the SPF limit; exceeding it makes receivers treat the record as a permanent error)
  • DKIM configured for every legitimate sending platform, signing with your domain
  • Rua reports flowing into a mailbox you check weekly
  • Optional but strongly recommended: MTA-STS + TLS-RPT for inbound mail; BIMI for outbound brand display
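The two SPF items on this checklist (terminating in -all, staying within the 10-lookup limit) can be linted offline. This is an added example, not PhishFence code; it resolves records from a constructed in-memory DNS fixture with placeholder domains, and the `resolve` callable is the one thing you swap for a real TXT lookup.

```python
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (ip4/ip6/all do not).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed fixture standing in for live TXT records (placeholder domains, no network).
FAKE_DNS = {
    "yourdomain.com": "v=spf1 include:_spf.mail-vendor.example include:crm-tool.example ip4:192.0.2.0/24 -all",
    "_spf.mail-vendor.example": "v=spf1 include:a.mail-vendor.example include:b.mail-vendor.example ~all",
    "a.mail-vendor.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "b.mail-vendor.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm-tool.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}

def spf_terms(record):
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    if not record or not record.lower().startswith("v=spf1"):
        return []
    return record.split()[1:]

def count_lookups(domain, resolve, seen=None):
    """Count lookup-inducing terms recursively, following include: and redirect= like a receiver."""
    seen = set() if seen is None else seen
    if domain in seen:          # loop guard; a real evaluator would also hit the 10-lookup limit
        return 0
    seen.add(domain)
    total = 0
    for term in spf_terms(resolve(domain)):
        name = term.lstrip("+-~?")                       # strip the qualifier
        sep = ":" if ":" in name else "="
        mech, _, arg = name.partition(sep)
        if mech.split("/")[0] in LOOKUP_TERMS:            # "a/24" and "mx/24" still cost one lookup
            total += 1
            if mech in ("include", "redirect"):
                total += count_lookups(arg, resolve, seen)
    return total

def lint_spf(domain, resolve):
    """Return the checklist verdict for one domain's SPF record."""
    terms = spf_terms(resolve(domain))
    lookups = count_lookups(domain, resolve)
    return {"hard_fail": bool(terms) and terms[-1] == "-all",
            "lookups": lookups, "within_limit": lookups <= 10}
```

With the fixture above, yourdomain.com costs 6 lookups: two direct includes, two nested includes, plus the a and mx mechanisms inside the vendor's record.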

How PhishFence helps with this rollout

Every domain you monitor gets its own email-security dashboard with the Journey strip and Recommended Next Action card. The dashboard tells you exactly when each domain is ready to escalate and gives you the new DNS record to publish, gated on the criteria in this guide. Stop guessing whether the rua data is good enough; the dashboard does the math.
