Ramping up to p=reject without breaking real mail
Going from p=none to p=reject in one step will bounce real customer mail. The right ramp is observe, fix gaps, escalate gradually — typically 6-12 weeks for a domain with multiple senders.
TL;DR
1. Stay at p=none for at least 14 days, collect aggregate reports, identify every legitimate sender.
2. Move to p=quarantine with pct=10, watch for breakage, ramp the pct over weeks.
3. Only go to p=reject when the 7-day pass rate is above ~98% for two consecutive weeks.
What it does
DMARC enforcement is a one-way ratchet — once you publish p=reject and a major receiver caches it, every misconfigured sender immediately bounces. The ramp protects you from your own ESPs, CRMs, and shadow IT.
The right discipline is data-driven: never escalate without aggregate reports backing the decision. The numbers will surface senders you forgot about (the calendar invites from a long-departed admin's personal Gmail, the legacy CRM sending from a static IP no one re-pointed to your new sender).
How it works
1. Week 0-2: publish p=none + rua. Watch aggregate reports. Make a list of every source IP and which system claims to be sending from it.
2. Week 2-4: fix gaps — add missing senders to SPF, enable DKIM CNAME delegation for every ESP, get the pass rate above 95%.
3. Week 4: move to p=quarantine pct=10. Watch for support tickets about mail in spam.
4. Week 4-8: ramp pct: 10 → 25 → 50 → 100. Each step requires 7 days of stable data.
5. Week 8: move to p=reject pct=100. Done — you're now spoof-resistant.
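The ramp above as an added example (not tooling from the original page): a small Python check that parses a constructed rua aggregate report, computes the aligned pass rate and the sources that still fail, and recommends the next policy step using this guide's thresholds. The reporting address and source IPs are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample rua report (RFC 7489 Appendix C shape, trimmed to the
# fields used here): an aligned-pass source, a DKIM-fail/SPF-pass source
# that still passes DMARC, and a forgotten sender that fails both.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>970</count><policy_evaluated>
<dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>20</count><policy_evaluated>
<dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.5</source_ip><count>10</count><policy_evaluated>
<dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

PCT_RAMP = [10, 25, 50, 100]              # the page's quarantine ramp
RUA = "mailto:dmarc-reports@example.com"  # placeholder reporting address

def pass_rate(report_xml):
    """Return (dmarc_pass_rate, failing) where failing maps source IP to the
    count of messages that passed neither aligned DKIM nor aligned SPF."""
    passed = total = 0
    failing = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        n = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        total += n
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            passed += n
        else:
            failing[row.findtext("source_ip")] += n
    return (passed / total if total else 0.0), dict(failing)

def next_step(p, pct, weekly_rates):
    """Recommend (p, pct) for the next change from the 7-day pass rates
    observed since the last change (oldest first); unchanged means hold."""
    def two_ok(floor):  # two consecutive weekly reports at or above floor
        return len(weekly_rates) >= 2 and min(weekly_rates[-2:]) >= floor
    if p == "none" and two_ok(0.95):           # >=14 days at none, gaps fixed
        return "quarantine", PCT_RAMP[0]
    if p == "quarantine" and pct < 100 and weekly_rates and weekly_rates[-1] >= 0.95:
        return "quarantine", next(v for v in PCT_RAMP if v > pct)  # 7 stable days per step
    if p == "quarantine" and pct == 100 and two_ok(0.98):
        return "reject", 100                   # ~98% for two consecutive weeks
    return p, pct                              # hold, and keep reading rua

def record(p, pct):
    """Render the DMARC TXT record for a step (rua stays on at every stage)."""
    return f"v=DMARC1; p={p}; pct={pct}; rua={RUA}"
```

Feed it one parsed report per week; a source that shows up in `failing` with real volume is the forgotten CRM or admin mailbox the text warns about, and it should be fixed before the next `next_step` call is allowed to escalate.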
Common pitfalls
- Jumping from p=none directly to p=reject. Guarantees bouncing real mail.
- Setting pct=10 once and forgetting to ramp it. A domain stuck at pct=10 indefinitely is 90% unprotected.
- Not monitoring after p=reject. You still need ongoing rua reports — new ESPs get added, sender IPs change, DKIM keys rotate.
- Forgetting subdomains. Without sp=, subdomains inherit the parent policy — sometimes that's wrong (e.g. a transactional subdomain that genuinely sends from many places).