How-to DMARC

Ramping up to p=reject without breaking real mail

Going from p=none to p=reject in one step will bounce real customer mail. The right ramp is observe, fix gaps, escalate gradually. Typically 6-12 weeks for a domain with multiple senders.

TL;DR

  1. Stay at p=none for at least 14 days, collect aggregate reports, identify every legitimate sender.
  2. Move to p=quarantine, optionally publishing it in test mode (t=y) first so receivers report without enforcing, then drop t=y to enforce. Watch for breakage at each step.
  3. Only go to p=reject when every legitimate sender you've identified is aligned and passing (the tool's gate is ~98% of KNOWN-sender mail for two consecutive weeks); the only failures left should be unknown or spoofed sources.


What it does

DMARC enforcement is a one-way ratchet. Once you publish p=reject and a major receiver caches it, every misconfigured sender immediately bounces. The ramp protects you from your own ESPs, CRMs, and shadow IT.

The right discipline is data-driven: never escalate without aggregate reports backing the decision. The numbers will surface senders you forgot about (the calendar invites from a long-departed admin's personal Gmail, the legacy CRM sending from a static IP no one re-pointed to your new sender).

How it works

  1. Week 0-2: publish p=none + rua. Watch aggregate reports. Make a list of every source IP and which system or vendor claims to be sending from it.

  2. Week 2-4: fix gaps. Add missing senders to SPF, enable DKIM CNAME delegation for every ESP, get your known senders aligned (about 95% of known-sender mail passing).

  3. Week 4: publish p=quarantine; t=y. This is DMARCbis test mode: receivers report on the new policy but still deliver normally, so you get a dry run with no risk. Watch the reports for any sender that starts failing.

  4. Week 5: drop t=y to start enforcing p=quarantine. Watch for support tickets about mail landing in spam, and wait for 7 days of stable report data before moving on.

  5. Week 8: move to p=reject. Done. You're now spoof-resistant.
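The escalation decision above rests on the aggregate (rua) reports: count only mail from senders you have already identified, and require the known-sender pass rate to hold at the ~98% gate for two consecutive weekly reports. The Python below is an added example, not the tool's own code: it parses the RFC 7489 aggregate-report XML shape, classifies each row against a hand-maintained list of known sender networks, and applies that gate. The known-sender networks, the three weekly reports and their counts are constructed sample data using documentation address ranges; `make_report` only exists to build that sample.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Known legitimate senders, built up during the p=none observation weeks.
# Constructed values using documentation address ranges (RFC 5737).
KNOWN_SENDERS = {
    "corporate MTA": ipaddress.ip_network("192.0.2.0/24"),
    "marketing ESP": ipaddress.ip_network("198.51.100.7/32"),
}


def parse_report(xml_text):
    """Return (source_ip, count, dmarc_pass) for each <record> of an aggregate report.
    DMARC passes when the receiver's aligned DKIM or aligned SPF evaluation passed."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        rows.append((row.findtext("source_ip"), int(row.findtext("count")), passed))
    return rows


def classify(rows, known=KNOWN_SENDERS):
    """Split rows into known-sender pass/total counts and unknown-source volume.
    Unknown sources are excluded from the gate: after the fix phase they are
    the spoofed or forgotten senders the policy is meant to stop."""
    known_pass = known_total = unknown_total = 0
    for ip, count, passed in rows:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in known.values()):
            known_total += count
            known_pass += count if passed else 0
        else:
            unknown_total += count
    return known_pass, known_total, unknown_total


def known_pass_rate(xml_text):
    """Fraction of known-sender mail that passed DMARC in one report."""
    known_pass, known_total, _ = classify(parse_report(xml_text))
    return known_pass / known_total if known_total else 0.0


def ready_for_reject(weekly_rates, threshold=0.98, consecutive=2):
    """The article's gate: known-sender pass rate at or above the threshold
    for the last `consecutive` weekly reports."""
    if len(weekly_rates) < consecutive:
        return False
    return all(rate >= threshold for rate in weekly_rates[-consecutive:])


def make_report(rows):
    """Build a minimal aggregate report in the RFC 7489 Appendix C shape.
    Constructed test data only; real reports arrive zipped at the rua address."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
        f"<spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>example.com</header_from></identifiers></record>"
        for ip, n, dkim, spf in rows)
    return ("<feedback><report_metadata><org_name>receiver.example</org_name>"
            "</report_metadata><policy_published><domain>example.com</domain>"
            f"<p>none</p></policy_published>{records}</feedback>")


# Three constructed weekly reports covering the ramp.
WEEKLY_REPORTS = [
    make_report([("192.0.2.10", 900, "pass", "pass"),    # corporate MTA, aligned
                 ("198.51.100.7", 60, "fail", "fail"),    # ESP before DKIM delegation
                 ("203.0.113.99", 500, "fail", "fail")]), # unknown source, ignored by the gate
    make_report([("192.0.2.10", 900, "pass", "pass"),
                 ("198.51.100.7", 60, "pass", "fail"),    # ESP now DKIM-aligned
                 ("203.0.113.99", 450, "fail", "fail")]),
    make_report([("192.0.2.10", 900, "pass", "pass"),
                 ("198.51.100.7", 55, "pass", "fail"),
                 ("198.51.100.7", 5, "fail", "fail"),     # a few stragglers
                 ("203.0.113.99", 300, "fail", "fail")]),
]

if __name__ == "__main__":
    rates = [known_pass_rate(report) for report in WEEKLY_REPORTS]
    for week, rate in enumerate(rates, 1):
        print(f"week {week}: known-sender pass rate {rate:.2%}")
    print("ready for p=reject:", ready_for_reject(rates))
```

Week 1 sits at 93.75% (the ESP is not yet aligned) and blocks escalation even though weeks 2 and 3 clear the gate; only once the last two reports are both above 98% does `ready_for_reject` return true. The 500 failing messages from the unknown address never enter the rate, which is the point: p=reject is supposed to bounce those.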

Common pitfalls

  • Jumping from p=none directly to p=reject. Guarantees bouncing real mail.

  • Leaving t=y on and thinking you're fully enforcing. Test mode makes receivers apply the next-lower policy, so a domain at p=reject; t=y is only quarantining, not rejecting. Remove t=y (or set t=n) once reports are clean. The old pct tag that used to ramp enforcement was removed in DMARCbis.

  • Not monitoring after p=reject. You still need ongoing rua reports. New ESPs get added, sender IPs change, DKIM keys rotate.

  • Forgetting subdomains. Without sp=, subdomains inherit the parent policy. Sometimes that's wrong (e.g. a transactional subdomain that genuinely sends from many places).
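The t=y and sp= pitfalls both come down to the gap between the policy you typed and the policy a receiver actually applies. The Python below is an added example, not the tool's own code: it parses a DMARC TXT record, derives the effective policy for the organizational domain and for a subdomain (sp= when present, otherwise inherited from p=; then one step down when t=y, as the article describes DMARCbis test mode), and lints the ramp records for the pitfalls listed above. The four ramp records and the rua address are constructed; the assumption that t=y also downgrades an explicit sp= policy is mine.

```python
# One-step downgrade applied by receivers when t=y is present (DMARCbis test mode,
# as described above). Assumed here to apply after the sp=/p= choice is made.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record's tag=value pairs into a dict, tolerating stray whitespace."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def effective_policy(record_txt, is_subdomain=False):
    """Policy a receiver applies to mail from the domain (or one of its subdomains)."""
    tags = parse_dmarc_record(record_txt)
    policy = tags.get("p", "none")
    if is_subdomain and "sp" in tags:      # without sp=, subdomains inherit p=
        policy = tags["sp"]
    if tags.get("t", "n").lower() == "y":  # test mode: one step less strict
        policy = DOWNGRADE[policy]
    return policy


def ramp_warnings(record_txt):
    """Flag the pitfalls from the article for a record you are about to publish."""
    tags = parse_dmarc_record(record_txt)
    requested = tags.get("p", "none")
    effective = effective_policy(record_txt)
    warnings = []
    if effective != requested:
        warnings.append(f"t=y present: receivers apply {effective}, not {requested}")
    if "rua" not in tags:
        warnings.append("no rua=: no aggregate reports to monitor after enforcement")
    if "pct" in tags:
        warnings.append("pct= was removed in DMARCbis; use t=y for the dry run instead")
    if "sp" not in tags:
        warnings.append(f"no sp=: subdomains inherit p={requested}")
    return warnings


# Constructed records for each stage of the ramp; the rua address is a placeholder.
RUA = "rua=mailto:dmarc-rua@example.com"
RAMP = {
    "week 0-2 observe":            f"v=DMARC1; p=none; {RUA}",
    "week 4 dry run":              f"v=DMARC1; p=quarantine; t=y; {RUA}",
    "week 5 enforce quarantine":   f"v=DMARC1; p=quarantine; {RUA}",
    "week 8 reject":               f"v=DMARC1; p=reject; {RUA}",
}

if __name__ == "__main__":
    for stage, record in RAMP.items():
        print(f"{stage:28} effective={effective_policy(record):10} {ramp_warnings(record)}")
    stuck = f"v=DMARC1; p=reject; t=y; {RUA}"   # pitfall: t=y left on
    print("p=reject; t=y ->", effective_policy(stuck), ramp_warnings(stuck))
```

The dry-run record in week 4 evaluates to an effective policy of none, which is exactly why it is safe; the same t=y left on a p=reject record silently leaves you at quarantine, and `ramp_warnings` reports that mismatch before you publish.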