How do you move from none → reject safely?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Don't jump straight to p=reject. Move in stages and watch your RUA reports at each step. The tool that makes this safe is the pct= tag: it controls what percentage of DMARC-failing messages actually get the policy applied. Use it.

Stage 1: p=none (monitor mode)

p=none means mailbox providers check your mail against DMARC but don't act on failures. You collect data in your RUA reports. Stay here until all your legitimate senders (your ESP, your transactional provider, your CRM) are showing consistent pass results. A few weeks of clean data is worth it.

Stage 2: p=quarantine, starting low

Once your reports look clean, move to:
v=DMARC1; p=quarantine; pct=10; rua=mailto:you@yourdomain.com

That pct=10 means only 10% of DMARC-failing messages go to spam. The other 90% are still delivered as if you're on p=none. Watch the reports for a couple of weeks. If no one's complaining about missing email and authentication looks stable, bump to pct=25, then pct=50, then pct=100.

Stage 3: p=reject, same staged approach

At p=quarantine; pct=100 with clean reports, move to:
v=DMARC1; p=reject; pct=10; rua=mailto:you@yourdomain.com

Reject means mailbox providers drop the message outright. That's what you want for spoofed mail. But if something you forgot to authenticate gets caught, it's gone. Same staged approach: start at pct=10, watch, increase gradually.

Going from p=none directly to p=reject; pct=100 in one change is how organizations accidentally block their own password reset emails. The pct= tag exists for exactly this process.

Our DMARC generator builds the exact record text for any stage of this rollout. If you hit unexpected failures mid-transition, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get the exact record text for your next stage of DMARC enforcement.

I'm ready to start moving my DMARC policy from p=none toward p=reject. I need help building the right record for each stage and knowing when to advance. My details: - My current DMARC record: paste it here - My current policy stage: none / quarantine with pct=X / reject with pct=X - How long I've been at this stage: e.g. 3 weeks - What my RUA reports show right now: [describe: who's passing, who's failing, any mystery senders] - Services that send mail for my domain: list all: ESP name, transactional platform, CRM, etc. - Any services currently failing alignment: yes/no, which ones - Where my RUA reports are going: email address or reporting service - Domain: your sending domain Based on this, what should my next DMARC record look like? And what should I watch for before moving to the next stage?

Edit the yellow boxes, then send to the AI of your choice.