How do you move from none → reject safely?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Don't jump straight to p=reject. Move in stages and watch your RUA reports at each step. The tool that makes this safe is the pct= tag: it controls what percentage of DMARC-failing messages actually get the policy applied. Use it.
Stage 1: p=none (monitor mode)
p=none means mailbox providers check your mail against DMARC but don't act on failures. You collect data in your RUA reports. Stay here until all your legitimate senders (your ESP, your transactional provider, your CRM) are showing consistent pass results. A few weeks of clean data is worth it.
Stage 2: p=quarantine, starting low
Once your reports look clean, move to:v=DMARC1; p=quarantine; pct=10; rua=mailto:you@yourdomain.com
That pct=10 means only 10% of DMARC-failing messages go to spam. The other 90% are still delivered as if you're on p=none. Watch the reports for a couple of weeks. If no one's complaining about missing email and authentication looks stable, bump to pct=25, then pct=50, then pct=100.
Stage 3: p=reject, same staged approach
At p=quarantine; pct=100 with clean reports, move to:v=DMARC1; p=reject; pct=10; rua=mailto:you@yourdomain.com
Reject means mailbox providers drop the message outright. That's what you want for spoofed mail. But if something you forgot to authenticate gets caught, it's gone. Same staged approach: start at pct=10, watch, increase gradually.
Going from p=none directly to p=reject; pct=100 in one change is how organizations accidentally block their own password reset emails. The pct= tag exists for exactly this process.
Our DMARC generator builds the exact record text for any stage of this rollout. If you hit unexpected failures mid-transition, the SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.