How are DMARC enforcement requirements evolving?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you're sitting at p=none right now, you're not alone. That's where most senders started after Gmail and Yahoo Mail rolled out their bulk sender requirements in February 2024. But p=none was always meant to be a starting point, not a destination.

Here's the direction the industry is heading. The 2024 mandates required bulk senders to have DMARC at p=none as a minimum. That got millions of domains set up and collecting aggregate report data for the first time. The next step, which mailbox providers have signaled is coming, is expecting senders to move toward p=quarantine or p=reject. No firm global deadline exists yet, but Google has publicly indicated it plans to tighten expectations over time.

The practical timeline most senders should plan around looks something like this. Spend 30 to 60 days at p=none reviewing your aggregate reports. You're looking for any legitimate email streams that aren't passing SPF or DKIM. Third-party tools, forgotten subdomains, and old ESP integrations are the usual culprits. Fix those first. Then move to p=quarantine, which sends unauthenticated mail to spam instead of the inbox. Watch for another 30 days. When your pass rates are consistently clean, move to p=reject, which is the full enforcement mode that actively stops domain spoofing cold.

The risk of staying at p=none forever isn't just about future mandates. It means anyone can send email pretending to be your domain right now, and nothing stops it from reaching your customers' inboxes. That's a brand trust problem, not just a deliverability problem.

If you're unsure what your DMARC record currently says or what your aggregate reports are actually telling you, you can parse it quickly with our free DMARC parser. And if enforcement feels overwhelming, our SOS hotline is free, no pitch attached.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my DMARC migration plan

We're currently at DMARC p=none and collecting aggregate reports. Based on where enforcement is heading, help me build a realistic migration plan. What should I check in my aggregate reports before moving to p=quarantine? What failure modes should I watch for? And what's a safe timeline to reach p=reject without breaking legitimate email streams?

Edit the yellow boxes, then send to the AI of your choice.