When Is It Safe to Set DMARC to p=reject?

p=reject is the point where spoofed mail should stop reaching inboxes. It is also the point where a forgotten newsletter tool can silently die. Safety is a data problem — not a calendar problem.

What “clean” means

You want aggregate XML showing only sources you can explain: your MX, Google or Microsoft, each ESP, each app. Random ASNs with volume need investigation before reject.

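Alignment matters more than a bare pass. SPF can pass for a Return-Path domain such as bounces.example.com while DMARC fails, because DMARC also requires the authenticated domain to align with the From: domain. Fix Return-Path and DKIM until alignment holds. Read the DMARC guide for the rollout ladder.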
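As an added example (not code from the original post), here is one way to check an aggregate report against a sender inventory while separating a raw SPF pass from a DMARC-aligned pass. The `KNOWN` inventory, the `min_volume` threshold and the sample report are constructed assumptions, and the parser assumes un-namespaced RFC 7489 XML.

```python
import xml.etree.ElementTree as ET  # reports are third-party input: prefer defusedxml in production
from collections import defaultdict

# Constructed sample (RFC 7489 aggregate schema, trimmed); IPs are documentation ranges.
SAMPLE = """<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>900</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>120</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>bounces.example.net</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>400</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

KNOWN = {"192.0.2.10": "own MX", "198.51.100.7": "newsletter ESP"}  # hypothetical inventory

def assess(xml_text, known, min_volume=50):
    """Return (ready, findings): ready is True only if every known source is
    DMARC-aligned and no unknown source sends at or above min_volume."""
    stats = defaultdict(lambda: {"total": 0, "aligned": 0, "spf_pass_unaligned": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the DMARC-aligned results; auth_results holds the raw ones
        pe = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        raw_spf = [r.text for r in rec.findall("auth_results/spf/result")]
        s = stats[ip]
        s["total"] += n
        if "pass" in pe:            # DMARC passes if either aligned check passes
            s["aligned"] += n
        elif "pass" in raw_spf:     # SPF passed, but not for the From: domain
            s["spf_pass_unaligned"] += n
    findings = []
    for ip, s in sorted(stats.items()):
        if ip not in known:
            if s["total"] >= min_volume:
                findings.append((ip, "unexplained source", s["total"]))
        elif s["aligned"] < s["total"]:
            why = "SPF passes but is unaligned" if s["spf_pass_unaligned"] else "fails DMARC"
            findings.append((ip, f"{known[ip]}: {why}", s["total"] - s["aligned"]))
    return not findings, findings

if __name__ == "__main__":
    ready, findings = assess(SAMPLE, KNOWN)
    print("safe to tighten:", ready)
    for f in findings:
        print(f)
```

On the constructed sample the ESP at 198.51.100.7 is the forgotten-sender case: its SPF result is pass, yet every message would be rejected at p=reject.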

Minimum window

Two weeks is a floor for simple stacks. Four to eight weeks is normal for enterprises. Acquisitions and seasonal tools extend the window.

Rollback plan

Keep screenshots of your DMARC TXT record. If reject causes legitimate loss, revert to quarantine or none, fix the sender, re-validate reports, then try again.

FAQ

How long should I wait before p=reject?

At least 2-4 weeks of reports showing all legitimate mail aligned — longer if you have many ESPs.

What must be true in reports?

No unexplained high-volume sources; SPF/DKIM pass and align for known senders.

Can I use pct to sample reject?

Yes — pct=25 then ramp; reduces blast radius if something breaks.

What if marketing uses a new ESP mid-rollout?

Pause policy changes until the new sender is aligned and visible in reports.

Where do I verify alignment?

DomainPreflight DMARC Report Analyzer and DNS Preflight for live DNS.