Guide

How to Move from DMARC p=none to p=reject Safely

Moving from p=none to p=reject takes 4-8 weeks if you do it right. Rush it and you block legitimate email. Skip it and your domain stays unprotected indefinitely. Here's the exact sequence.

Updated

You already have a TXT on _dmarc. The question is whether you'll ever leave p=none. This roadmap pairs with the full DMARC guide, policy stages, and DMARC Report Analyzer. Check live DNS anytime on domainpreflight.dev.

Why Most Domains Never Leave p=none

The data is clear — roughly 40% of domains with DMARC are still at p=none. Most were set up under deadline pressure and never upgraded.

The reason is always the same: no clear next step. The record is live, the green tick is showing, and nothing is visibly broken. So nothing changes.

This page is the next step. Read why p=none still leaves you exposed.

The Complete Roadmap

Stage 1 — Monitoring (Week 1-2)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Goal: collect reports, identify all senders.

Stage 2 — Fix Alignment (Week 2-4)

Fix every failing sender in your reports. Use DomainPreflight DMARC Report Analyzer. See alignment and aggregate reports.

Stage 3 — Partial Enforcement (Week 4-5)

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

Goal: test enforcement on 10% of mail.

Stage 4 — Full Quarantine (Week 5-6)

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Goal: all failing mail goes to spam.

Stage 5 — Full Enforcement (Week 6-8)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Goal: all failing mail blocked. DMARC policy reference.

The Checklist — Before Each Stage

Before moving to p=quarantine:

Before moving to p=reject:

How to Read Your Reports

Paste your DMARC XML into DomainPreflight DMARC Report Analyzer.

Green rows = aligned, passing.

Orange rows = partial failure — fix before proceeding.

Red rows = both fail — investigate before proceeding.

If you see red rows from IPs you don't recognise — that's spoofing. That's exactly what p=reject will stop.

Fixing Alignment Failures

Most failures come from third-party senders using their own domain for Return-Path or DKIM.

Fix by provider:

See the DMARC provider fix guides for exact steps per provider.

After p=reject — What Changes

Spoofed emails from your domain are blocked before they reach inboxes. Legitimate email from aligned senders is completely unaffected.

You'll continue receiving aggregate reports. Check them monthly to catch any new senders that need alignment.

Tool: See your live policy before you change another tag.

Check your current DMARC policy →

Also read: DMARC policy · DMARC alignment · DMARC aggregate report · DMARC p=none · DMARC fixes · p=none problem · none vs quarantine vs reject · DMARC guide · DomainPreflight · DMARC Analyzer

Step by step

Step 1 Set p=none + rua= → collect reports for 2 weeks
Step 2 Open DMARC Report Analyzer → identify all failing senders
Step 3 Fix alignment for every failing sender
Step 4 Move to p=quarantine pct=10 → monitor for 1 week
Step 5 Move to p=quarantine pct=100 → monitor for 1 week
Step 6 Move to p=reject → full enforcement active

FAQ

How long does it take to safely reach p=reject?

4-8 weeks if you follow the roadmap. 2 weeks at p=none, fix alignment failures, 1-2 weeks at quarantine, then reject.

What if I rush straight to p=reject?

Legitimate email from unaligned senders gets blocked. Fix all alignment failures first — then p=reject is safe.

How do I know when it's safe to move to the next stage?

Your DMARC aggregate reports must show 95%+ pass rate before moving to quarantine, 99%+ before p=reject. Use DMARC Report Analyzer to check.

Do I need to stay at quarantine before reject?

Yes — quarantine is the safety net. It catches legitimate email that somehow slips through so you can fix it before p=reject blocks it.

What happens to spoofed emails after p=reject?

They are rejected before reaching the inbox. The sending server receives a 550 rejection. You see the attempt in your aggregate reports.

← All learning guides

Open DomainPreflight →