title: "The DMARC Enforcement Journey: How to Move from p=none to p=reject Without Breaking Your Email"
slug: "dmarc-enforcement-journey-none-to-reject-guide"
url: "/dmarc-enforcement-journey-none-to-reject-guide"
date: "2026-04-16"
author: "Mike Walton"
keywords:
- "DMARC enforcement"
- "p=none to p=reject"
- "DMARC policy"
- "email authentication enforcement"
- "DMARC quarantine"
tags:
- "Email Security"
- "DMARC"
- "Email Authentication"
- "Best Practices"
status: "draft"
The DMARC Enforcement Journey: How to Move from p=none to p=reject Without Breaking Your Email
By Mike Walton, Founder of CertMS
*After 20+ years managing IT infrastructure and email systems, I’ve guided dozens of organizations through DMARC enforcement. The ones who rush it break things. The ones who never move forward stay vulnerable. Here’s how to find the middle ground.*
You published your DMARC record months ago. You set it to p=none because every guide told you to start there. You’re collecting reports. Now what?
Here’s the uncomfortable truth: 57.9% of domains with DMARC stay stuck at p=none indefinitely. They set up monitoring and never enforce. Meanwhile, their domains remain completely unprotected from spoofing attacks.
A p=none policy tells receiving servers “check authentication, but don’t do anything about failures.” You’re gathering data, not blocking attackers.
This guide will show you exactly how to move from monitoring to enforcement without breaking your legitimate email in the process.
Why Enforcement Matters Now
The compliance landscape has fundamentally shifted. What was optional in 2023 became mandatory by 2025.
Google and Yahoo started requiring DMARC for bulk senders in February 2024. By November 2025, Google tightened enforcement further, moving from warnings to outright rejection of non-compliant emails.
Microsoft joined in May 2025, beginning to reject bulk email from domains without proper authentication.
And if you handle payment card data, PCI DSS 4.0 mandated DMARC implementation by March 31, 2025. Non-compliance can trigger penalties up to $100,000 per month.
But compliance is just the floor. The real benefits come from actual enforcement.
The Business Case for p=reject
According to EasyDMARC’s 2026 research, organizations that implemented a reject policy saw a 90% drop in spoofed email attempts compared to those using p=none.
A B2C retail company sending 45 million emails monthly moved to p=reject with full DKIM alignment. Spoof attempts dropped 93%, while promotional inbox placement rose from 86% to 92%—yielding a 6.4% lift in email-attributed revenue.
The numbers make sense. Fully authenticated domains are 2.7 times more likely to reach the inbox compared to unauthenticated ones. Organizations with proper enforcement consistently achieve 85-95% inbox placement rates.
And the threat landscape keeps getting worse. Gartner reports that business email compromise payments crossed $6 billion in 2024. The average cost of a phishing-related breach hit $4.88 million in 2025.
Your p=none policy isn’t protecting you from any of this.
Understanding the Three Policy Levels
Before we talk about moving between policies, let’s be clear about what each one actually does. We covered this in our complete DMARC guide, but here’s the enforcement-focused summary.
p=none (Monitoring)
The receiving server checks authentication but delivers all emails regardless of results. You receive reports showing pass/fail rates, but attackers spoofing your domain get delivered just like legitimate mail.
This policy exists for one purpose: gathering data before you enforce. It’s not a security measure. It’s a reconnaissance phase.
p=quarantine (Soft Enforcement)
Emails that fail DMARC go to the spam folder. Legitimate mail that’s properly authenticated gets delivered normally. Failed mail isn’t blocked—recipients can still find it if they check spam.
This is your testing phase. You’ll catch misconfigured services here before they become delivery failures.
p=reject (Full Enforcement)
Failed emails get blocked entirely. They don’t reach the inbox. They don’t reach spam. They simply don’t get delivered.
This is the goal. Only about 12.8% of domains globally enforce DMARC at this level. Among Fortune 500 companies, that number jumps to 62.7%. They understand what’s at stake.
The Realistic Timeline
How long does enforcement take? It depends on your email infrastructure complexity.
According to DMARCReport’s 2025 data, organizations that actively monitor reports move from p=none to p=reject in a median of 41 days. Those who ignore reports? They never make it.
Here’s a realistic breakdown for a typical mid-sized organization.
Phase 1: Monitoring (90-180 Days)
Ninety days is the absolute minimum. Most organizations need 120 to 180 days, especially those with multiple business units, acquisitions, or complex sending infrastructure.
During this phase you need to:
- Catalog every sending source. This sounds simple until you realize marketing uses three different platforms, sales has their own CRM, support runs a separate ticketing system, and someone in accounting sends invoices through a tool nobody told IT about.
- Configure SPF and DKIM for each source. Every service needs proper SPF authorization and DKIM signing with your domain—not theirs.
- Review reports regularly. Those XML files piling up in your inbox contain critical intelligence. If you’re not reading your DMARC reports, you’re guessing.
Key milestone before moving forward: Don’t advance until you’ve identified every legitimate sending source and can demonstrate a consistent alignment rate above 95% for at least 30 days.
Phase 2: Quarantine (90-120 Days)
This is where most people mess up. They jump straight from p=none to p=quarantine at 100%—and break things.
Instead, use the pct tag to ramp gradually. According to the Global Cyber Alliance, organizations that use percentage-based ramp-ups experience 60% fewer delivery disruptions compared to those that jump directly to full quarantine.
Here’s the ramp schedule I recommend:
Week 1-2: p=quarantine; pct=10
Only 10% of failing emails get quarantined. Watch your reports closely.
Week 3-5: p=quarantine; pct=25
Increase to 25%. Check for any new failures that weren’t visible at 10%.
Week 6-8: p=quarantine; pct=50
Half of failures now quarantine. This is usually where forgotten services surface.
Week 9-11: p=quarantine; pct=75
The majority of failures now go to spam. Monitor for complaints.
Week 12+: p=quarantine; pct=100
Full quarantine enforcement. Run here for at least 30 days before moving to reject.
Each step gives you time to catch newly discovered senders or alignment issues before they affect a larger share of your mail flow.
Phase 3: Reject (The Goal)
Before making this change, confirm your quarantine phase at pct=100 has run cleanly for at least 30 days with no legitimate mail failures.
Pay special attention to low-volume senders. That HR tool that only sends during open enrollment? The finance system that emails quarterly reports? These sporadic senders won’t appear in daily reports but will break spectacularly if misconfigured.
Once you’re confident, update to p=reject. Continue monitoring—your job isn’t done just because you reached enforcement.
The Five Mistakes That Break Enforcement
I’ve watched organizations fail at DMARC enforcement repeatedly. The same mistakes show up every time.
Mistake 1: Staying at p=none Forever
Threatcop’s research found that for many organizations, “once the initial DMARC setup is completed, that is where the process ends, leaving the domain completely vulnerable to being spoofed and impersonated.”
The p=none policy tells attackers exactly what they want to know: your domain can be spoofed without consequence. You’ve published a record saying “I check authentication but don’t enforce it.”
Set a firm deadline for enforcement. Mark it on the calendar. Hold someone accountable.
Mistake 2: Moving Too Fast
As Valimail notes, “Some organizations rush to apply a ‘reject’ policy without first reviewing reports or confirming that all mail sources are properly aligned.”
I’ve seen companies jump to p=reject on day one. Within hours, their sales team can’t send proposals. Customer notifications bounce. Executive emails get blocked.
The cleanup takes longer than a proper phased rollout would have. Use the timeline. Follow the process.
Mistake 3: Ignoring Third-Party Services
Your marketing automation platform. Your CRM. Your support desk. That webinar tool someone signed up for last month.
According to DMARC Report, third-party vendors commonly “pass SPF, but not SPF alignment. And it’s the same with DKIM—3rd party vendors can pass DKIM, but not DKIM alignment.”
The service authenticates fine against their own domain. But your recipients see your domain in the From address. Alignment fails. DMARC fails.
Every external service needs configuration to sign with your domain, not theirs.
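The report review from Phase 1 and the alignment failure described in Mistake 3, as an added example that is not part of the original article or any vendor's tooling: it parses an aggregate report, computes the alignment rate used for the 95% milestone, and separates senders that authenticate only for their own domain from senders that do not authenticate at all. The IPs, domains, counts and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows, not real report data: source_ip, count, aligned DKIM,
# aligned SPF, then the raw DKIM and SPF domain/result pairs from auth_results.
ROWS = [
    ("192.0.2.10", 940, "pass", "pass", "example.com", "pass", "example.com", "pass"),
    ("198.51.100.7", 50, "fail", "fail",
     "vendor.example.net", "pass", "bounce.vendor.example.net", "pass"),
    ("203.0.113.99", 10, "fail", "fail",
     "spoof.example.org", "fail", "spoof.example.org", "fail"),
]
RECORD = (
    "<record><row><source_ip>{}</source_ip><count>{}</count>"
    "<policy_evaluated><dkim>{}</dkim><spf>{}</spf></policy_evaluated></row>"
    "<identifiers><header_from>example.com</header_from></identifiers>"
    "<auth_results><dkim><domain>{}</domain><result>{}</result></dkim>"
    "<spf><domain>{}</domain><result>{}</result></spf></auth_results></record>"
)
SAMPLE_REPORT = "<feedback>" + "".join(RECORD.format(*r) for r in ROWS) + "</feedback>"


def analyze(report_xml):
    """Return (alignment_rate, findings) for one aggregate report."""
    total = passed = 0
    findings = []
    # Reports are untrusted third-party XML: prefer defusedxml in production.
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        aligned = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        # Domains that authenticated at all, aligned with header_from or not.
        raw_pass = [a.findtext("domain") for a in rec.iterfind("auth_results/*")
                    if a.findtext("result") == "pass"]
        total += count
        if "pass" in aligned:  # DMARC needs only one aligned pass
            passed += count
            status = "aligned"
        elif raw_pass:  # vendor signs with its own domain, not yours
            status = "authenticated-but-unaligned"
        else:  # spoofing candidate or broken source
            status = "unauthenticated"
        findings.append((ip, status, count, raw_pass))
    return (passed / total if total else 0.0), findings


def ready_for_quarantine(rate, threshold=0.95):
    """Alignment rate above 95%; the 30-day window is not modeled here."""
    return rate > threshold
```

On the constructed sample, the vendor at 198.51.100.7 is the case to fix before raising the policy: its mail authenticates, but only for the vendor's own domains.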
Mistake 4: Not Watching Reports After Enforcement
As EasyDMARC explains, “DMARC only works as intended when setup is followed by regular oversight and updates. Many companies make the mistake of assuming that once the record is published, their job is done.”
New services get added. Existing vendors change their infrastructure. Marketing launches a campaign through a new platform without telling IT.
Post-enforcement monitoring is mandatory. Schedule quarterly reviews at minimum.
Mistake 5: SPF Record Problems
Your SPF record supports all this. If it breaks, everything breaks.
We covered this in detail previously, but the highlights: exceeding the 10 DNS lookup limit, syntax errors, missing third-party services, and overly permissive mechanisms all cause failures that cascade into DMARC failures.
Audit your SPF record before enforcement. Fix any issues first.
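One way to run that audit offline, as an added example that is not from the original article: it counts the lookup-causing terms across nested includes against the limit of 10 and flags a permissive `+all`, first on a weak record and then on a corrected one. The zone contents, the vendor domains and the function names are constructed for illustration.

```python
# Constructed TXT records standing in for DNS; every domain is hypothetical.
ZONE = {
    "yourdomain.com": "v=spf1 mx a include:_spf.mailer.example "
                      "include:_spf.crm.example include:_spf.helpdesk.example +all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "_spf.crm.example": "v=spf1 include:pool.crm.example exists:%{i}.bl.crm.example ~all",
    "pool.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 a mx ptr ~all",
}
# Constructed corrected record: unused mx/a dropped, helpdesk mail assumed moved
# to a subdomain with its own SPF record, +all replaced with -all.
ZONE_FIXED = dict(ZONE)
ZONE_FIXED["yourdomain.com"] = (
    "v=spf1 include:_spf.mailer.example include:_spf.crm.example -all")

# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms, following include/redirect recursively."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        name = term.lstrip("+-~?").lower().replace("=", ":", 1)
        mech, _, target = name.partition(":")
        mech = mech.split("/")[0]  # "a/24" -> "a"
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total


def audit_spf(domain, zone):
    """Return (lookup_count, issues) for the record published at domain."""
    terms = zone.get(domain, "").lower().split()
    lookups, issues = count_lookups(domain, zone), []
    if not terms or terms[0] != "v=spf1":
        issues.append("missing or malformed v=spf1 record")
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups, limit is 10 (permerror)")
    if "+all" in terms or "all" in terms:
        issues.append("+all authorizes every sender")
    return lookups, issues
```

The weak record looks short at the top level, but the vendors' nested includes push it to 14 lookups; the corrected record comes in at 8 with no findings.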
Handling Edge Cases
Some legitimate email will fail DMARC even with perfect configuration. Plan for these scenarios.
Email Forwarding
When someone forwards your email to another address, SPF breaks. The forwarding server’s IP isn’t in your SPF record. If DKIM survives the forward intact, you’re fine. If it doesn’t, DMARC fails.
As dmarcian notes, “Pay particular attention to forwarded mail, mailing lists, and any service that modifies message headers, since these commonly break alignment and need specific handling before you tighten policy.”
Solution: Ensure DKIM is properly configured for all sending sources. DKIM survives forwarding more reliably than SPF.
Mailing Lists
Mailing lists often modify messages—adding footers, changing subject lines, wrapping content. This breaks DKIM signatures.
Some lists support ARC (Authenticated Received Chain), which preserves authentication through modifications. For others, you may need to accept some failures from legitimate list subscriptions.
Legacy Systems
That ancient application server running Windows Server 2008 that sends invoice emails? It probably doesn’t support modern authentication.
Options: Route its email through a relay that can add proper authentication, migrate to a supported platform, or accept the failures and document the exception.
What Your DMARC Record Should Look Like
As you progress through enforcement, your DMARC record evolves.
Starting (Monitoring):
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Phase 2 (Beginning Quarantine):
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com
Phase 2 (Full Quarantine):
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Phase 3 (Full Enforcement):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com
Note the addition of ruf= in the final stage. While many providers don’t send forensic reports anymore, having the address configured gives you maximum visibility from those that do.
Monitoring Throughout the Journey
You can’t manage what you can’t measure. And raw XML files don’t scale.
MonitorDMARC transforms those unreadable aggregate reports into dashboards that actually make sense. You can see which sources are failing, track your alignment rate over time, and catch new unauthorized senders before they become problems.
The platform also monitors your DNS records for changes. If someone modifies your SPF, DKIM, or DMARC records—intentionally or not—you’ll know immediately.
This matters most during enforcement. A misconfigured DNS change during the quarantine phase could silently break legitimate email for days before anyone notices.
Post-Enforcement: You’re Not Done
Reaching p=reject is a milestone, not a finish line.
Ongoing Monitoring Requirements
- Weekly: Quick review of aggregate reports for anomalies
- Monthly: Detailed analysis of authentication rates by source
- Quarterly: Full audit of sending services against DNS configuration
What to Watch For
New unauthorized senders: Someone spoofing your domain will now fail loudly. Pay attention to high-volume failures from unknown IPs.
Legitimate services going rogue: Vendors change infrastructure. Their new sending IPs might not be in your SPF record. Their DKIM keys rotate. Stay on top of vendor communications.
Internal changes: New marketing campaigns, new tools, new business units. All of them potentially send email as your domain.
Continuous Improvement
Consider additional authentication improvements:
- BIMI implementation: Once you’re at p=reject, you qualify for BIMI. Display your brand logo next to authenticated emails.
- DKIM key rotation: Rotate your DKIM keys every 6 months for security hygiene.
- Subdomain policies: Implement separate DMARC policies for subdomains with different sending requirements.
The Real Cost of Waiting
Still on p=none? Every day you wait is another day attackers can send email as your domain with zero consequences.
According to DMARCguard’s 2026 research, 46% of all emails fail DMARC validation. That’s nearly half of all email traffic operating in a gray zone where authentication exists but isn’t enforced.
Your customers receive phishing emails that look like they came from you. Your partners get spoofed invoices. Your brand reputation takes hits you never see directly.
Meanwhile, only 12.8% of domains globally enforce DMARC. The organizations that do stand out as trustworthy. Their emails get delivered. Their brand stays protected.
Getting Started
If you’re still at p=none, here’s your immediate action plan:
The path from p=none to p=reject isn’t complicated. It just requires attention, patience, and visibility into what’s actually happening with your email authentication.
MonitorDMARC gives you that visibility. Start your 14-day free trial (no credit card required) and see exactly where you stand on the enforcement journey. Those reports have been accumulating for months. It’s time to actually use them.
*Mike Walton is the founder of CertMS, a certificate management platform. He has 20+ years of experience in IT infrastructure and PKI management.*