
From p=none to p=reject: A Practical Enforcement Guide

Moving to DMARC enforcement is the highest-risk step in email security. This guide walks through the 5-phase approach that gets you to p=reject without breaking legitimate mail.

April 6, 2026 · 15 min read

Why organizations stall at p=none

67% of Global 2000 companies have DMARC records, but the majority are stuck at p=none — monitoring only, with no enforcement. The reason is fear: tightening the policy might block legitimate email from marketing platforms, CRM systems, ticketing tools, or partner organizations that send on your behalf.

This fear is justified. Without complete sender visibility, advancing to quarantine or reject is genuinely risky. The solution isn't to skip enforcement — it's to build confidence through systematic classification, simulation, and staged rollout.

The 5-phase enforcement timeline

  1. Monitor: p=none, 2-4 weeks
  2. Classify: senders, 1-2 weeks
  3. Simulate: impact analysis, 1 day
  4. Quarantine: p=quarantine, 2-4 weeks
  5. Reject: p=reject, protected

Phase 1: Monitor (2-4 weeks)

Publish a DMARC record at p=none with reporting enabled. Collect aggregate reports for at least 2 full weeks to capture all sending patterns (some systems only send weekly). During this phase, identify every IP address and domain that sends email using your domain.

Phase 2: Classify senders (1-2 weeks)

For every sender discovered in your aggregate reports, classify them as:

  • Authorized — legitimate services you control (marketing platform, CRM, ticketing)
  • Unknown — requires investigation (could be a department you didn't know about)
  • Unauthorized — spoofing attempts, forwarding artifacts, or retired services

For each authorized sender, verify SPF and DKIM alignment. Fix any gaps before proceeding — add missing SPF includes, configure DKIM signing, or switch to a sender that supports alignment.

Phase 3: Simulate (1 day)

Before changing a single DNS record, run an enforcement simulation. Replay your last 30 days of aggregate report data against the proposed policy (p=quarantine or p=reject) and see exactly which mail streams would be affected.

A good simulation shows you: the percentage of total email volume at risk, which specific senders would fail, and whether those senders are authorized (indicating a fixable alignment gap) or unauthorized (indicating the policy is working correctly).
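As an added example (not SpoofSentry's code), the Phase 3 replay in Python: it evaluates each row of a constructed aggregate report under the published alignment modes, counts a row as failing unless some DKIM or SPF result both passes and aligns, and labels every failing source using a hypothetical Phase 2 allowlist. The organizational-domain check is simplified to the last two labels.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample aggregate (RUA) report, not a real one: a marketing platform with aligned
# DKIM, a ticketing tool with unaligned SPF and no DKIM, and an unknown host failing both.
SAMPLE_RUA = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>900</count></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>mail.example.com</domain><result>pass</result></dkim>
<spf><domain>bounce.marketingvendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.20</source_ip><count>120</count></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>ticketvendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>300</count></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
<spf><domain>example.com</domain><result>softfail</result></spf></auth_results></record>
</feedback>"""
# Hypothetical Phase 2 outcome: source IPs you have confirmed as authorized senders.
AUTHORIZED_IPS = {"192.0.2.10", "192.0.2.20"}

def org_domain(name):
    # Simplified organizational domain (last two labels); real tools use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(domain, header_from, mode):
    # Identifier alignment: "s" needs an exact match, "r" only a shared organizational domain.
    if not domain:
        return False
    if mode == "s":
        return domain.lower() == header_from.lower()
    return org_domain(domain) == org_domain(header_from)

def simulate(rua_xml, authorized_ips):
    # Replay every row: DMARC passes only if some DKIM or SPF result is "pass" AND aligned.
    root = ET.fromstring(rua_xml)
    adkim, aspf = (root.findtext("policy_published/" + t, "r") for t in ("adkim", "aspf"))
    total, failing = 0, defaultdict(lambda: {"count": 0, "status": ""})
    for rec in root.iter("record"):
        ip, hfrom = rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from")
        count = int(rec.findtext("row/count"))
        total += count
        passes = any(ar.findtext("result") == "pass" and aligned(ar.findtext("domain"), hfrom, mode)
                     for tag, mode in (("dkim", adkim), ("spf", aspf))
                     for ar in rec.findall("auth_results/" + tag))
        if not passes:
            failing[ip]["count"] += count
            failing[ip]["status"] = "authorized: fix alignment" if ip in authorized_ips else "unauthorized: policy working"
    at_risk = sum(v["count"] for v in failing.values())
    return {"total": total, "at_risk_pct": round(100 * at_risk / total, 1), "failing": dict(failing)}
```

On the sample report, 31.8% of volume would be affected: the ticketing tool is an authorized sender with a fixable alignment gap, while the unknown host is exactly what the policy should stop.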

Phase 4: Quarantine (2-4 weeks)

Advance to p=quarantine with a percentage ramp. Start at pct=25 (only 25% of failing messages go to spam), monitor for one week, then increase to 50%, 75%, and finally 100%. At each stage, check that no legitimate mail is being quarantined.

Phase 5: Reject

Once quarantine at 100% shows zero false positives for at least 2 weeks, advance to p=reject. Spoofed email is now blocked entirely. Your domain is protected.

Keep monitoring after enforcement — new sending services get added, DKIM keys rotate, and SPF records change. Continuous monitoring catches regressions before they affect deliverability.

What to do when things go wrong

If legitimate mail starts failing after a policy change, you need two things: fast detection and automatic rollback. SpoofSentry provides both — anomaly detection alerts you within minutes, and automatic DNS rollback reverts supported record types to the previous policy through connected providers.
