How to get to p=reject without breaking mail
Enforcement is the goal – but rushing it blocks real mail. Here's how to do it safely.
A DMARC policy of p=none is a monitoring mode – it protects nobody. Only p=quarantine and p=reject actually stop an attacker sending email as you. Yet most domains never advance, because moving up feels risky: what if you block a legitimate sender you’d forgotten about? Here’s the staged approach that removes the risk.
1. Publish p=none and gather evidence
Start in monitoring mode with aggregate (RUA) reporting on. Within days you’ll see every source sending as your domain – the good, the forgotten, and the malicious.
2. Identify and authorise every legitimate sender
Work through your sources and make sure each genuine one is authenticated and aligned. DMARCER’s source identification names your senders and surfaces the unknown ones by volume, so you fix the biggest gaps first.
3. Advance only when the impact is zero
This is the crucial step. Before you change policy, you should know exactly how much mail it would affect. DMARCER projects it: “if you advance now, this much of your current mail would be quarantined or rejected.” When that number is zero – or only covers mail that should fail – you advance with confidence, from none to quarantine to reject.
4. Don’t stop at DMARC
True protection layers DMARC with transport security – MTA-STS and TLS-RPT – so mail can’t be downgraded even once DMARC passes. DMARCER tracks all three together as a single “fully enforced” state.
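The zero-impact check from step 3, as an added example (it is not DMARCER's code): it reads one aggregate (RUA) report in the RFC 7489 XML layout and counts the mail that would be quarantined or rejected under enforcement, split by source. The function names, the sample report and the `legitimate_ips` inventory are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def project_impact(report_xml, legitimate_ips):
    """Return (total_messages, failing_by_ip, legitimate_at_risk) for one report."""
    # Reports arrive from third parties: use a hardened parser such as
    # defusedxml in production instead of the stdlib parser used here.
    root = ET.fromstring(report_xml)
    total = 0
    failing = defaultdict(int)
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        total += count
        # policy_evaluated carries the aligned DKIM and SPF results;
        # DMARC passes when either one is "pass".
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        if dkim != "pass" and spf != "pass":
            failing[row.findtext("source_ip")] += count
    # Failing mail from a sender you have authorised is what enforcement would break.
    at_risk = {ip: n for ip, n in failing.items() if ip in legitimate_ips}
    return total, dict(failing), at_risk

def ready_to_advance(report_xml, legitimate_ips):
    """True when the only mail that would be blocked is mail that should fail."""
    _, _, at_risk = project_impact(report_xml, legitimate_ips)
    return not at_risk

if __name__ == "__main__":
    inventory = {"192.0.2.10", "198.51.100.7"}  # hypothetical sender inventory
    total, failing, at_risk = project_impact(SAMPLE_REPORT, inventory)
    print(f"{sum(failing.values())}/{total} messages would be affected")
    print("legitimate senders still failing:", at_risk)
    print("safe to advance:", ready_to_advance(SAMPLE_REPORT, inventory))
```

In practice the same tally is run across every report received over the monitoring window, since a single report covers one receiver and one reporting period.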
See how close you are
Run a free check to see your current policy, or read more about the enforcement journey.