Get to p=reject without breaking mail
A DMARC policy of p=none monitors mail but protects nobody. The goal is enforcement - but advancing blindly risks blocking real mail. DMARCER de-risks the whole journey, stage by stage, and shows the impact before you ever flip the switch.
Enforcement ladders to choose from
Reject impact shown before you advance
Layers: DMARC + MTA-STS + TLS-RPT
The reason most domains never reach enforcement
Publishing p=none feels like progress, but it does nothing to stop an attacker – it only turns on reporting. A receiving mail server reads none as “take no action,” so a spoofed message still lands in the inbox. Real protection only begins at p=quarantine (send failing mail to spam) and p=reject (refuse it outright). Everything before that is monitoring, not defence.
So why do so many domains sit at none for years? Fear – the entirely reasonable fear of breaking a legitimate sender you forgot about. Flip to reject with one unauthorised-but-real service still failing, and you start bouncing your own invoices, newsletters or signup emails. The cost of getting it wrong is so visible that the safe-feeling choice is to never advance at all. DMARCER’s whole job here is to remove that fear by replacing guesswork with evidence.
Why this matters – whoever you are
- Running your own domains? You reach real protection without gambling that you’ve remembered every sender.
- Managing clients? You move a whole estate of domains to enforcement on a repeatable, defensible process – not domain-by-domain nerve.
A ladder that matches your appetite for risk
Getting from none to reject isn’t one jump – it’s a series of steps, often raising the share of mail a policy applies to before tightening the policy itself. DMARCER ships ready-made enforcement ladders that set how cautiously you climb, and how much evidence each rung needs before it’s safe to take. Pick the one that suits the domain, or define your own.
Aggressive
Advance fast on smaller samples. Best for simple domains with few senders, where you want to reach reject quickly.
Balanced
The sensible default. Enough evidence to be confident, without dragging the journey out for months.
Conservative
Longer observation windows and higher confidence before each step – for busy or business-critical domains.
Custom
Set the thresholds yourself – the windows and confidence levels that match your own policy and risk rules.
A readiness verdict for every domain
Against the ladder you’ve chosen, DMARCER scores each domain’s readiness to take its next step and reduces it to one of three plain states. No spreadsheets, no interpreting raw report data – just a clear answer to “can I safely advance this one yet?”
Across an estate, that turns a daunting project into a worklist: the Ready domains you can advance today, the Almost ones that need a little more evidence, and the Not ready ones with real work outstanding – each pointing you at what to do next.
- Ready – safe to advance to the next rung now
- Almost – close; needs a little more evidence or a small fix
- Not ready – real work outstanding before it’s safe
- Scored per domain, against your chosen ladder
See what would be blocked – before you commit
The fear of enforcement comes from not knowing the impact. So DMARCER projects it for you, in your own current mail: “if you advance now, this much of your current mail would be quarantined or rejected.” That single number is the whole decision. When it’s zero, you advance with confidence. When it isn’t, you can see whether the affected mail is something that should fail – spoofing and abuse you want blocked – or a legitimate sender you still need to authorise first.
Either way, the projection names the exact senders standing between you and the next rung, so you’re never advancing on a hunch and never left guessing what to fix.
- Projected reject / quarantine impact before you move
- Measured against your own recent mail, not a guess
- Advance when it’s zero – or covers only mail that should fail
- The exact senders standing in the way, called out
Enforcement is more than DMARC
Reaching p=reject stops mail being spoofed, but real protection also covers how mail is carried. DMARCER tracks three layers together and rolls them into a single “fully enforced” status – so you don’t declare victory on DMARC while transport security is still wide open.
DMARC
The policy that tells receivers to quarantine or reject mail failing authentication – the layer that stops spoofing of your domain.
MTA-STS
Requires that mail to you is delivered over an encrypted, properly-certified connection – closing off downgrade and interception attacks in transit.
TLS-RPT
Reports back when those encrypted-delivery attempts fail, so a transport problem surfaces instead of failing silently.
One status across all three means “fully enforced” actually means it. Before you start the climb, pair this with source identification to authorise the good senders first – the surest way to drive that projected-impact number to zero.
If you run your own domains
You move from monitoring to real protection on evidence, not nerve – advancing only when the projected impact says it’s safe, and reaching a fully-enforced status across DMARC, MTA-STS and TLS-RPT.
If you manage clients
You run a repeatable enforcement process across every client – readiness scored per domain, a defensible “here’s why it was safe” for each step, and a clear worklist of which domains advance next.
Where this fits in the platform
Source identification →
Authorise the good senders before you enforce.
Hosted SPF →
Keep SPF valid as you authorise more senders.
Forensic analysis →
Understand each failure before you act on it.
For MSPs →
Drive enforcement across a whole client base.
Find out how close you are to enforcement
Run a free check to see your current policy and posture – then climb the ladder safely.
Check your domain