Defaults.Exposed › Ispravci › Guides
DMARC p=none to p=reject Without Losing Legitimate Email: The Staged Rollout (2026)
Objavljeno 2026-07-08
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.
Move DMARC from p=none to p=reject in four stages: monitor rua reports for 2–4 weeks, fix every legitimate sender, ramp p=quarantine with pct, then reject — never jump straight to reject. 70,368,600 of 261,086,232 graded domains sit stalled at soft SPF with no DMARC enforcement, according to the Defaults.Exposed census.
This is the operational runbook: a stages table with exit criteria, the record for each stage, the RFC 7489 pct subtlety that changes what “50%” means at reject, and the sp= tag for subdomains. If you’re deciding whether to enforce, read the 6 stages of DMARC maturity first — that’s the framework; and if the policy levels themselves are new to you, what p=none, p=quarantine and p=reject actually mean is the primer. This page is the doing.
Why can’t you jump straight to p=reject?
Because p=reject tells every honoring receiver to bounce mail that fails DMARC — and until you’ve watched your reports, you don’t know what fails. Almost every domain that turns on monitoring discovers legitimate senders it forgot: the CRM, the invoicing tool, a contact form. Jump to reject on day one and that mail doesn’t go to spam; it disappears at SMTP time. Losing an invoice run teaches an organisation to fear DMARC, and the record gets rolled back to p=none permanently — of 261,086,232 graded domains, 37,312,637 are parked exactly there, and only 10.59% (27,640,987) ever reach an enforced policy.
The other reason is alignment. DMARC passes only when SPF or DKIM passes and aligns with the visible From domain — SPF against the Return-Path (RFC5321.MailFrom) domain, DKIM against the signature’s d=. Third-party senders usually pass SPF on their domain, not yours, which is why the fix-every-source stage is mostly about enabling each vendor’s custom-domain DKIM — unpacked in DMARC fails but SPF and DKIM pass.
What are the four rollout stages?
| Stage | Policy record | pct | What happens to failing mail | Exit criteria |
|---|---|---|---|---|
| 1. Monitor | p=none; rua=mailto:… | — | Delivered normally; you receive aggregate reports | 2–4 weeks of reports; every sender in them identified as legitimate or not |
| 2. Fix sources | p=none (unchanged) | — | Still delivered normally | Every legitimate source passes DMARC aligned (custom-domain DKIM per sender); remaining failures are only unknown/spoofed traffic |
| 3. Quarantine ramp | p=quarantine | 10 → 25 → 50 → 100 | Sampled share goes to spam folders; the sampled-out share is treated as p=none (delivered) | 1–2 weeks at pct=100 with zero legitimate mail quarantined |
| 4. Reject | p=reject | 100 | Bounced at SMTP time; sender gets a bounce, recipient sees nothing | Ongoing — keep rua on forever to catch new senders |
Data as of 2026-06-29; policy behaviour per RFC 7489.
Stage 3 is where domains stall or panic. Spam-foldering is recoverable — users find the mail, you loosen pct, you fix the source. Rejection is not recoverable, which is why quarantine at pct=100 running clean is the entry ticket to stage 4.
How do you run the rollout, step by step?
- Run the free scan at defaults.exposed before touching DNS. It confirms your current policy and whether SPF and DKIM are in place underneath — the two legs enforcement stands on.
- Turn on monitoring if you haven’t. Publishing
p=nonewithrua=is the five-minute step in “DMARC policy not enabled”. Collect 2–4 weeks of reports — enough to catch monthly senders like invoicing runs. - Inventory every source in the reports. Sort senders into yours, your vendors’, and unknown. Raw reports arrive as XML — a report-processing tool (or your provider’s dashboard) turns them into a readable sender inventory.
- Make each legitimate source pass aligned. Enable each vendor’s custom-domain DKIM (usually two CNAME records in their dashboard) so signatures carry your domain, not theirs. Prefer DKIM for alignment: it survives forwarding, SPF doesn’t.
- Wait for a clean fortnight. Exit stage 2 only when reported failures are exclusively traffic you don’t recognise — the spoofing you want to block.
- Move to
p=quarantine; pct=10— edit the existing_dmarcTXT record (worked example: IONOS DMARC setup), and watch the syntax: a typo in the policy tag can void the record entirely. Ramp pct to 25, 50, 100 over 2–4 weeks, watching reports and helpdesk tickets. Anything legitimate in spam: drop pct back, fix the source, resume. - Move to
p=rejectafter 1–2 clean weeks atpct=100. Keeprua=on permanently — every new tool your company adopts is a future failing sender.
What does pct actually do? The RFC 7489 subtlety
pct asks receivers to apply your policy to that percentage of failing mail. The subtlety, from RFC 7489 §6.6.4: mail that’s sampled out doesn’t fall back to “deliver normally” — it gets the next-less-severe policy. Under p=quarantine; pct=25, the other 75% is treated as p=none and delivered. But under p=reject; pct=50, the other 50% is quarantined, not delivered. There is no gentle reject: the moment your record says reject, every failing message is at minimum spam-foldered at honoring receivers.
Used deliberately, that’s a feature — p=reject; pct=1 behaves as “quarantine almost everything, reject a trickle”, a legitimate final on-ramp. Two cautions: receivers don’t all implement sampling identically, so treat pct as a rough dial; and remove the tag (or set pct=100) once stage 4 is stable, so your record says what you mean.
What about subdomains — the sp= tag?
By default, subdomains inherit the organizational domain’s policy: p=reject at yourdomain.com covers mail.yourdomain.com too. The sp= tag lets them diverge, in both useful and dangerous directions. Useful: p=quarantine; sp=reject locks down subdomains you never send from while the apex is still mid-ramp — spoofers deliberately target subdomains of monitored domains. Dangerous: a forgotten sp=none silently exempts every subdomain from the reject policy you spent six weeks earning. Check for it at stage 4; if one subdomain genuinely needs a looser policy, publish a _dmarc record on that subdomain instead of loosening all of them.
Does NIS2 mean EU businesses have to do this?
DMARC works identically everywhere — nothing in this runbook changes at an EU border. What changes is the compliance pull. NIS2 Article 21(2)(j) requires in-scope entities to secure their communications, and Commission Implementing Regulation (EU) 2024/2690 spells out the technical requirements for the digital-infrastructure entities it covers — its Annex (point 6.7.2(k)) requires an implementation plan for deploying internationally agreed modern email-security standards, and point 6.7.2(l) requires DNS-security best practices. An enforced DMARC policy, with SPF and DKIM underneath, is the recognised auditable control for spoofing; p=none is demonstrably monitoring, not securing. If your customers are in scope, their supplier questionnaires increasingly ask for exactly this.
Frequently asked questions
How long does the whole rollout take? Six to ten weeks is typical: 2–4 weeks monitoring, 1–3 weeks fixing sources, 2–4 weeks ramping quarantine, then reject. It’s calendar time, not effort — mostly waiting for reports to confirm each change. The 89.41% of 261,086,232 graded domains without an enforced policy (data as of 2026-06-29) mostly aren’t mid-rollout; they never started the clock.
Can I skip quarantine and use p=reject with a low pct instead?
You can — per RFC 7489 §6.6.4, p=reject; pct=10 means 10% rejected and 90% quarantined, roughly late stage 3. But p=quarantine first is easier to reason about, and receivers vary in how faithfully they sample. Either way, stages 1–2 are non-negotiable: no enforcement flavour is safe while legitimate senders still fail.
What about mail I can’t fix — forwarders and mailing lists? Forwarding breaks SPF by design, and some mailing lists rewrite content, breaking DKIM too. Aligned DKIM survives ordinary forwarding, which handles most of it; the small residue is why the quarantine stage exists — spam-foldered mail is recoverable while you assess. Details in forwarded email fails SPF.
Is stopping at p=quarantine good enough?
It’s most of the value, and far better than the 37,312,637 domains parked at p=none (of 261,086,232 graded, data as of 2026-06-29) — but spoofed mail still reaches spam folders, where people fish it out. Reject is the endpoint: only 10.59% of graded domains enforce at all, and finishing is what checkers, insurers and questionnaires credit.
Send the owner the report
If you’re running this rollout for a client or employer, the finish line is showable. Re-run the free scan after p=reject resolves and forward the graded report: the domain moving to an enforced policy, timestamped and in plain English. That one page answers the email-security line on cyber-insurance renewals and NIS2-driven supplier questionnaires better than a screenshot of a DNS panel — and it makes six weeks of careful, invisible work visible to the person who pays for it.
Check your DMARC policy free
See what your policy currently is — and whether SPF and DKIM can carry enforcement — privately and owner-only.
Check your domain → · Fix DMARC → · “DMARC policy not enabled” — the honest first step → · Aggregate data only. Data stored and processed in the EU.