The DMARC Enforcement Roadmap: From p=none to p=reject

June 12, 2026

By DMARCdrift Team

8 min read | Tags: dmarc, policy, enforcement, getting-started

DMARC enforcement is the single most misunderstood part of email authentication. People treat it like a checkbox: publish a record, done. But a DMARC record at p=none does nothing to stop spoofing. It only watches. Real protection lives at p=quarantine and p=reject, and getting there safely is a staged journey, not a switch you flip.

This is the roadmap: every stage from no record at all to full enforcement, what each one actually protects you from, and how long the whole thing takes. Each stage links to a deeper guide if you want the detail.

The four stages, at a glance

DMARC enforcement moves through four states, in order:

Stage | Policy       | What it does
------|--------------|--------------------------------------
0     | No record    | No policy, no reports, no protection
1     | p=none       | Collects reports, enforces nothing
2     | p=quarantine | Failing mail goes to spam
3     | p=reject     | Failing mail is blocked outright

The mistake almost everyone makes is stopping at stage 1. Our research found that 73.8% of well-known domains have a DMARC record but only 60.4% actually enforce one — the gap is entirely domains stranded at p=none, believing they are protected when they are not.

How to find your current stage

Before you plan the next step, locate where you are. Check your DMARC record with the DMARC record checker and read the p= tag:

  • No record returned — you are at stage 0. Start with a record.
  • p=none — stage 1. You are collecting data but enforcing nothing. The next step depends on whether your senders are aligned.
  • p=quarantine — stage 2. You have real protection, with a safety net. Confirm your alignment is high and stable before the final move.
  • p=reject — stage 3. You are fully enforced. Your job now is to keep it that way.

One detail trips people up: a policy at p=quarantine or p=reject combined with pct=10 means the policy applies to only 10% of failing mail. The pct= tag matters as much as the policy. If your pct= is below 100, you are partway through a stage, not finished with it.
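The stage lookup described above, as an added example (not DMARCdrift's code): it parses the TXT value published at _dmarc.<domain> and reports the stage, policy, pct and whether enforcement is only partial. The function names and the sample records are assumptions made for illustration.

```python
STAGES = {"none": 1, "quarantine": 2, "reject": 3}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # The v= tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def roadmap_stage(txt):
    """Return (stage, policy, pct, partial) for the TXT value at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags is None:
        return (0, None, None, False)  # stage 0: no usable record
    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        # RFC 7489: an invalid p= is treated as p=none when a rua= is present,
        # otherwise no DMARC processing applies (rua syntax check simplified).
        if "rua" not in tags:
            return (0, None, None, False)
        policy = "none"
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))  # default is 100
    except ValueError:
        pct = 100  # assumption: an unparsable pct falls back to the default
    stage = STAGES[policy]
    partial = stage >= 2 and pct < 100  # enforcing, but not on all failing mail
    return (stage, policy, pct, partial)


# Constructed sample records (example.com is a placeholder domain).
SAMPLES = [
    None,
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", roadmap_stage(record))
```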

Stage 0: No DMARC record

If you have no DMARC record, receiving servers have no instruction for what to do with mail that fails authentication, and you get no reports about who is sending under your name. Anyone can spoof your domain and you will never know. This is the worst place to be, and it is also the easiest to fix.

The full consequences of having no DMARC record come down to two losses: no protection and no visibility. The fix is a single DNS record. You can generate a starter record in a minute and confirm it with the DMARC record checker.

Start at p=none deliberately. Publishing p=reject on day one, before you know your sending sources, is how legitimate mail gets blocked.

Stage 1: p=none — monitoring mode

p=none tells receivers to take no action on failures but to send you aggregate reports. This is your data-gathering phase. The reports reveal every source sending mail as your domain: your ESP, your transactional provider, your support desk, that marketing tool someone connected two years ago.

The danger of p=none is comfort. It feels like progress, the reports arrive, nothing breaks — and domains sit there for years. But p=none blocks nothing. A spoofer impersonating your domain sails straight through.

The goal of this stage is to reach the point where every legitimate source is authenticating correctly. The detail of what p=none means and when you're ready to move past it is its own guide, but the short version: stay long enough to identify and fix every sender, and no longer. Most domains should spend one to two weeks here, not one to two years.

Stage 2: p=quarantine — the first real enforcement

p=quarantine is the first policy that actually does something. Mail that fails DMARC alignment is delivered to the spam folder instead of the inbox. This is the safety net before full enforcement: if you missed a legitimate sending source, the cost is a message in spam, not a deleted message.

Move to p=quarantine once your aggregate reports show all known senders passing alignment consistently — a common threshold is 95% or higher aligned mail sustained for two consecutive weeks. Use the DMARC policy simulator to see what enforcement would do to your current mail stream before you commit.

You can also ease into it with the pct= tag, applying the policy to only a fraction of failing mail at first. Start at pct=25, watch for fallout, then ramp to pct=100.

Stage 3: p=reject — full enforcement

p=reject is the destination. Mail that fails DMARC alignment is blocked at the receiving server and never delivered anywhere. This is what actually stops someone from spoofing your domain to your customers.

The decision to move from quarantine to reject is fundamentally a deliverability decision, not just a security one: you are trading a small risk to your own mail for real protection against impersonation. The practical threshold is 98% or higher sustained alignment for a full month at pct=100, with confidence that there are no remaining blind spots.

Once you reach p=reject, the work shifts from configuration to vigilance. New sending sources, expired DKIM keys, and SPF changes can all reintroduce failures, and at p=reject a failure means blocked mail. This is where continuous monitoring stops being optional.

The failure modes after enforcement are predictable. A team signs up for a new marketing tool and sends through it without aligning the domain. A DKIM key rotates and the new selector never gets published. Someone edits the SPF record and pushes it past the ten-lookup limit, silently breaking SPF for every sender. None of these announce themselves. At p=none they would show up as a line in a report nobody reads; at p=reject they show up as mail that quietly stops arriving. The difference between catching them in a day and discovering them when a customer complains is whether something is watching the reports.
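A pre-publish check for the SPF failure mode above, as an added example (not DMARCdrift's code): it counts the DNS-querying terms an SPF record pulls in, following include and redirect, against the ten-lookup limit. The zone contents and every domain name in it are constructed placeholders, and the records are read from a dictionary rather than live DNS.

```python
# Mechanisms that each cost one DNS lookup under RFC 7208 (plus redirect=).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

# Constructed records for illustration; every name here is a placeholder.
ZONE = {
    "example.com": "v=spf1 include:_spf.esp.example include:_spf.crm.example "
                   "include:_spf.desk.example mx a -all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example mx:crm.example ~all",
    "_spf.desk.example": "v=spf1 exists:%{i}.desk.example redirect=_spf2.desk.example",
    "_spf2.desk.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include/redirect loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_spf_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]  # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_spf_lookups(target, zone, path + (domain,))
    return total


def exceeds_limit(domain, zone):
    """True when the record would blow the ten-lookup limit."""
    return count_spf_lookups(domain, zone) > SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    print(count_spf_lookups("example.com", ZONE), exceeds_limit("example.com", ZONE))
```

In the constructed zone, the third include is the edit that tips the record over the limit; the same record without it stays under.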

The deadline that forced everyone's hand

For years, DMARC enforcement was something diligent teams did and everyone else ignored. That changed in February 2024, when Google and Yahoo began requiring DMARC for bulk senders — anyone sending more than 5,000 messages a day to their users.

The Gmail and Yahoo sender requirements only mandate a DMARC record with a reporting address, which means p=none technically passes. But the deadline pushed millions of domains onto the roadmap for the first time, and the ones that understood the difference between having a record and enforcing one moved straight through to quarantine and reject.

Why most domains stall — and how not to

The enforcement gap exists because p=none is comfortable and the next step feels risky. Moving to enforcement means accepting that you might affect real mail, and without good reporting that feels like flying blind.

It does not have to. Every move up the roadmap is gated by one question: are all my legitimate senders aligned? If you can answer that with confidence, the next stage is safe. If you cannot, you are not ready — and the answer is in your aggregate reports, if someone is reading them.
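One way to answer that gating question from a report, as an added example (not DMARCdrift's code): it reads an aggregate report in the RFC 7489 XML layout, totals aligned mail per source IP, and compares the overall rate with the 95% and 98% thresholds from the stage 2 and stage 3 sections. The sample report, its IPs and counts, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report in the RFC 7489 layout; not real data.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def alignment_by_source(xml_text):
    """Return {source_ip: [aligned, total]} message counts for one report."""
    # Reports come from third parties: in production parse them with a
    # hardened parser such as defusedxml rather than the stdlib one.
    stats = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated carries the aligned DKIM and SPF verdicts;
        # DMARC passes when either one is "pass".
        verdicts = (row.findtext("policy_evaluated/dkim"),
                    row.findtext("policy_evaluated/spf"))
        stats[ip][1] += count
        if "pass" in verdicts:
            stats[ip][0] += count
    return dict(stats)


def readiness(xml_text, quarantine_bar=95.0, reject_bar=98.0):
    """Summarise one report against the page's 95% and 98% thresholds."""
    stats = alignment_by_source(xml_text)
    aligned = sum(a for a, _ in stats.values())
    total = sum(t for _, t in stats.values())
    rate = 100.0 * aligned / total if total else 0.0
    return {
        "aligned_pct": rate,
        # Sources with any unaligned mail: fix them if yours, ignore if spoofed.
        "failing_sources": sorted(ip for ip, (a, t) in stats.items() if a < t),
        "meets_quarantine_bar": rate >= quarantine_bar,
        "meets_reject_bar": rate >= reject_bar,
    }
```

A single report only shows one reporting window; the thresholds apply to the rate sustained across every report in the two-week or one-month period.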

Putting a calendar on it

The roadmap is shorter than people fear. A domain with a handful of known senders can run it in four to eight weeks:

  • Week 0: publish p=none with a reporting address. Reports begin arriving within 24 to 48 hours.
  • Weeks 1–2: identify every sending source in the reports and fix any that fail alignment. This is the only stage whose length depends on you.
  • Weeks 2–4: move to p=quarantine, optionally with pct= ramping, and confirm nothing legitimate lands in spam.
  • Weeks 4–8: once alignment holds above 98% for a full month, move to p=reject.

Complex domains — many ESPs, forwarders, acquired brands, legacy senders — take longer, sometimes several months. But the calendar is driven entirely by how long it takes to reach stable alignment. The policy changes themselves are instant; the readiness is what you are waiting on.

That is the entire job of monitoring: turn the raw XML into a clear, current answer to "is anything failing, and is it mine?" so each step up the roadmap is a decision backed by data instead of a leap of faith. DMARCdrift ingests your reports automatically, tracks alignment across every sending source, and alerts you when something drifts — so you reach p=reject and stay there.

The roadmap is not long. For most domains it is a few weeks of attention, not a project. The hard part was never the records. It was knowing when to take the next step.