Moving from DMARC monitoring to enforcement is one of the most critical decisions in your email security journey. Done correctly, it protects your domain from spoofing and phishing while maintaining legitimate email flow. Done incorrectly, it can block important business emails and damage your reputation with partners and customers.
This guide provides a step-by-step roadmap for safely progressing your DMARC policy from p=none (monitoring) through p=quarantine (partial enforcement) to p=reject (full enforcement), with specific criteria and checkpoints at each stage.
Understanding the Three DMARC Policies
p=none
Action: Monitor only, no enforcement
Risk Level: Zero impact on delivery
Purpose: Discovery phase - identify all legitimate email sources
p=quarantine
Action: Treat as suspicious (typically delivered to the spam or junk folder), but don't reject
Risk Level: Low - emails still delivered
Purpose: Testing phase - validate authentication before full enforcement
p=reject
Action: Block unauthenticated email
Risk Level: High - failed emails are rejected
Purpose: Full protection - maximum security
💡 Key Concept: The Percentage Tag
You can use the pct= tag to apply your policy to only a percentage of failing email. For example, p=quarantine; pct=25 applies quarantine to 25% of failing messages, allowing a gradual rollout. The remaining failing messages are handled under the next less severe policy: none for a quarantine record, quarantine for a reject record.
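To make the sampling concrete, the following is an added example (not from this guide) that parses the record syntax used throughout this guide and computes the expected disposition split for a batch of failing messages; tag defaults and the next-less-severe fallback for unsampled messages follow RFC 7489.

```python
# Added example: parse a DMARC TXT record and compute how a receiver is
# expected to dispose of failing mail under pct= sampling. Tag defaults and
# the "next less severe policy" rule for unsampled messages follow RFC 7489.

FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=10; rua=...' into a dict, validating
    the tags this guide relies on and filling in the RFC defaults."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue            # tolerate the trailing ';' used in this guide
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = dict(pairs)
    if tags.get("p") not in FALLBACK:
        raise ValueError("p= is required and must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("aspf", "r")          # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    pct = int(tags.get("pct", "100"))     # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    return tags

def expected_dispositions(record, failing_messages):
    """Expected {disposition: count} for a batch of messages that fail DMARC.
    The receiver applies p= to pct% of them and the next less severe policy
    to the rest, so p=reject; pct=10 rejects ~10% and quarantines ~90%.
    Real receivers sample randomly, so observed counts will vary."""
    tags = parse_dmarc(record)
    sampled = failing_messages * tags["pct"] // 100
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    counts[tags["p"]] += sampled
    counts[FALLBACK[tags["p"]]] += failing_messages - sampled
    return counts

# Two records from this guide's reject progression, 100 failing messages each
for rec in ("v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@yourdomain.com;",
            "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com;"):
    print(rec, "->", expected_dispositions(rec, 100))
```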
The Safe Progression Roadmap
Phase 1: Monitoring Mode (p=none)
Duration: 4-6 weeks minimum
DMARC Record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;
Goals:
- Collect reports from all major email receivers
- Identify all legitimate email sources (mail servers, marketing platforms, SaaS tools)
- Establish baseline email volume and patterns
- Configure SPF and DKIM for all identified sources
Success Criteria Before Moving to Phase 2:
- ✓ At least 4 weeks of complete report data
- ✓ 95%+ pass rate for legitimate email sources
- ✓ All business-critical sources identified and documented
- ✓ SPF record optimized (under 10 lookups)
- ✓ DKIM signing enabled and validated
- ✓ Monthly/quarterly email patterns captured
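The following is an added example, not part of this guide, that reads an aggregate (rua) report and checks it against the 95% pass-rate and all-sources-identified criteria above; the report, its IPs and counts are constructed sample data, and known_sources stands in for your documented source inventory.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report in the RFC 7489 XML format, not a
# real receiver's output: corporate MTA (SPF and DKIM aligned), a marketing
# platform (DKIM aligned, SPF not) and an unknown host that fails both.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>60</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Return (pass_rate, per_source); per_source maps IP -> [total, failed]."""
    root = ET.fromstring(report_xml)
    per_source = defaultdict(lambda: [0, 0])
    total = passed = 0
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # <policy_evaluated> holds the aligned results: DMARC passes when
        # either aligned DKIM or aligned SPF passed for the message.
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        per_source[ip][0] += count
        if ok:
            passed += count
        else:
            per_source[ip][1] += count
        total += count
    return (passed / total if total else 0.0), dict(per_source)

def ready_for_quarantine(report_xml, known_sources, threshold=0.95):
    """Phase 1 check: 95%+ pass rate and every sending IP in the inventory."""
    rate, per_source = summarize(report_xml)
    unknown = sorted(ip for ip in per_source if ip not in known_sources)
    return {"pass_rate": round(rate, 4), "unknown_sources": unknown,
            "ready": rate >= threshold and not unknown}
```

An unknown IP that fails both checks is a prompt to confirm whether it is a forgotten sender or an attempted spoof before advancing, not a reason to add it to SPF.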
⚠️ Common Mistake
Many organizations progress too quickly from monitoring. Wait at least 4-6 weeks to ensure you capture infrequent senders like monthly reports, quarterly statements, or HR systems that only send during onboarding.
Phase 2: Gradual Quarantine (p=quarantine with pct)
Duration: 2-4 weeks per percentage level
DMARC Record Progression:
Week 1-2: 10% quarantine
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com;
Week 3-4: 25% quarantine
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com;
Week 5-6: 50% quarantine
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com;
Week 7-8: 100% quarantine
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com;
Monitoring at Each Step:
- Watch for customer complaints about missing emails
- Monitor spam folder placement rates if possible
- Track any new authentication failures in reports
- Verify no business impact from quarantine policy
Success Criteria Before Moving to Phase 3:
- ✓ Zero complaints about legitimate email delivery
- ✓ 98%+ pass rate maintained
- ✓ No new legitimate sources discovered
- ✓ Stakeholder buy-in for reject policy
Phase 3: Gradual Reject (p=reject with pct)
Duration: 2-4 weeks per percentage level
DMARC Record Progression:
Week 1-2: 10% reject
v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@yourdomain.com;
Week 3-4: 25% reject
v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@yourdomain.com;
Week 5-6: 50% reject
v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@yourdomain.com;
Week 7-8: 100% reject
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com;
Critical Monitoring:
- Establish 24/7 monitoring process
- Set up alerts for any authentication failures
- Have rollback plan ready (revert to quarantine if needed)
- Communicate policy change to stakeholders
🚨 High Alert Phase
This is where email can actually be blocked. Monitor closely and have a rapid response plan. Any legitimate email that starts failing must be fixed immediately.
Phase 4: Full Enforcement & Maintenance
Final DMARC Record:
v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1;
Ongoing Tasks:
- Weekly report review for new sources or anomalies
- Update SPF/DKIM when adding new email services
- Test authentication before deploying new email-sending applications
- Monitor pass rates to ensure they stay above 98%
- Document changes to email infrastructure
Alternative Progression Strategies
Strategy 1: Aggressive Progression (High-Risk Tolerance)
For organizations with simple email infrastructure and high confidence:
- 4 weeks monitoring (p=none)
- 2 weeks quarantine at 100% (p=quarantine)
- 2 weeks reject at 50% (p=reject; pct=50)
- Full reject (p=reject)
Total time: ~2 months
Strategy 2: Conservative Progression (Low-Risk Tolerance)
For organizations with complex email infrastructure or low risk tolerance:
- 8-12 weeks monitoring (p=none)
- 4 weeks gradual quarantine with 10%, 25%, 50%, 100%
- 4 weeks quarantine at 100%
- 8 weeks gradual reject with 10%, 25%, 50%, 75%, 100%
Total time: 6+ months
Strategy 3: Subdomain-First Progression
Enforce on low-risk subdomains first:
- Set p=reject for subdomains with no legitimate email (e.g., api.yourdomain.com)
- Progress marketing subdomains (e.g., news.yourdomain.com)
- Finally, enforce on primary domain
Decision Factors: When to Progress
| Factor | Ready to Progress | Not Ready |
|---|---|---|
| Pass Rate | 98%+ passing | Below 95% |
| Time in Current Phase | Minimum duration met | Too early |
| Unknown Sources | All identified | New sources appearing |
| User Complaints | Zero complaints | Any delivery issues |
| SPF Record | Under 10 lookups | At or over limit |
| Stakeholder Approval | Full buy-in | Concerns remain |
Handling Progression Issues
Problem: Legitimate Email Starts Failing
Immediate Actions:
- Identify the source from DMARC reports
- Contact the service provider or check their documentation
- Add their SPF include or IP to your SPF record
- Enable DKIM signing if available
- Test authentication before widespread deployment
If Urgent: Temporarily roll back to previous policy level while fixing authentication.
Problem: Pass Rate Suddenly Drops
Common Causes:
- New email service deployed without authentication setup
- Third-party service changed infrastructure
- DKIM keys rotated without updating DNS
- SPF record modified incorrectly
Response: Investigate immediately, pause progression if needed, fix authentication issues before continuing.
Problem: Increased Spoofing Attempts Detected
This is actually a success indicator! Your DMARC reports are now showing attempted spoofing that would have previously gone undetected.
Action: Document the attempts, continue progression. This validates the need for enforcement.
Progression Checklist
Use this checklist before advancing to the next policy level:
Before Quarantine:
- Monitored for at least 4 weeks
- 95%+ pass rate achieved
- All legitimate sources identified and authenticated
- SPF record optimized (under 10 lookups)
- DKIM signing enabled and verified
- Stakeholder communication completed
Before Reject:
- Quarantine policy tested for at least 4 weeks
- 98%+ pass rate maintained
- Zero legitimate email delivery issues
- 24/7 monitoring process established
- Rollback plan documented and tested
- Executive approval obtained
Conclusion
DMARC policy progression is a marathon, not a sprint. The total timeline from p=none to p=reject typically takes 3-6 months for most organizations. While this may seem slow, it's necessary to ensure:
- All legitimate email sources are properly authenticated
- No business disruption occurs
- Stakeholders are informed and prepared
- Your domain gains maximum protection against spoofing
Remember: It's always better to progress slowly and safely than to rush and block legitimate email. The end goal—full DMARC enforcement at p=reject—is worth the careful journey.
Automate Your DMARC Progression
DMARC Busta provides AI-powered progression recommendations and automated policy updates for safe, confident enforcement.