Short answer. Never jump straight to p=reject. Start at p=none and collect RUA reports for 2–4 weeks to discover every sending source. Then move to p=quarantine with a low pct (10–25%) and ramp it up. Only after all legitimate streams pass SPF or DKIM alignment should you switch to p=reject. A sudden cutover almost always drops some mail.
Why you cannot enable p=reject immediately
DMARC relies on alignment: the domain in the From: header must match the domain that passed SPF or DKIM. Many services (CRM, billing, newsletters) send on your behalf but are not aligned. Enabling reject blindly bounces their mail at the recipient.
The safe-migration rule: observe first, quarantine a small slice next, and only then reject. Each step is data, not a guess.
Stage 1. Monitoring mode p=none
Publish the record in DNS and wire up an aggregate-report (RUA) mailbox:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1; adkim=r; aspf=r"
Over 2–4 weeks mailbox providers send XML reports listing the sources that pass and fail.
Stage 2. Quarantine with a pct slice
Once the main streams are aligned, turn on quarantine for a quarter of traffic, not all of it:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; fo=1; adkim=s; aspf=s"
Watch RUA for another week, then raise pct to 50, 75 and 100.
Stage 3. Full rejection p=reject
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; fo=1; adkim=s; aspf=s"
At this point, receivers that enforce DMARC reject mail that spoofs your domain in the From: header.
Migration timeline
| Stage | Policy record | Duration | What to check |
|---|---|---|---|
| 1. Observe | p=none; pct=100 | 2–4 weeks | All sources in RUA |
| 2. Quarantine 25% | p=quarantine; pct=25 | 1 week | No legitimate fails |
| 3. Quarantine 100% | p=quarantine; pct=100 | 1–2 weeks | Delivery stable |
| 4. Reject | p=reject; pct=100 | permanent | Spoofed mail rejected |
How to read RUA reports
- source_ip — who sent mail from your domain;
- spf / dkim result — pass or fail per mechanism;
- disposition — what the provider did (none/quarantine/reject);
- look for alignment failures — those are your future losses.
Common mistakes
- Enabling adkim=s; aspf=s (strict) before checking subdomains.
- A forgotten sending service that only surfaces after reject.
- No monitoring of the DMARC record — it can be overwritten by accident.
Where enterno helps
The /email-check tool parses your domain's SPF, DKIM and DMARC and shows the current policy and alignment. On Pro+ you can upload DMARC RUA reports to analyse sources. Put the _dmarc record on /monitors to get a Telegram alert if the TXT record changes or disappears. enterno does not send your mail — your ESP runs the campaigns; we diagnose and monitor.
FAQ
How long to stay on p=none?
2 to 4 weeks — enough for rare sources (quarterly invoices, seasonal campaigns) to appear in RUA.
Can I skip quarantine and go straight to reject?
Technically yes, but it is risky: quarantine is the safety net where a suspicious message lands in spam instead of being lost.
What is pct?
The percentage of messages the policy applies to. The rest is handled under a softer rule.
Strict or relaxed alignment?
Start with relaxed (adkim=r; aspf=r); move to strict only after confirming subdomains are aligned.