
Migrating DMARC to p=reject Safely

Short answer. Never jump straight to p=reject. Start at p=none and collect RUA reports for 2–4 weeks to discover every sending source. Then move to p=quarantine with a low pct (10–25%) and ramp it up. Only after all legitimate streams pass SPF or DKIM alignment should you switch to p=reject. A sudden cutover almost always drops some mail.

Why you cannot enable p=reject immediately

DMARC relies on alignment: the domain in the From: header must match the domain that passed SPF or DKIM. Many services (CRM, billing, newsletters) send on your behalf but are not aligned. Enabling reject blindly bounces their mail at the recipient.

The safe-migration rule: observe first, quarantine a small slice next, and only then reject. Each step is data, not a guess.

Stage 1. Monitoring mode p=none

Publish the record in DNS and wire up an aggregate-report (RUA) mailbox:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1; adkim=r; aspf=r"

Over 2–4 weeks mailbox providers send XML reports listing the sources that pass and fail.

Stage 2. Quarantine with a pct slice

Once the main streams are aligned, turn on quarantine for a quarter of traffic, not all of it:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; fo=1; adkim=s; aspf=s"

Watch RUA for another week, then raise pct to 50, 75 and 100.

Stage 3. Full rejection p=reject

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; fo=1; adkim=s; aspf=s"

At this point, every message that spoofs your domain in the From: header and fails DMARC is rejected by receivers that enforce the policy.

Migration timeline

Stage              | Policy record           | Duration  | What to check
1. Observe         | p=none; pct=100         | 2–4 weeks | All sources in RUA
2. Quarantine 25%  | p=quarantine; pct=25    | 1 week    | No legitimate fails
3. Quarantine 100% | p=quarantine; pct=100   | 1–2 weeks | Delivery stable
4. Reject          | p=reject; pct=100       | permanent | Spoofed mail rejected

How to read RUA reports

  • source_ip — who sent mail from your domain;
  • spf / dkim result — pass or fail per mechanism;
  • disposition — what the provider did (none/quarantine/reject);
  • look for alignment failures — those are your future losses.

Common mistakes

  1. Enabling adkim=s; aspf=s (strict) before checking subdomains.
  2. A forgotten sending service that only surfaces after reject.
  3. No monitoring of the DMARC record — it can be overwritten by accident.

Where enterno helps

The /email-check tool parses your domain's SPF, DKIM and DMARC and shows the current policy and alignment. On Pro+ you can upload DMARC RUA reports to analyse sources. Put the _dmarc record on /monitors to get a Telegram alert if the TXT record changes or disappears. enterno does not send your mail — your ESP runs the campaigns; we diagnose and monitor.

FAQ

How long to stay on p=none?

2 to 4 weeks — enough for rare sources (quarterly invoices, seasonal campaigns) to appear in RUA.

Can I skip quarantine and go straight to reject?

Technically yes, but it is risky: quarantine is the safety net where a suspicious message lands in spam instead of being lost.

What is pct?

The percentage of messages the policy applies to. The rest is handled under a softer rule.

Strict or relaxed alignment?

Start with relaxed (adkim=r; aspf=r); move to strict only after confirming subdomains are aligned.

Next: check your domain's DMARC, review DNS records, and read about SPF/DKIM/DMARC, DMARC 2026 enforcement and MX setup.
