Crawlsonar
Email & deliverability2 min readUpdated 2026-07-09

How to set up DMARC (from p=none to p=reject)

DMARC tells receivers what to do when SPF/DKIM fail — and gives you reports on who's sending as you. Here's how to roll it out safely from p=none to p=reject.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM. It does two things: tells receivers how to handle mail that fails authentication, and sends you reports of who is sending as your domain — including spoofers and forgotten services.

The record#

DMARC is a TXT record at _dmarc.yourdomain.com. A minimal monitoring record:

v=DMARC1; p=none; rua=mailto:[email protected]
TagMeaning
pPolicy: none (monitor) · quarantine (spam-folder) · reject (block)
ruaWhere to send aggregate reports
pctPercentage of mail the policy applies to (ramp-up)
spPolicy for subdomains
adkim / aspfDKIM/SPF alignment mode: r (relaxed, default) or s (strict)

Roll out in three stages#

  1. 1

    Monitor (p=none)

    Publish with p=none and a rua address. Change nothing about delivery; just collect reports for 2–4 weeks to discover every legitimate sender.

  2. 2

    Quarantine (p=quarantine)

    Once your real senders pass, move to quarantine — optionally with pct=25 then 100 — so failing mail goes to spam, not the inbox.

  3. 3

    Reject (p=reject)

    Finally set p=reject so spoofed mail is blocked outright. This is the goal state and what unlocks BIMI.

Watch out: Don't jump straight to p=reject. If a legitimate service isn't authenticated yet, you'll block your own mail. Use the reports to fix alignment first.

Reading the reports#

Aggregate (rua) reports are XML, sent daily by receivers. They show each sending IP, how much mail it sent, and whether SPF/DKIM/DMARC passed. Raw XML is unreadable at scale — use a DMARC report analyzer/dashboard, or a managed DMARC service, to spot unauthenticated legitimate senders (fix them) versus spoofers (ignore or report).

Frequently asked questions

Is p=none enough?

p=none gives you reporting but zero protection — spoofed mail is still delivered. It's a starting point, not a destination. Move to quarantine then reject once your legitimate senders pass.

What's the difference between SPF/DKIM passing and DMARC passing?

DMARC additionally requires alignment: the domain that SPF or DKIM authenticated must match your visible From: domain. SPF/DKIM can pass on a hidden domain while DMARC still fails.

Will DMARC break my email?

Only if you enforce (quarantine/reject) before all your legitimate senders authenticate and align. That's why you start at p=none, read the reports, fix senders, then tighten.

Do it with a free tool

Related guides

Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.