How to set up DMARC (from p=none to p=reject)
DMARC tells receivers what to do when SPF/DKIM fail — and gives you reports on who's sending as you. Here's how to roll it out safely from p=none to p=reject.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM. It does two things: tells receivers how to handle mail that fails authentication, and sends you reports of who is sending as your domain — including spoofers and forgotten services.
The record#
DMARC is a TXT record at _dmarc.yourdomain.com. A minimal monitoring record:
v=DMARC1; p=none; rua=mailto:[email protected]| Tag | Meaning |
|---|---|
| p | Policy: none (monitor) · quarantine (spam-folder) · reject (block) |
| rua | Where to send aggregate reports |
| pct | Percentage of mail the policy applies to (ramp-up) |
| sp | Policy for subdomains |
| adkim / aspf | DKIM/SPF alignment mode: r (relaxed, default) or s (strict) |
Roll out in three stages#
- 1
Monitor (p=none)
Publish with p=none and a rua address. Change nothing about delivery; just collect reports for 2–4 weeks to discover every legitimate sender.
- 2
Quarantine (p=quarantine)
Once your real senders pass, move to quarantine — optionally with pct=25 then 100 — so failing mail goes to spam, not the inbox.
- 3
Reject (p=reject)
Finally set p=reject so spoofed mail is blocked outright. This is the goal state and what unlocks BIMI.
Reading the reports#
Aggregate (rua) reports are XML, sent daily by receivers. They show each sending IP, how much mail it sent, and whether SPF/DKIM/DMARC passed. Raw XML is unreadable at scale — use a DMARC report analyzer/dashboard, or a managed DMARC service, to spot unauthenticated legitimate senders (fix them) versus spoofers (ignore or report).
Frequently asked questions
▸ ▾ Is p=none enough?
p=none gives you reporting but zero protection — spoofed mail is still delivered. It's a starting point, not a destination. Move to quarantine then reject once your legitimate senders pass.
▸ ▾ What's the difference between SPF/DKIM passing and DMARC passing?
DMARC additionally requires alignment: the domain that SPF or DKIM authenticated must match your visible From: domain. SPF/DKIM can pass on a hidden domain while DMARC still fails.
▸ ▾ Will DMARC break my email?
Only if you enforce (quarantine/reject) before all your legitimate senders authenticate and align. That's why you start at p=none, read the reports, fix senders, then tighten.
Do it with a free tool
Related guides
Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.