The DMARC Implementation Journey

How to progress from monitoring to full enforcement safely.

Implementing DMARC requires a careful progression from monitoring (p=none) to full enforcement (p=reject). Rushing to reject can break legitimate email delivery.

Phase 1: Monitoring (p=none)

Start with p=none and configure aggregate reports (rua). This mode doesn't affect email delivery—it only collects data. Monitor reports for 2-4 weeks to identify all legitimate email sources. You'll discover third-party services sending as your domain that you may have forgotten about.

Phase 2: Fix Authentication

Review DMARC reports to find unauthenticated senders. Configure SPF and DKIM for each legitimate source. Marketing tools, CRM systems, and transactional email services all need proper authentication. Don't proceed until all legitimate email passes authentication.

Phase 3: Quarantine (p=quarantine)

Move to p=quarantine to send failures to spam folders. This catches spoofing without completely blocking email. Continue monitoring reports to catch any legitimate sources that were missed. Run in quarantine for 2-4 weeks.

Phase 4: Reject (p=reject)

Once confident all legitimate email is authenticated, move to p=reject. This blocks spoofed email entirely. Keep monitoring reports—legitimate sources may change over time. p=reject provides the strongest protection against domain spoofing.

Put the dmarc implementation journey to use. One key, the DMARC Validator API, live in minutes.

Scaling up?

Volume pricing, custom SLAs, and dedicated support for high-traffic teams.

Contact sales