How to Move from DMARC p=none to p=reject Without Breaking Your Email

p=none is monitoring mode. Here's how to move to full enforcement safely.


Most domains start their DMARC journey with p=none. That's the right call. It lets you collect aggregate reports and see what's happening with your email authentication before you start blocking anything. But p=none doesn't actually protect you. Spoofed messages still get delivered, and mailbox providers treat your domain the same as one with no DMARC record at all.

The goal is p=reject. Getting there without disrupting your legitimate email takes a few deliberate steps.

Step 1: Confirm you're receiving DMARC reports

Before changing anything, make sure your DMARC record includes a rua tag pointing to an address that's actually being monitored. If you're using Viewleaf Signal, this is your collector address. If the rua tag is missing or pointing to an inbox nobody checks, you're enforcing blind.

You can verify your current DMARC record with our DMARC Lookup tool.

Step 2: Identify every legitimate sender

This is the step most people rush through, and it's where things break. Open your DMARC reports and look at every source that's sending email as your domain. You're looking for:

Your primary email provider (Google Workspace, Microsoft 365, etc.)

Your marketing platform (Mailchimp, HubSpot, ActiveCampaign)

Your transactional email service (SendGrid, Postmark, Amazon SES)

Your CRM, helpdesk, invoicing software, or anything else that sends email on your behalf

Every one of these needs to pass both SPF and DKIM with proper alignment. If any of them show up as failing in your reports, fix that first. Our verification guide walks through exactly how to check each protocol.

The common culprits: a marketing tool you added six months ago that nobody configured DKIM for, or a SaaS product that sends notifications from your domain but isn't in your SPF record. These are easy fixes, but you need to find them before you start rejecting mail.
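
One way to do this triage over a raw aggregate report, added here as an example and not Viewleaf's code: it groups records by source IP and separates sources that fail DMARC outright from sources that pass on only one of SPF or DKIM. The sample report is constructed (documentation IPs, example.com), and the code assumes the un-namespaced XML layout from RFC 7489.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
                 "</policy_published>"
                 + _rec("192.0.2.10", 120, "pass", "pass")    # fully configured sender
                 + _rec("198.51.100.7", 40, "fail", "pass")   # SPF only, DKIM never set up
                 + _rec("203.0.113.99", 5, "fail", "fail")    # unknown source
                 + "</feedback>")

def summarize(report_xml):
    """Per source IP: message count, aligned DKIM/SPF passes, and a triage status."""
    totals = defaultdict(lambda: {"count": 0, "dkim_pass": 0, "spf_pass": 0, "dmarc_fail": 0})
    # Reports come from third parties: parse real ones with a hardened parser
    # (e.g. defusedxml) instead of trusting the input as this example does.
    for rec in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated carries the aligned (DMARC) results, not raw SPF/DKIM.
        ev = rec.find("row/policy_evaluated")
        n = int(rec.findtext("row/count", default="0"))
        dkim_ok = ev.findtext("dkim") == "pass"
        spf_ok = ev.findtext("spf") == "pass"
        t = totals[rec.findtext("row/source_ip")]
        t["count"] += n
        t["dkim_pass"] += n if dkim_ok else 0
        t["spf_pass"] += n if spf_ok else 0
        # A message fails DMARC only when neither aligned result passes.
        t["dmarc_fail"] += 0 if (dkim_ok or spf_ok) else n
    for t in totals.values():
        if t["dmarc_fail"]:
            t["status"] = "fail"      # would be quarantined or rejected under enforcement
        elif t["dkim_pass"] < t["count"] or t["spf_pass"] < t["count"]:
            t["status"] = "partial"   # delivered today, but one mechanism still needs fixing
        else:
            t["status"] = "ok"
    return dict(totals)

if __name__ == "__main__":
    for ip, t in sorted(summarize(SAMPLE_REPORT).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} n={t['count']:<5} dkim={t['dkim_pass']:<5} spf={t['spf_pass']:<5} {t['status']}")
```

A "fail" source is either a legitimate sender to fix before Step 3 or a spoofing source; a "partial" source is the forgotten-DKIM or missing-SPF case described above.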

Step 3: Move to p=quarantine

Once your legitimate sources are all passing, change your DMARC policy from p=none to p=quarantine:

v=DMARC1; p=quarantine; rua=mailto:your-collector@viewleaf.com;

Quarantine tells receiving mail servers to treat failing messages as suspicious. In practice, this usually means they land in spam rather than the inbox. It's the safety net stage. If something legitimate was misconfigured and you missed it in Step 2, it'll show up in spam folders rather than getting silently blocked.

Stay on p=quarantine for at least one to two weeks. Monitor your reports during this period. If your pass rates hold steady and nobody reports missing emails, you're ready for the final step.

Step 4: Move to p=reject

Change your policy to p=reject:

v=DMARC1; p=reject; rua=mailto:your-collector@viewleaf.com;

This tells mailbox providers to block any message that fails DMARC authentication. Spoofed email using your domain stops reaching inboxes entirely. Your domain becomes a much less attractive target for spammers, and your sending reputation is fully protected.

Don't forget your subdomains

One thing that catches people off guard: subdomains are governed by the sp= tag (subdomain policy). If you haven't set it, subdomains inherit the parent policy. But attackers know that most people overlook subdomains, and they'll spoof anything.yourdomain.com if the parent only covers yourdomain.com.

Once you're on p=reject for your root domain, add sp=reject to cover subdomains too:

v=DMARC1; p=reject; sp=reject; rua=mailto:your-collector@viewleaf.com;

What if something breaks?

Rolling back is easy. Change p=reject back to p=quarantine (or p=none if needed). DNS propagation is fast, usually minutes. There's no penalty for stepping back temporarily while you fix a misconfigured sender.

The most common post-enforcement issue is a forgotten sending service. Someone in the company starts using a new tool that sends email as your domain, and nobody updated SPF or DKIM. Your DMARC reports will show the failures clearly, so keep monitoring even after you've reached p=reject.

The timeline

For most domains, the full path looks like this: a few weeks on p=none to collect data and fix issues, one to two weeks on p=quarantine to confirm nothing breaks, then p=reject permanently. Start to finish, most B2B domains can get to full enforcement within a month.

If you're seeing authentication failures from unfamiliar regions or IP addresses you don't recognize during this process, those are almost certainly spoofing attempts, not configuration problems. That's exactly what you're about to stop.

