How to set up DMARC with a progressive policy (none → quarantine → reject)

Last updated May 19, 2026 | Deliverability

The right way to roll out DMARC is in three stages, not all at once. Each stage gives you time to observe what is happening and fix anything broken before increasing enforcement. Going straight to p=reject without observation is the classic mistake that blocks legitimate sales emails, password resets, and entire marketing campaigns.

Prerequisite: SPF and DKIM working first

DMARC enforces alignment with SPF or DKIM. If neither is set up, DMARC will fail every message you send, no matter how legitimate. Set up SPF and DKIM first.

Stage 1: `p=none` (monitoring)

Duration: at least 2 weeks, ideally 4 to 6.

Publish this TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; fo=1

  • p=none is observation only. Mail delivery is unaffected.
  • rua= sets where aggregate reports get sent (daily summaries).
  • ruf= sets where forensic reports get sent (individual failed messages, optional).
  • pct=100 applies the policy to 100% of mail (matters once you progress).
  • fo=1 requests forensic reports on any failure.

Watch the daily XML reports. Look for:

  • Sources you do not recognize (potential spoofers).
  • Legitimate platforms failing alignment because their SPF or DKIM is misconfigured.
  • Mailing-list services that forward your mail and break SPF alignment.

Fix everything before moving on. The DMARC-report XML is dense. Tools like dmarcian, Postmark, or Valimail parse it into readable dashboards.

Stage 2: `p=quarantine` (failed mail to spam)

Duration: 2 to 4 weeks.

Update the record to:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; fo=1

Now any unauthenticated mail claiming to be from your domain lands in spam folders. Watch reports for any legitimate sources still failing. Fix them by adjusting SPF, DKIM, or the alignment mode (adkim= / aspf=). Then move to the final stage.

Stage 3: `p=reject` (full enforcement)

Final state. Any unauthenticated mail claiming to be from your domain is bounced outright by receiving servers.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; fo=1

Once you are here, your domain has strong authentication. Spoofers cannot send as you. Your legitimate mail gets preferential treatment from Gmail, Yahoo, Microsoft, and the others. The trade-off is real, though: any legitimate sender you forgot to authenticate is now blocked. That is why the observation period in stages 1 and 2 matters.

Generator and checker

Build your record with our free DMARC record generator. Validate after publishing with the DMARC record checker.