Rolling Out DMARC Safely

Deploy DMARC without breaking your email. From p=none to p=reject.

DMARC is powerful, but rushing to p=reject can block legitimate email. This guide shows you how to safely deploy DMARC with proper monitoring at each stage.

Time required: 2-4 weeks (monitoring periods)
Prerequisites: SPF and DKIM already configured

Before You Start

Make sure SPF and DKIM are working correctly. DMARC requires at least one of these to pass and align. Test your current setup at /test before proceeding.

Phase 1: Monitor Mode (Week 1-2)

Start with a policy of p=none to collect reports without affecting email delivery.

Create the DMARC Record

# DNS record
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

What to Monitor

Within 24-48 hours, you'll start receiving aggregate reports. Look for:

  • Legitimate senders failing — Third-party services you forgot to configure
  • Alignment issues — SPF/DKIM passing but domain mismatch
  • Unknown senders — Could be spoofing or services you didn't know about
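
The three checks listed above can be run directly against a raw aggregate report. This is an added example, not part of the original guide and not MimeProtect's code: it labels each record as an aligned pass, a pass for a non-aligned domain, or a complete failure. The function names and the sample report are constructed for illustration, and the report is assumed to be already-decompressed XML in the RFC 7489 layout.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs and domains).
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
   <spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def classify(record):
    """'pass' = aligned pass, 'misaligned' = SPF/DKIM passed for another domain, 'fail' = nothing passed."""
    evaluated = record.find("row/policy_evaluated")  # DMARC verdicts, alignment included
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "pass"
    raw = [r.findtext("result") for r in record.findall("auth_results/*")]  # raw SPF/DKIM results
    return "misaligned" if "pass" in raw else "fail"

def summarize(xml_text):
    """Message counts keyed by (source_ip, header_from, status)."""
    if "<!DOCTYPE" in xml_text:  # reports come from outside parties; refuse DTDs (entity expansion)
        raise ValueError("DOCTYPE not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    for el in root.iter():  # some reporters add an XML namespace; strip it from tag names
        el.tag = el.tag.rsplit("}", 1)[-1]
    totals = Counter()
    for rec in root.iter("record"):
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"), classify(rec))
        totals[key] += int(rec.findtext("row/count"))
    return totals

if __name__ == "__main__":
    for (ip, from_dom, status), n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{ip:<15} {from_dom:<13} {status:<10} {n}")
```

Sources labelled misaligned are the alignment issues from the list above; sources labelled fail are either unconfigured services or unknown senders and need identifying before any enforcement.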

Let MimeProtect Parse Your Reports

Raw DMARC XML reports are hard to read. MimeProtect automatically processes your reports and shows you exactly what's passing, failing, and needs attention.

Fix Issues Before Moving On

Common fixes during this phase:

  • Add missing services to your SPF record
  • Enable DKIM for services that support it
  • Contact third parties about alignment issues

Phase 2: Gradual Quarantine (Week 3-4)

Once Phase 1 shows clean reports, start enforcing with quarantine at a low percentage.

Update the DMARC Record

# Start at 10%
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

# After a few days, increase to 25%
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

# Then 50%
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

# Then 100%
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

What Happens

At p=quarantine, failing emails go to spam/junk folders instead of the inbox. This lets you catch problems without emails being completely blocked.

Phase 3: Full Enforcement

After clean reports at p=quarantine; pct=100, move to reject.

Final DMARC Record

# Full enforcement with strict alignment
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@yourdomain.com

Record Breakdown

Tag         Value    Meaning
p=reject    reject   Block failing emails completely
sp=reject   reject   Same policy for all subdomains
adkim=s     strict   DKIM domain must exactly match From
aspf=s      strict   SPF domain must exactly match From

Timeline Summary

  • Weeks 1-2: p=none. Monitor reports, fix authentication issues, identify all senders
  • Weeks 3-4: p=quarantine (10% → 100%). Gradually enforce, monitor for complaints, fix any remaining issues
  • Week 5+: p=reject. Full protection, continue monitoring for new services

Ongoing Maintenance

After deployment, continue to:

  • Monitor DMARC reports for new issues
  • Update SPF/DKIM when adding new email services
  • Check reports after any email infrastructure changes
  • Review alerts for authentication failures

Next Steps