Quick Answer

Reaching DMARC p=reject pct=100 means rejecting all mail that fails DMARC alignment for your domain. The safe path: 4-8 weeks at p=none, 2-4 weeks at p=quarantine pct=100, 1-2 weeks at p=reject pct=10, then p=reject pct=100. Don't skip stages. Each stage validates that your legitimate sending is properly authenticated before the next tightening.

DMARC at 100% Reject: The Final Step

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-05-16

Getting to DMARC p=reject; pct=100 is the goal of any serious DMARC rollout. At that level, mail that fails DMARC alignment for your domain gets rejected outright by receiving mail servers — meaning attackers can't successfully spoof your domain. This guide covers the validation checks before the final cut, the staged rollout I use on client domains, and what to watch in the first 30 days after reaching full enforcement.

If you're earlier in the rollout, see DMARC none to reject and the DMARC setup guide first.

The staged rollout

The full progression looks like this:

| Stage | Record | Duration | Goal |
|---|---|---|---|
| 1 | p=none; rua=... | 4-8 weeks | Discover sources |
| 2 | p=quarantine; pct=10 | 1-2 weeks | Sample-test |
| 3 | p=quarantine; pct=100 | 2-4 weeks | Confirm at full quarantine |
| 4 | p=reject; pct=10 | 1-2 weeks | Sample-test reject |
| 5 | p=reject; pct=50 | 1-2 weeks | Mid-point check |
| 6 | p=reject; pct=100 | Ongoing | Full enforcement |

Total elapsed time: 12-20 weeks for most organizations. Faster only if you have very few sending sources and high confidence in identification.

Pre-flight checklist before p=reject pct=100

Before tightening to full reject, validate:

  1. All sending sources identified. Run aggregate reports through your parser. Every high-volume source IP should be a recognized sender you've authorized.

  2. SPF aligned for every authorized source. Check that the return-path domain shares an organizational domain with your From header. See SPF multiple providers for the combining pattern.

  3. DKIM signing on every authorized source. Each ESP should be signing with a key that's published in your DNS, and the d= tag should align with your From header (identical under strict alignment, or the same organizational domain under relaxed alignment).

  4. No critical mail flow at p=quarantine pct=100 going to spam. If you see legitimate mail in spam at p=quarantine, that mail will be rejected at p=reject. Fix it before tightening.

  5. DMARC reports stable for 14 days. No new unexpected sources appearing. No volume spikes from unknown IPs.

  6. Forwarders identified. University, association, and personal mailing list forwarders break SPF by design. If they're material to your business, set up ARC-aware paths or accept the loss.

  7. Subdomain policy explicit. Set sp=reject so attackers can't pivot to invented subdomains.

The actual DNS change

When ready, the final record looks like:

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:[email protected]; aspf=r; adkim=r"

Key tags:

  • p=reject — primary policy
  • sp=reject — same for subdomains
  • pct=100 — apply to all failing mail
  • rua=mailto: — keep aggregate reports flowing for ongoing visibility
  • aspf=r and adkim=r — relaxed alignment (default, but explicit)

Don't remove the rua= tag at any stage. You need ongoing visibility even after full enforcement to catch new shadow IT or attack patterns.
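The pre-flight checks on a record like the one above, together with the alignment rules from checklist items 2, 3 and 7, as an added Python example (not the author's tooling). The record text, the domains, the rua mailbox and the short public-suffix list are constructed placeholders; real tooling should use the full Public Suffix List for organizational-domain lookups.

```python
"""Pre-flight checks on a DMARC record plus DMARC identifier alignment of authorized sources.
Added example; the record, domains and suffix list below are constructed placeholders."""

# Toy stand-in for the Public Suffix List (assumption: only these multi-label suffixes exist).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed final record, shaped like the one in the article, with a placeholder rua mailbox.
FINAL_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r")


def organizational_domain(fqdn):
    """Return the organizational domain (toy PSL logic: last two labels, or three for known suffixes)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag names to values."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') an org-domain match."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def preflight(txt):
    """Findings against the pre-flight checklist for a p=reject pct=100 record; empty means ready."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("v=DMARC1 missing: receivers will ignore the record")
    if tags.get("p") != "reject":
        findings.append("p=%s is not reject" % tags.get("p"))
    if tags.get("sp") != "reject":
        findings.append("sp=reject not explicit: subdomain policy is inherited or weaker")
    if int(tags.get("pct", "100")) != 100:  # pct defaults to 100 when absent
        findings.append("pct=%s leaves part of the failing mail unenforced" % tags["pct"])
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("rua= missing: aggregate reports stop flowing")
    return findings


def source_alignment(tags, from_domain, spf_pass_domain, dkim_pass_d):
    """Evaluate one authorized source the way a receiver would.

    spf_pass_domain is the MAIL FROM domain that produced an SPF pass (None if SPF did not
    pass); dkim_pass_d is the d= of a DKIM signature that verified (None if none did).
    """
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_d is not None and aligned(from_domain, dkim_pass_d, tags.get("adkim", "r"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print("record findings:", preflight(FINAL_RECORD) or "none, ready for p=reject pct=100")
    tags = parse_dmarc(FINAL_RECORD)
    # Constructed sources: the second one authenticates, but only under the ESP's own domains,
    # so neither identifier aligns and DMARC fails even though SPF and DKIM both "passed".
    for src in [("example.com", "bounce.example.com", "example.com"),
                ("example.com", "esp-bounces.example.net", "esp-mail.example.net")]:
        print(src[1], source_alignment(tags, *src))
```

The second constructed source is the case checklist items 2 and 3 are about: raw SPF and DKIM passes are not enough, the passing domain has to align with the From header, and at p=reject pct=100 that mail is gone.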

What to expect in the first 7 days

After moving to p=reject; pct=100:

  • Spoofing attempts stop reaching inboxes. Aggregate reports continue showing the attempts; receivers reject them at the gateway.
  • Possible small drop in delivered mail. Any forwarded mail you didn't account for (mailing lists, etc.) will fail at receivers that strictly honor DMARC.
  • Internal complaints. Someone in finance forwards a vendor invoice through a personal mailing list, and it gets rejected on the way back. Track these and either fix the path or set expectations.
  • DMARC reports continue. Volume usually stays similar because receivers still report on attempted sends.

Practitioner note: The first week at p=reject pct=100 is when you find the last 5% of sources you missed. Watch the rua mailbox closely. The pattern is usually a low-volume internal-only vendor that was sending invoices or surveys without proper auth, going unnoticed during monitoring.

When to use pct gradually vs jump

Two schools of thought:

Conservative: pct=10 → pct=25 → pct=50 → pct=100 over 4-8 weeks.

Confident: pct=10 for one week to sample, then pct=100.

I default to confident when:

  • You have <10 sending sources, all clearly identified
  • DMARC reports have been stable for 30+ days
  • Spam folder rate at p=quarantine pct=100 was negligible
  • You have ops capacity to roll back quickly

I default to conservative when:

  • 25+ sending sources
  • Mixed shadow IT environment
  • Recent acquisitions or changes in IT vendor relationships
  • Compliance-regulated industry where mail loss is expensive

Monitoring after enforcement

Once at p=reject; pct=100, set up:

  1. Weekly aggregate report review. Look for new sources, volume changes.
  2. Postmaster Tools (Gmail) and SNDS (Microsoft) for any sending IPs. Reputation should remain green.
  3. Brand abuse monitoring. Tools like BrandShield, Mimecast, or even Google Alerts for "yourbrand.com" in phishing reports.
  4. Internal feedback loop. Tell support that DMARC rejections might surface as "we never got your email" — they should escalate to you for investigation.

For the report-reading workflow, see reading DMARC aggregate reports.
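The aggregate-report pass from checklist item 1, the "last 5% of sources" hunt from the practitioner note above and the weekly review in step 1 of the monitoring list, as an added Python example (not the author's parser). The report XML is constructed to the RFC 7489 aggregate shape, the IPs are documentation addresses, and the allow-list of authorized IPs is a placeholder for your own source inventory.

```python
"""Parse a DMARC aggregate (rua) report and triage the sources that fail DMARC.
Added example; the report, IPs and allow-list below are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report in the RFC 7489 aggregate XML shape (one week, one receiver).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>surveytool.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>25</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed allow-list: the IPs you have inventoried and authorized (your own source list goes here).
AUTHORIZED_IPS = {"192.0.2.10"}


def parse_report(xml_text):
    """Flatten each <record> into a dict with the evaluated and raw authentication results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        spf_auth = rec.find("auth_results/spf")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result as the receiver evaluated it
            "spf": evaluated.findtext("spf"),     # aligned SPF result
            "spf_raw": spf_auth.findtext("result") if spf_auth is not None else None,
        })
    return rows


def triage(rows, authorized_ips):
    """Return per-IP volume totals and a labelled list of the sources that failed DMARC."""
    totals = defaultdict(int)
    findings = []
    for r in rows:
        totals[r["ip"]] += r["count"]
        if r["dkim"] == "pass" or r["spf"] == "pass":
            continue  # DMARC pass: nothing to chase
        if r["ip"] in authorized_ips:
            label = "authorized source with an unauthenticated stream: fix SPF/DKIM on it"
        elif r["spf_raw"] == "pass":
            # Raw SPF passed for some other domain: a real mail system using your From header,
            # just not aligned. This is the low-volume vendor pattern from the practitioner note.
            label = "unauthorized sender with raw SPF pass: probable shadow IT or vendor"
        else:
            label = "no authentication at all: probable spoofing, rejection is working"
        findings.append((r["ip"], r["count"], r["disposition"], label))
    return dict(totals), findings


if __name__ == "__main__":
    totals, findings = triage(parse_report(SAMPLE_REPORT), AUTHORIZED_IPS)
    for ip, count, disposition, label in sorted(findings, key=lambda f: -f[1]):
        print(f"{ip:>15} {count:>6} {disposition:<10} {label}")
```

Sorting by volume puts the spoofing bucket first, which is the expected picture after enforcement; the rows to act on are the small ones with a raw SPF pass and the authorized IP that has sprouted an unsigned stream.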

BIMI: the reward for reaching reject

Brand Indicators for Message Identification (BIMI) requires p=quarantine or p=reject to display your logo in inboxes. Gmail, Yahoo, Apple Mail, and a growing list of clients support it. For setup details, see the BIMI setup guide.

Practitioner note: BIMI is the single best "soft selling point" for DMARC enforcement in client conversations. Marketing teams care about the logo display. They'll champion the DMARC rollout if they understand BIMI requires it. Use this if you're stuck on getting executive buy-in for the rollout.

Common reasons rollouts stall at quarantine

A surprising number of organizations make it to p=quarantine; pct=100 and then stall for months. Common reasons:

  1. Fear of breaking something. Address by reviewing 4 weeks of quarantine data — if no legit mail is being quarantined, reject is safe.
  2. One known broken source. A vendor that won't authenticate properly. Decide: replace, accept the breakage, or stay at quarantine.
  3. Lack of ownership. Nobody owns the DMARC rollout to its conclusion. Assign one person.
  4. Compliance hesitation. Sometimes regulated industries want extra validation. Document carefully and proceed.

If you're stuck at quarantine or planning the move to p=reject pct=100 and want a second pair of eyes on the pre-flight checks, book a consultation. I do DMARC rollouts from initial monitoring through full enforcement.

v1.0 · May 2026

Frequently Asked Questions

What is DMARC enforcement?

DMARC enforcement means the policy (`p=`) is set to quarantine or reject, telling receivers to actively act on failing mail. Enforcement is the opposite of p=none, which only collects reports without affecting delivery. The point of DMARC is enforcement — p=none is monitoring only.

Should I go to p=reject directly from p=none?

No. Stage through p=quarantine first to catch legitimate sources you missed in monitoring. The standard rollout is p=none for 4-8 weeks, p=quarantine pct=100 for 2-4 weeks, p=reject pct=10 for 1-2 weeks, then p=reject pct=100. Skipping stages risks blocking legitimate mail.

What does pct mean in DMARC?

The pct tag (percent) tells receivers what percentage of failing mail to apply the policy to. p=reject; pct=10 means reject 10% of failing mail; the other 90% gets the next-weaker treatment (in this case, p=quarantine). It's used during rollout to sample-test policy changes before full enforcement.
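A small Python model of that receiver behaviour, added here as an illustration rather than taken from the article: the sampled share of failing mail gets the published policy and the remainder gets the next-weaker one. The hash-based selection is an assumption, since RFC 7489 leaves the sampling method to the receiver; the message keys are constructed.

```python
"""Model how a receiver applies the DMARC pct tag to a stream of failing messages.
Added example; the selection method and message keys are assumptions."""
import hashlib

# pct applies the policy to the sampled share; the rest get the next-weaker disposition.
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(policy, pct, msg_key):
    """Disposition for one message that failed DMARC, under policy p=<policy> with pct=<pct>."""
    if policy not in NEXT_WEAKER:
        raise ValueError("unknown policy %r" % policy)
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    # Deterministic stand-in for the receiver's random sampling: bucket the message into 0..99.
    bucket = int(hashlib.sha256(msg_key.encode()).hexdigest(), 16) % 100
    return policy if bucket < pct else NEXT_WEAKER[policy]


def simulate(policy, pct, n=1000):
    """Count dispositions over n constructed failing messages."""
    counts = {}
    for i in range(n):
        d = disposition(policy, pct, "constructed-msg-%d" % i)
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    for policy, pct in [("reject", 10), ("reject", 50), ("reject", 100), ("quarantine", 10)]:
        print("p=%s; pct=%d ->" % (policy, pct), simulate(policy, pct))
```

The p=quarantine; pct=10 row is the one people miss: the 90% that is not sampled is delivered as if the policy were p=none, so a low pct at quarantine tells you very little about what full quarantine will do.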

How long should DMARC stay at p=quarantine before going to reject?

2-4 weeks at p=quarantine pct=100, assuming you've identified and authorized all legitimate sources. The quarantine stage catches sources that were missed at p=none and gives you a chance to fix them before reject blocks them entirely. If you see new fails during this period, hold and fix.

What if DMARC reject breaks legitimate mail?

It happens. Common cause: a shadow IT sender or third-party vendor sending from your domain without proper SPF/DKIM. Roll back to p=quarantine pct=100, identify the source through aggregate reports, authorize it (add to SPF or set up DKIM), wait for reports to confirm, then re-enforce p=reject.
