Advancing from p=none to p=reject takes 6-12 weeks. Spend 2-4 weeks at p=none monitoring aggregate reports. Fix all authentication gaps. Move to p=quarantine with pct=25 and gradually increase to 100%. After 2-4 clean weeks at quarantine, advance to p=reject with another gradual pct rollout. Never skip steps — each stage catches different problems.
Advancing from p=none to p=reject: The Safe Timeline
The Week-by-Week Timeline
Weeks 1-4: p=none (Monitor Only)
v=DMARC1; p=none; rua=mailto:[email protected]
Goal: Identify every service that sends email as your domain.
Review aggregate reports daily for the first week, then weekly. You're looking for:
- All authorized senders passing SPF and DKIM
- Any authorized senders failing authentication (fix these)
- Unknown senders (investigate — could be forgotten services or spoofing)
Checkpoint before advancing: Every legitimate sender passes at least one of SPF or DKIM alignment.
Weeks 5-6: p=quarantine; pct=25
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
Goal: Test enforcement with minimal impact.
Only 25% of failing messages go to spam. Watch reports and ask your team: "Is any email missing?" If a legitimate sender surfaces that you missed, fix it now.
Week 7: p=quarantine; pct=50
v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]
Increase enforcement. Continue monitoring.
Week 8: p=quarantine; pct=100
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]
Checkpoint: Stay here for at least 2 weeks. All DMARC-failing messages now go to spam. If no one reports missing email and reports look clean, you're ready for reject.
Practitioner note: The quarantine stage is where 80% of the problems surface. I've discovered forgotten SaaS tools, rogue marketing platforms, and even entire departments sending email through unauthorized services. Don't rush this phase.
Week 9-10: p=reject; pct=25, then pct=50
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]
Then increase to pct=50. The difference from quarantine: rejected messages don't land in spam — they're blocked entirely. The sender gets a bounce notification.
Week 11+: p=reject (Full Enforcement)
v=DMARC1; p=reject; rua=mailto:[email protected]
Remove the pct tag or set pct=100. You're now fully protected. Unauthorized email using your domain is rejected.
Common Gotchas at Each Stage
At p=none: Not identifying all senders. Use a DMARC monitoring tool — don't try to read raw XML.
At p=quarantine: Forgetting to check with non-technical teams. Sales, marketing, and support often use tools that send email as your domain.
At p=reject: Email forwarding failures. Users who forward your domain's email to another address will see failures. This is expected and manageable — DKIM and ARC handle most cases.
Practitioner note: I tell every client: send an email to the entire company before advancing to quarantine. "Does anyone use a service that sends email as [domain]? Reply to this email." You'll be shocked what comes back.
When to Roll Back
Roll back immediately if:
- Critical business email stops arriving (invoices, customer communications)
- A major ESP you use shows authentication failures
- You discover a sender you can't quickly authenticate
Rolling back is simple: change your DMARC record to a lower policy. DNS propagation is fast — most receivers pick up the change within hours.
If you want the advancement handled by someone who's done it hundreds of times, schedule a consultation. I manage the full timeline so you don't have to guess.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC)
- Google: Recommended DMARC rollout
- dmarcian: DMARC deployment guide
- M3AAWG: Best Practices for DMARC Deployment
v1.0 · April 2026
Frequently Asked Questions
How long does it take to go from p=none to p=reject?
Typically 6-12 weeks. Simple domains with one or two senders can go faster. Complex domains with many senders need the full timeline.
Can I skip p=quarantine and go straight to p=reject?
You can, but you shouldn't. Quarantine is your safety net — it sends failures to spam instead of blocking them entirely. This gives you a chance to catch issues before they become invisible rejections.
What's the biggest risk when advancing DMARC?
Forgetting a legitimate sender. The billing system, helpdesk, booking tool, or marketing platform that nobody told IT about. These only show up in aggregate reports.
What if I find a problem after moving to p=reject?
Roll back to p=quarantine or p=none immediately. Fix the authentication gap, verify in reports, then advance again. Rolling back is fast — just update the DNS record.
Do I need to advance all the way to p=reject?
For maximum protection, yes. p=quarantine still delivers spoofed email to spam folders. p=reject blocks it entirely. If you're protecting a brand from spoofing, p=reject is the goal.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.