Advancing from p=none to p=reject: The Safe Timeline

The Realistic Timeline

Most guides say "just publish p=reject" as if every domain has one email server and nothing else. In practice, a domain with 3-5 sending services needs at least 6 weeks to reach p=reject safely.

Here's the week-by-week plan:

Week	DMARC Record	What You're Doing
1-2	p=none; rua=mailto:...	Collecting baseline reports
3-4	p=none (still)	Fixing auth gaps, authorizing senders
5	p=quarantine; pct=25	Testing enforcement on 25% of failures
6	p=quarantine; pct=50	Expanding enforcement
7	p=quarantine; pct=100	Full quarantine — monitoring for issues
8+	p=reject	Full protection

Week 1-4: The Discovery Phase

Publish your initial record:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100

Use a DMARC report parser — don't read raw XML. You're looking for every IP that sends email using your domain. Cross-reference each one against your known sending services.

Common surprises at this stage:

• The CRM marketing team set up without telling IT
• Helpdesk or ticketing systems (Zendesk, Freshdesk)
• Billing systems sending invoices
• Form processors on your website
• Old services nobody uses anymore but still send occasionally

For each legitimate sender, ensure SPF includes their IPs and DKIM is properly configured and aligned.

Practitioner note: I've seen companies sit at p=none for 6 months because nobody owns the project. Set a calendar reminder. Two weeks of clean reports means you're ready to move — not six months of procrastination.

Week 5-7: The Quarantine Ramp

Update your record:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

At pct=25, only a quarter of failing messages get quarantined (sent to spam). The rest still deliver normally. Watch your reports for any legitimate senders appearing in the failure data.

Every week, increase: 25% to 50% to 100%.

Rollback plan: If a critical service starts failing, don't panic. Drop back to p=none temporarily, fix the authentication for that service, then resume at quarantine.

Practitioner note: The scariest jump is p=none to p=quarantine at pct=25 — not the final move to reject. By the time you've survived quarantine at 100%, reject is just flipping a switch. The hard work is already done.

Week 8+: Enforce p=reject

v=DMARC1; p=reject; rua=mailto:[email protected]

Your domain is now protected against spoofing. Unauthorized email using your domain gets rejected entirely. Keep monitoring reports — new services get added, employees install tools, and things change.

Don't Forget Subdomains

Set the sp= tag to control subdomain policy. If you only enforce the organizational domain, attackers can still spoof anything.yourdomain.com.

Practitioner note: About 40% of my consulting engagements start because someone rushed to p=reject and broke their transactional email. The timeline exists for a reason. If your business can't afford email disruptions, schedule a consultation and I'll manage the advancement for you.

Sources

• RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
• Google: DMARC Setup
• dmarcian: DMARC Policy Ramp-up
• M3AAWG: Best Practices for DMARC Deployment

---

v1.0 · April 2026