
DMARC Rollout Playbook

A safe, step-by-step guide to rolling out DMARC from p=none to p=reject. Includes pct ramp-up schedule and monitoring at every stage.

January 27, 2026

Rolling out DMARC incorrectly can break your email delivery. This playbook walks you through each stage safely, with monitoring and validation at every step.

Why you can't just set p=reject on day one

If you publish p=reject without understanding your email ecosystem first, you'll block legitimate mail. Third-party services (marketing tools, ticketing systems, transactional email providers) may send email on your behalf without aligned authentication: SPF often passes only for the provider's own bounce domain, and DKIM may be signed with the provider's domain rather than yours. Neither counts for DMARC, so jumping straight to reject can silently break these flows.

Stage 1: Discovery (p=none with reporting)

Start with a monitoring-only DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

This tells mailbox providers to send you aggregate reports about who is sending email as your domain and whether those messages pass or fail authentication. It doesn't affect mail delivery at all. If the rua= address is on a different domain than the one publishing the record, that other domain must publish a TXT record at yourdomain.com._report._dmarc.<other-domain> containing v=DMARC1, or most receivers will refuse to send reports there.

What to do during this stage:

  • Collect reports for 2-4 weeks to build a complete picture of your sending ecosystem
  • Identify all legitimate senders (your own servers, third-party services, partners)
  • Fix any SPF or DKIM configuration issues that cause alignment failures
  • Document which services send as your domain and ensure they're properly authenticated
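The discovery stage only works if you actually read the aggregate reports. The following is an added example, not code from the original post or from DNS Doctors: it parses the RFC 7489 Appendix C report XML and summarises, per sending IP, how much mail passed DMARC (aligned SPF or aligned DKIM) and which domains and selectors each source authenticated with, which is what you use to map an IP to a known service. The embedded report is constructed sample data with hypothetical IPs and domain names; real reports arrive as .xml.gz or .zip attachments and must be decompressed first.

```python
"""Summarise a DMARC aggregate (RUA) report by sending source.

policy_evaluated carries the receiver's *aligned* SPF/DKIM verdicts (what
DMARC scores); auth_results carries the raw results, which show which
domain and selector a source signed or passed SPF with, i.e. who it is.
"""
import xml.etree.ElementTree as ET

# Constructed sample report (hypothetical receiver, IPs and ESP names).
# Source 2 is a legitimate ESP: SPF passes for its own bounce domain (not
# aligned) but DKIM is signed as yourdomain.com, so DMARC passes.
SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>esp</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return {'domain': ..., 'sources': {ip: {total, pass, fail, ...}}}."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"), "sources": {}}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned identifier passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = summary["sources"].setdefault(ip, {
            "total": 0, "pass": 0, "fail": 0,
            "header_from": set(), "dkim_domains": set(), "spf_domains": set()})
        src["total"] += count
        src["pass" if passed else "fail"] += count
        src["header_from"].add(rec.findtext("identifiers/header_from"))
        # Raw results: the domain/selector a source used identifies the sender.
        for dkim in rec.iterfind("auth_results/dkim"):
            src["dkim_domains"].add(
                f"{dkim.findtext('domain')} (s={dkim.findtext('selector')}, {dkim.findtext('result')})")
        for spf in rec.iterfind("auth_results/spf"):
            src["spf_domains"].add(f"{spf.findtext('domain')} ({spf.findtext('result')})")
    return summary


def failing_sources(summary):
    """IPs with DMARC-failing mail, largest failing volume first. Each one
    needs a decision: fix its authentication, or confirm it is not yours."""
    failing = [(ip, s["fail"]) for ip, s in summary["sources"].items() if s["fail"]]
    return [ip for ip, _ in sorted(failing, key=lambda item: -item[1])]


if __name__ == "__main__":
    report = summarize_report(SAMPLE_RUA_XML)
    for ip, src in report["sources"].items():
        print(ip, src["total"], "pass:", src["pass"], "fail:", src["fail"],
              "dkim:", sorted(src["dkim_domains"]), "spf:", sorted(src["spf_domains"]))
    print("needs attention:", failing_sources(report))
```

Run against a week of reports and the per-IP DKIM and SPF domains tell you which IPs belong to your own servers, which to a provider you recognise, and which are unknown senders you never authorised; only the last group should still be failing when you move to enforcement.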

Stage 2: Soft enforcement (p=quarantine with pct)

Once you've identified and fixed authentication issues, start enforcing gradually:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

pct=10 tells receivers to apply the quarantine policy to a random 10% of messages that fail DMARC; quarantine means "treat as suspicious", which in practice usually means the spam folder. The other 90% of failing messages are handled with the next-weaker policy (here, none), so they are delivered as if you were still monitoring. Messages that pass DMARC are never affected by pct. This gives you a safety net: if something is misconfigured, only a small fraction of that sender's mail is affected.

Ramp-up schedule:

  • Week 1: pct=10 — monitor reports for new failures
  • Week 2: pct=25 — if no issues, increase coverage
  • Week 3: pct=50 — half of failing mail now quarantined
  • Week 4: pct=100 — full quarantine enforcement

At each step, review DMARC aggregate reports. If you see legitimate senders failing, pause and fix the authentication before continuing.

Stage 3: Full enforcement (p=reject)

After running at p=quarantine; pct=100 for at least 2 weeks with no legitimate failures (if you want one more buffer, you can ramp p=reject with pct as well; failing mail not selected by pct is then quarantined rather than rejected):

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

This is the goal state. Participating mailbox providers will reject any message that fails DMARC, that is, any message for which neither SPF nor DKIM passes with an identifier aligned to your From: domain, usually at SMTP time. Receivers may still apply local overrides (for example for mail arriving via a trusted mailing list), so this is strong, not absolute, protection against domain spoofing and phishing.
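The pct ramp in Stage 2 and the move to p=reject in Stage 3 both rest on how a receiver turns your record into a disposition for one message. As an added example (not code from the original post or from DNS Doctors), the following implements that evaluation from RFC 7489: identifier alignment under aspf/adkim relaxed or strict, the sp= subdomain policy, and the pct sampling rule, which sends an unselected failing message to the next-weaker policy (reject to quarantine, quarantine to none). The organizational-domain function is a deliberate simplification that takes the last two labels; real receivers use the Public Suffix List. All domain names are hypothetical.

```python
"""Work out the disposition a DMARC-checking receiver applies to one message.

Implements identifier alignment (RFC 7489 section 3.1), the sp= subdomain
policy, and the pct sampling rule of section 6.6.4: a failing message not
selected by pct gets the next-weaker policy, so p=quarantine; pct=10 means
10% quarantined and 90% treated as none, while p=reject; pct=50 means 50%
rejected and 50% quarantined (never delivered untouched).
"""
from collections import Counter


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(name):
    # Simplifying assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List (needed for co.uk etc.).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Relaxed (r): same organizational domain. Strict (s): exact match."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_passes(rec, header_from, spf_domain=None, spf_result="none",
                 dkim_domain=None, dkim_result="none"):
    """DMARC passes if SPF passed AND aligned, or DKIM passed AND aligned.
    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= tag."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, rec["adkim"])
    return spf_ok or dkim_ok


NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(rec, policy_domain, header_from, passed, sample):
    """policy_domain is the domain the record was found at; header_from is
    assumed to be that domain or one of its subdomains. sample is the
    receiver's random draw in [0, 100); the message is selected for the
    published policy when sample < pct."""
    if passed:
        return "none"
    is_subdomain = header_from.lower() != policy_domain.lower()
    policy = (rec["sp"] if is_subdomain else rec["p"]).lower()
    if sample < int(rec["pct"]):
        return policy
    return NEXT_WEAKER[policy]


def pct_outcome(record, policy_domain="yourdomain.com"):
    """Disposition counts for 100 failing messages, one per sample value 0..99,
    i.e. exactly what a pct setting does to failing mail in the long run."""
    rec = parse_dmarc(record)
    return dict(Counter(disposition(rec, policy_domain, policy_domain, False, s)
                        for s in range(100)))


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; pct=10", "v=DMARC1; p=reject; pct=50",
                "v=DMARC1; p=reject"):
        print(rec, "->", pct_outcome(rec))
```

The alignment functions also show why an ESP that passes SPF only for its own bounce domain is fine as long as it signs DKIM with d=yourdomain.com, and why switching adkim to strict breaks mail sent from a subdomain but signed by the organizational domain.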

Ongoing monitoring

DMARC rollout doesn't end at p=reject. Your email ecosystem changes constantly — new services get added, providers rotate DKIM keys, employees set up new sending tools. Continuous monitoring catches these changes before they break delivery:

  • Review aggregate reports weekly for new failures
  • Set up alerts for authentication regressions (a previously-passing sender starts failing)
  • Re-verify authentication when adding new sending services
  • Monitor SPF lookup count — include, a, mx, ptr, exists and redirect= each cost a DNS lookup, and RFC 7208 caps them at 10 per evaluation. One more include from a new vendor can push you over; the result is permerror, SPF stops passing, and DMARC is left relying on DKIM alone
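The SPF lookup limit is easy to breach without noticing because the cost is hidden inside the records your vendors publish. As an added example (not code from the original post or from DNS Doctors), the following counts the lookups an SPF record triggers by following include and redirect chains the way an evaluator does. It resolves against a constructed table of TXT records with hypothetical vendor names rather than live DNS, so it runs offline; swap the resolve callable for a real TXT query to check your own domain.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208 section 4.6.4).

include, a, mx, ptr, exists and the redirect= modifier each cost one lookup,
and include/redirect are followed into the referenced record. More than 10
in one evaluation yields permerror, so SPF silently stops passing.
"""

# Constructed zone data standing in for DNS TXT answers (hypothetical names).
# A typical drift: three vendors, each of which nests its own includes.
TXT = {
    "yourdomain.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.esp.example "
                      "include:_spf.crm.example include:spf.ticketing.example -all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.esp.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 include:_n1.crm.example include:_n2.crm.example ~all",
    "_n1.crm.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_n2.crm.example": "v=spf1 exists:%{i}.sp.crm.example ~all",
    "spf.ticketing.example": "v=spf1 redirect=_spf.ticketing.example",
    "_spf.ticketing.example": "v=spf1 a mx ptr ~all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10


def count_spf_lookups(domain, resolve, path=()):
    """Return (total_lookups, trail); trail lists (record_domain, term, cost)."""
    if domain in path:  # include/redirect loop: an evaluator would permerror
        return 0, [(domain, "loop detected", 0)]
    record = resolve(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [(domain, "no SPF record (permerror when included)", 0)]
    total, trail = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            mech, target = "redirect", term[len("redirect="):]
        else:
            mech, _, target = term.partition(":")
            mech = mech.split("/")[0].lower()  # 'a/24' -> 'a'
            target = target.split("/")[0]      # 'a:host/24' -> 'host'
        if mech in LOOKUP_MECHANISMS or mech == "redirect":
            total += 1
            trail.append((domain, term, 1))
        if mech in ("include", "redirect"):
            sub_total, sub_trail = count_spf_lookups(target, resolve, path + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def spf_lookup_report(domain, resolve=TXT.get):
    """Summarise the lookup budget for a domain; over_limit means permerror."""
    total, trail = count_spf_lookups(domain, resolve)
    return {"domain": domain, "lookups": total, "over_limit": total > LIMIT, "trail": trail}


if __name__ == "__main__":
    result = spf_lookup_report("yourdomain.com")
    for record_domain, term, cost in result["trail"]:
        print(f"{record_domain:28} {term:40} {cost}")
    print(f"total {result['lookups']} / {LIMIT}  over limit: {result['over_limit']}")
```

The trail output is the useful part: it shows which vendor's nested includes consume the budget, which is what you need when deciding whether to flatten a record or move a service to its own subdomain.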

Common rollout mistakes

  • Skipping p=none: Going straight to quarantine/reject without understanding your senders
  • Ignoring reports: Publishing rua= but never looking at the reports
  • Forgetting subdomain policy: Subdomains inherit p= unless you publish sp=. If a subdomain sends mail that isn't aligned yet, sp=none lets you enforce on the organizational domain without breaking it; once everything aligns, remove that override so non-sending subdomains can't be spoofed either
  • Not testing forwarding: Mailing lists and forwarders can break DKIM/SPF alignment
  • Staying at p=none forever: Monitoring without enforcement provides no protection
Need help with this?
DNS Doctors offers continuous monitoring and white-glove managed DNS. Free tools to start, managed plans to keep it healthy.