How to implement DMARC p=reject policy safely, especially when using ESPs like Mailchimp and GetResponse?
Matthew Whittaker
Co-founder & CTO, Suped
Published 23 Apr 2025
Updated 16 Aug 2025
6 min read
Implementing a DMARC p=reject policy is a significant step towards securing your email ecosystem and protecting your domain's reputation. It instructs receiving mail servers to refuse messages that fail DMARC authentication, which stops unauthorized use of your domain for phishing and spoofing at the SMTP level. Enforcement at p=quarantine or p=reject is also a prerequisite for BIMI (Brand Indicators for Message Identification), which lets participating mailbox providers display your logo next to authenticated mail.
However, transitioning to p=reject requires careful planning, especially when you send emails through third-party Email Service Providers (ESPs) like Mailchimp and GetResponse. A misstep can lead to legitimate emails being rejected, causing significant deliverability issues. The key is a gradual, data-driven approach, ensuring all your valid mail streams are properly authenticated before moving to the strongest policy.
DMARC passes when at least one of SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) both passes and aligns with the domain in the message's From: header. Having both aligned is ideal because they fail in different situations: SPF breaks when a message is forwarded, while DKIM breaks when the body or signed headers are modified in transit. When an ESP is involved, DKIM alignment is usually the one you can actually achieve.
Many ESPs, including Mailchimp, put their own domain in the Return-Path (the SMTP MAIL FROM). SPF is evaluated against that domain, so the check passes for the ESP's domain, but the domain that passed is not your From: domain, and the result does not align for DMARC. This is a common point of confusion: adding the ESP's include: to your own SPF record does nothing for this stream, because your record is never the one consulted. If your DMARC reports show SPF passing for an unfamiliar domain next to a DMARC SPF alignment failure, this is usually the cause.
When SPF alignment is not available, DKIM alone carries your DMARC pass. Make sure the ESP signs your mail with a DKIM key published under your own domain (usually via DNS records, often CNAMEs, that the ESP asks you to add), so the d= domain in the signature aligns with your From: domain. If aligned DKIM passes consistently across every sending source, you are in a good position to move to a stricter policy.
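The check described above, run against an aggregate report, as an added example (this is not code from the original article or from any ESP): it parses the RFC 7489 Appendix C XML layout, computes identifier alignment itself from auth_results and header_from, and flags the ESP pattern where SPF passes for the ESP's Return-Path domain but does not align. The report, IPs, domains and selector are constructed placeholders, and the organizational-domain helper is simplified to the last two labels; real tooling must use the Public Suffix List.

```python
"""Parse a DMARC aggregate (RUA) report and explain, per source IP, why
each stream passed or failed: which identifier aligned, and whether SPF
passed only for an unaligned Return-Path domain (the ESP case). The
report is a constructed sample in the RFC 7489 Appendix C layout; the
domains, selector and addresses are placeholders, not real senders."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <!-- 1: ESP signs with the customer key but uses its own Return-Path domain -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- 2: forwarded mail: SPF fails at the forwarder, the DKIM signature survives -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <!-- 3: unauthenticated source: no DKIM signature, SPF fails for the From domain -->
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain, simplified (assumption) to the last two labels.
    Real tooling must consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate_record(rec, adkim, aspf):
    """Recompute the DMARC result for one <record> from its raw auth results."""
    header_from = rec.findtext("identifiers/header_from")
    dkim_results = rec.findall("auth_results/dkim")
    spf_results = rec.findall("auth_results/spf")
    dkim_aligned = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from, adkim)
                       for d in dkim_results)
    spf_aligned = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from, aspf)
                      for s in spf_results)
    spf_pass_domains = [s.findtext("domain") for s in spf_results if s.findtext("result") == "pass"]
    spf_pass_unaligned = bool(spf_pass_domains) and not spf_aligned
    passed_via = [name for name, ok in (("dkim", dkim_aligned), ("spf", spf_aligned)) if ok]
    notes = []
    if spf_pass_unaligned:
        notes.append("SPF passed for " + ", ".join(spf_pass_domains) + " but that is not the From domain (ESP Return-Path)")
    if not dkim_results:
        notes.append("no DKIM signature at all: configure DKIM at this sender")
    return {
        "source_ip": rec.findtext("row/source_ip"),
        "count": int(rec.findtext("row/count")),
        "header_from": header_from,
        "dmarc": "pass" if passed_via else "fail",
        "passed_via": passed_via,
        "spf_pass_unaligned": spf_pass_unaligned,
        "disposition": rec.findtext("row/policy_evaluated/disposition"),
        "notes": notes,
    }


def analyze(report_xml):
    """Evaluate every record using the alignment modes the domain published."""
    root = ET.fromstring(report_xml)
    adkim = root.findtext("policy_published/adkim", default="r")
    aspf = root.findtext("policy_published/aspf", default="r")
    return [evaluate_record(r, adkim, aspf) for r in root.findall("record")]


def compliance(results):
    """Message counts by DMARC outcome: the number to watch before tightening the policy."""
    totals = Counter()
    for r in results:
        totals[r["dmarc"]] += r["count"]
    return totals


if __name__ == "__main__":
    results = analyze(SAMPLE_REPORT)
    for r in results:
        via = ",".join(r["passed_via"]) or "-"
        print(f"{r['source_ip']:15} {r['count']:5} DMARC {r['dmarc']:4} via {via:5} {'; '.join(r['notes'])}")
    print("totals:", dict(compliance(results)))
```

In the constructed report the ESP stream (192.0.2.10) passes DMARC purely through aligned DKIM while SPF passes for bounce.esp-example.net, the forwarded stream passes because the DKIM signature survived, and the third source fails outright; a real report will contain dozens of such rows, and the sources that fail while sending your legitimate mail are the ones to fix before moving past p=none.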
The phased approach to DMARC p=reject
The safest path to p=reject is a phased one. Start with p=none, which monitors without affecting delivery, and publish rua= so you receive aggregate reports; you can also request failure reports with ruf=, but few large mailbox providers send them, so plan around the aggregate data. The reports identify every source sending as your domain and show which streams pass DMARC and which fail. Every failure from a legitimate source must be fixed, usually by configuring DKIM (or an aligned Return-Path for SPF) with the ESP or system in question.
Once every legitimate stream authenticates and aligns consistently, move to p=quarantine. Receivers then put failing mail in the spam or junk folder instead of rejecting it, which catches any sending source you missed or any configuration error without blocking important mail outright. Stay at p=quarantine and keep reading the reports for another two to three weeks, until failures from legitimate sources are negligible.
When the reports show legitimate traffic at or near 100% compliance under p=quarantine, you are ready for p=reject. For an even more cautious rollout, use the pct= tag to apply the policy to a sample of failing messages (e.g. pct=10) and raise it as you confirm there is no collateral damage. Note how pct works: messages not selected for the stated policy get the next weaker one, so p=reject; pct=10 rejects about 10% of failing mail and quarantines the rest, while p=quarantine; pct=10 lets 90% of failing mail through unchanged.
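The whole rollout above as working code, an added example rather than anything from the article or an ESP: it builds the _dmarc TXT record for each phase, parses records the way a receiver does, applies the pct= sampling rule of RFC 7489 section 6.6.4 to a message that has already failed DMARC, and produces the external-destination authorization record that RFC 7489 section 7.1 requires when rua= points at another domain (a monitoring vendor, for instance). The domain, report addresses and phase percentages are placeholders, and the organizational-domain helper is simplified to the last two labels.

```python
"""Model a phased DMARC rollout: build the record for each phase, parse
records like a receiver, and apply the pct= sampling rule (RFC 7489 6.6.4)
to a message that has already failed DMARC. Domains, report addresses and
the phase percentages are placeholders chosen for illustration."""
from collections import Counter

# Phases from the text: monitor, quarantine, then reject at a rising percentage.
ROLLOUT = [
    ("monitor", "none", 100),
    ("quarantine", "quarantine", 100),
    ("reject-10pct", "reject", 10),
    ("reject-50pct", "reject", 50),
    ("reject", "reject", 100),
]


def org_domain(name):
    """Organizational domain, simplified (assumption) to the last two labels;
    production code must use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def build_record(p, rua, pct=100, adkim="r", aspf="r"):
    """TXT value for _dmarc.<domain>; pct is only emitted when not the default."""
    tags = [("v", "DMARC1"), ("p", p)]
    if pct != 100:
        tags.append(("pct", str(pct)))
    tags += [("adkim", adkim), ("aspf", aspf), ("rua", f"mailto:{rua}")]
    return "; ".join(f"{k}={v}" for k, v in tags)


def rollout_records(domain, rua):
    """(phase, DNS name, TXT value) for each step of the rollout."""
    return [(phase, f"_dmarc.{domain}", build_record(p, rua, pct)) for phase, p, pct in ROLLOUT]


def parse_record(txt):
    """Parse a DMARC TXT record into a dict; pct becomes an int, defaulting to 100."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid DMARC record: {txt!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    tags["pct"] = pct
    return tags


def disposition(record, sample):
    """Action a receiver takes on a message that FAILED DMARC. `sample` is the
    receiver's random draw in [0, 100): the published policy applies when
    sample < pct, otherwise the next weaker policy applies (reject ->
    quarantine, quarantine -> none), per RFC 7489 section 6.6.4."""
    p, pct = record["p"], record["pct"]
    if sample < pct:
        return p
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[p]


def simulate(record, failed_messages=1000):
    """Spread failing messages evenly over all sample values to show the mix of
    dispositions a pct<100 policy produces."""
    return Counter(disposition(record, i % 100) for i in range(failed_messages))


def external_report_authorization(domain, rua):
    """rua= addresses outside the domain's organizational domain are ignored by
    receivers unless the receiving domain publishes an authorization TXT record
    (RFC 7489 section 7.1). Returns (name, value) or None when none is needed."""
    rua_domain = rua.rsplit("@", 1)[1]
    if org_domain(rua_domain) == org_domain(domain):
        return None
    return (f"{domain}._report._dmarc.{rua_domain}", "v=DMARC1")


if __name__ == "__main__":
    for phase, name, txt in rollout_records("example.com", "dmarc-rua@example.com"):
        print(f'{phase:13} {name} TXT "{txt}"')
        print("              dispositions of failing mail:", dict(simulate(parse_record(txt))))
    print(external_report_authorization("example.com", "dmarc@monitor.example"))
```

The simulation makes the pct caveat concrete: the reject-10pct record still quarantines 90% of failing mail, so a source you missed will show up in spam folders, not as bounces, and the aggregate reports for that phase are where you will see it. If you route reports to a vendor domain, publish the authorization record the last line prints at that vendor (most services document this), or the reports never arrive.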
Final thoughts on DMARC enforcement
Risks of p=reject
While p=reject offers strong protection, there is always a residual risk to legitimate mail. Forwarding is the usual cause: the forwarder's server fails SPF for your domain, and if it also modifies the message (a mailing list adding a footer, for example) the DKIM signature breaks too, so the message fails DMARC. Under p=reject such a message is refused at SMTP time rather than silently discarded, but the bounce goes to the forwarding server or the envelope sender (the ESP's bounce address, when an ESP sent it), so you may only learn about it when the recipient complains. ARC (RFC 8617) lets forwarders pass along the authentication results they saw, and the large mailbox providers increasingly honor it, but coverage is not universal. This is the trade-off for the added security: brief your customer service representatives that "I never got the email" complaints may rise slightly and should be escalated.
Importance of DMARC reporting
Crucially, DMARC reports are your eyes and ears. Aggregate (RUA) reports are XML files, typically sent daily by each mailbox provider, listing every source IP that sent mail as your domain, how many messages it sent, and whether SPF and DKIM passed and aligned; failure (RUF) reports are per-message samples that few providers send. Google Postmaster Tools gives a useful overview, but only of what Google sees. For full visibility, collect and analyze reports from every mailbox provider that sends them.
Continuous monitoring and adjustments
Keep monitoring these reports after moving to p=reject. Unexpected failures usually mean a new sending source was set up without DKIM, a DNS problem (an expired or mis-published selector record, a zone outage), or a DKIM key rotation where the old selector was removed before every server stopped signing with it. Regular review lets you find and fix such issues before they hurt deliverability or sender reputation.
For specific ESPs like Mailchimp and GetResponse, understanding their nuances is essential. Mailchimp, for instance, has a known behavior where it uses its own domain in the Return-Path. This means that while your DKIM signature (if properly set up via Mailchimp) will align, your SPF will not. Therefore, with Mailchimp, you will largely rely on DKIM for DMARC alignment to pass.
GetResponse, on the other hand, may let you use your own domain in the Return-Path, which is what SPF alignment actually requires; the include: they have you add to your SPF record is needed for that SPF check to pass but does not produce alignment on its own. Consult their documentation or support to confirm their current DMARC guidance. For any third-party sender, authenticate with both SPF and DKIM where possible, and make sure each one aligns with your organizational domain for DMARC.
Where an ESP supports a custom Return-Path (bounce) domain under your own domain, both SPF and DKIM can align; the provider's documentation will say whether it does.
Implementing DMARC p=reject is a powerful way to protect your domain from impersonation and enhance your email deliverability. While it can feel daunting, especially with multiple sending platforms, a careful, phased approach minimizes risks. Focus on achieving solid DKIM alignment across all your ESPs, start with p=none for monitoring, then graduate to p=quarantine before moving to p=reject. Continuous monitoring of your DMARC reports is non-negotiable for ongoing success.
By following these steps, you can safely enforce a strong DMARC policy, protect your brand, and ensure your legitimate emails reach their intended recipients without being blocked or diverted to spam folders, improving your overall sender reputation and security posture.
Best practices
Start with a p=none policy to gather comprehensive DMARC reports for all email streams.
Ensure DKIM authentication is correctly set up and aligning for all sending sources, especially ESPs.
Transition to p=quarantine for several weeks, monitoring reports closely for any legitimate email failures.
Use the pct= tag to gradually increase the enforcement percentage of your p=reject policy.
Communicate potential changes in email delivery to your customer support team.
Common pitfalls
Skipping the p=none or p=quarantine stages and jumping directly to p=reject, risking legitimate email rejection.
Not accounting for SPF alignment failures caused by ESPs using their own domain in the Return-Path (MAIL FROM).
Relying solely on Google Postmaster Tools for DMARC reports, missing data from other mailbox providers.
Underestimating the impact of email forwarding on DKIM signatures and DMARC authentication.
Failing to continuously monitor DMARC reports after implementing p=reject, missing new issues.
Expert tips
Prioritize DKIM alignment with your primary domain for ESPs, as SPF alignment may not always be feasible.
Implement a DMARC monitoring solution that aggregates reports from all major mailbox providers.
If you encounter SPF alignment issues with an ESP, focus on perfecting DKIM for DMARC pass.
Be prepared to explain to internal teams that DMARC p=reject may occasionally impact forwarded emails.
Regularly review your DMARC aggregate reports to identify new sending sources or configuration drift.
Expert view
Expert from Email Geeks says that technically, you want both SPF and DKIM to align for robust email authentication, but if DKIM is consistently aligned and passing across all sending sources, it is sufficient for DMARC. Moving to p=reject is fine if your DMARC data looks good over several weeks or months, but investigate unexpected SPF non-alignment.
2022-01-03 - Email Geeks
Expert view
Expert from Email Geeks says that a key caveat for DMARC is that DNS or other issues can prevent DKIM from validating, so ensure you allow a few days when rotating DKIM keys before deprecating old ones.
2022-01-03 - Email Geeks
Implementing DMARC p=reject is a powerful step towards a more secure and reliable email presence. By understanding how DMARC works with ESPs like Mailchimp and GetResponse, adopting a careful phased rollout, and meticulously monitoring your DMARC reports, you can confidently achieve the highest level of email authentication. This protects your brand, reduces the risk of phishing, and ultimately improves your email deliverability rates.