How to implement DMARC p=reject policy safely to avoid email deliverability issues?

Michael Ko
Co-founder & CEO, Suped
Published 3 May 2025
Updated 19 Aug 2025
6 min read
Implementing a DMARC (Domain-based Message Authentication, Reporting, and Conformance) p=reject policy is a crucial step for securing your email domain against spoofing and phishing attacks. It tells receiving mail servers to reject (block) messages that fail DMARC, that is, messages for which neither SPF nor DKIM passes with a domain aligned to the visible From: address. While highly effective for security, moving directly to p=reject without proper preparation can cause legitimate emails to be rejected, leading to significant deliverability issues.
The key is a cautious, phased approach, ensuring all legitimate email sources are properly authenticated and aligned before moving to the strictest enforcement. This guide will walk you through the steps to safely implement DMARC p=reject, minimizing the risk of impacting your email deliverability.

Understanding DMARC policies

DMARC policies dictate how receiving mail servers should handle emails from your domain that fail authentication checks (SPF and DKIM). There are three primary policies, each offering a different level of enforcement, which are typically progressed through gradually.
The initial and safest policy is p=none, which monitors email streams without affecting delivery. This allows you to collect DMARC aggregate reports, which provide invaluable insights into who is sending email on behalf of your domain, and whether those emails are passing or failing authentication. Once you have a clear picture, you can consider moving to p=quarantine. This policy instructs receiving servers to place unauthenticated emails into the recipient's spam or junk folder, rather than outright rejecting them. It's a useful intermediate step to test the impact before full rejection.
Finally, p=reject is the strongest policy, directing receiving mail servers to outright refuse emails that fail DMARC authentication. This provides the highest level of protection against malicious use of your domain, but it requires thorough preparation to prevent legitimate mail from being blocked. You can learn more about when to use each DMARC policy here.

| Policy | Action | Impact on Deliverability | Security Level |
| --- | --- | --- | --- |
| p=none | Monitor and report only. | No impact on legitimate mail delivery. Great for initial setup. | Lowest protection against spoofing. Good for visibility. |
| p=quarantine | Mail failing DMARC is moved to spam/junk. | Potential for legitimate mail to go to spam. Requires monitoring. | Moderate protection, deters some spoofing. |
| p=reject | Mail failing DMARC is rejected outright. | High risk of blocking legitimate mail if not configured correctly. | Highest protection against email spoofing and phishing. |

The phased approach to p=reject

The safest way to implement DMARC p=reject is through a phased rollout. This minimizes the risk of inadvertently blocking legitimate emails. I recommend starting with p=none and closely monitoring your DMARC reports. This stage is critical for identifying all legitimate sending sources for your domain, including transactional emails, marketing platforms, and third-party services. Ensure that all these sources are properly authenticated with SPF and DKIM and achieve DMARC alignment.

Phased rollout for a secure DMARC policy

  1. Step 1: Publish a DMARC record with p=none and aggregate report (RUA) tags.
  2. Step 2: Monitor DMARC reports (RUA and RUF) for several weeks to identify all legitimate email sending sources.
  3. Step 3: Ensure all legitimate email sources are properly authenticated with SPF and DKIM records, and that they achieve DMARC alignment.
  4. Step 4: Once satisfied with authentication rates, gradually transition to p=quarantine, potentially using the pct tag for a percentage-based rollout.
  5. Step 5: Continue monitoring reports with p=quarantine, increasing the pct value over time (e.g., 25%, 50%, 75%, 100%).
  6. Step 6: Once satisfied with no negative impact from p=quarantine, transition to p=reject, again potentially using the pct tag.
The pct tag allows you to specify what percentage of emails failing DMARC should be subjected to the policy (quarantine or reject). This is invaluable for gradually increasing enforcement. For example, p=quarantine; pct=25 means only 25% of non-compliant emails will be quarantined, while the rest are still monitored under p=none. This granular control helps mitigate risk. You can find more information about the various DMARC tags and their meanings in our guide.
Example DMARC record for p=reject (DNS TXT record):
v=DMARC1; p=reject; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:dmarc_forensics@yourdomain.com; fo=1; adkim=r; aspf=r;
Remember to update your DMARC DNS TXT record for each policy change. This record is crucial for instructing mailbox providers how to handle your emails. A common mistake is not fully understanding DMARC, SPF, and DKIM interactions before implementing a strict policy. Microsoft provides a helpful resource on how to configure DMARC for their services, which can be a good reference.
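The pct semantics above and the example record, worked through in code. This is an added example, not Suped's code: it parses a DMARC TXT record, applies the RFC 7489 defaults, computes how a pct value splits DMARC-failing mail between dispositions, and flags the rollout mistakes this guide warns about (no rua address, subdomains left weaker via sp). The records fed to it are constructed from the guide's own example.

```python
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:            # a trailing ';' leaves an empty part
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_STRENGTH:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is set
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def effective_dispositions(tags: dict) -> dict:
    """Percentage of DMARC-failing mail that receives each disposition.
    RFC 7489 6.6.4: the unsampled (100 - pct)% get the next weaker policy,
    so p=reject; pct=25 still quarantines the other 75%."""
    shares = {"none": 0, "quarantine": 0, "reject": 0}
    shares[tags["p"]] += tags["pct"]
    shares[NEXT_WEAKER[tags["p"]]] += 100 - tags["pct"]
    return shares


def rollout_warnings(tags: dict) -> list:
    """Checks to run before publishing each step of the phased rollout."""
    warnings = []
    if not tags.get("rua", "").startswith("mailto:"):
        warnings.append("no usable rua= tag: no aggregate reports will arrive")
    if POLICY_STRENGTH[tags["sp"]] < POLICY_STRENGTH[tags["p"]]:
        warnings.append(f"subdomains only get sp={tags['sp']} while p={tags['p']}")
    if tags["p"] == "none" and tags["pct"] < 100:
        warnings.append("pct has no effect with p=none; it applies to quarantine/reject only")
    return warnings
```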

Addressing potential challenges

One of the most common challenges when moving to p=reject is email forwarding. When a message is forwarded, its DKIM signature can break, leading to DMARC authentication failures. While some major mailbox providers, such as Gmail and Yahoo, are becoming more sophisticated at handling forwarded mail without breaking DKIM, it remains a potential deliverability issue. If you need to troubleshoot DMARC failures, reviewing your DMARC reports is the place to start.

Before p=reject

  1. Discovery phase: Identify all sending services, including third-party email service providers (ESPs), transactional email senders, and internal systems that send mail from your domain. Many organizations don't have a complete inventory of all email sources.
  2. Authentication Gaps: Legitimate emails may fail SPF or DKIM checks due to misconfigurations or services not yet authorized. Moving to p=reject would block these emails.
  3. Organizational Silos: Different departments may use various email sending services, leading to a lack of centralized oversight on email authentication. A comprehensive understanding is key for preventing deliverability issues.

After p=reject

  1. Enhanced Security: Emails failing DMARC authentication are rejected, effectively stopping malicious actors from spoofing your domain and protecting your brand reputation. This helps prevent phishing and spam.
  2. Improved Deliverability: By ensuring all legitimate emails are properly authenticated and aligned, your overall deliverability rates improve, as mailbox providers trust your domain more. You can learn more about the benefits of DMARC.
  3. Compliance Assurance: With comprehensive DMARC reporting, you gain visibility into all email traffic for your domain, helping ensure compliance with internal policies and external regulations, even across different departments.
Another consideration is managing transactional messages that might use auto-forwarding. If these messages fail authentication due to forwarding issues, they could be rejected. The careful, percentage-based rollout strategy helps you identify and address these edge cases before they significantly impact your users. This is also why having a clear understanding of DMARC best practices is critical.

Continuous monitoring and refinement

Publishing a DMARC policy is not a one-time setup, especially when aiming for p=reject. Continuous monitoring of your DMARC reports is essential. These reports provide invaluable data on your email ecosystem, showing which emails are passing or failing authentication, and from which IP addresses. This information allows you to identify unauthorized sending sources or legitimate sources that may still require proper authentication. Reviewing DMARC reports regularly is crucial for ongoing domain health.
Without consistent monitoring, you risk misconfigurations leading to legitimate emails being blocked or missed insights into potential threats. Even after reaching p=reject, continuous vigilance is required because new email sending services might be adopted by different departments, or existing configurations might change. This proactive approach ensures your email deliverability remains robust while maintaining a strong security posture.
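The report review described in this section and the forwarding problem discussed earlier, walked through in code. This is an added example, not Suped's tooling: the XML is a constructed aggregate (RUA) report in the RFC 7489 Appendix C shape with one aligned source, one ESP (the hypothetical esp-example.net) that passes SPF for its own domain but is not aligned with yourdomain.com, and one forwarded stream where DKIM survives but SPF fails. The summary shows which sources would actually be blocked at p=reject.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RUA report: three sources sending as yourdomain.com (RFC 7489 Appendix C shape).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>esp-example.net</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""


def summarise(report_xml: str) -> dict:
    """Per source IP: total messages, DMARC failures, and DKIM-pass/SPF-fail
    counts.  DMARC passes when either aligned DKIM or aligned SPF passes,
    so DKIM-pass/SPF-fail (the usual forwarding signature) is not a failure."""
    root = ET.fromstring(report_xml)
    out = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "spf_only_fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")   # aligned results as the receiver evaluated them
        dkim_ok = ev.findtext("dkim") == "pass"
        spf_ok = ev.findtext("spf") == "pass"
        out[ip]["total"] += count
        if not dkim_ok and not spf_ok:      # neither identifier aligned: rejected at p=reject
            out[ip]["dmarc_fail"] += count
        elif dkim_ok and not spf_ok:        # survives p=reject; typical of forwarded mail
            out[ip]["spf_only_fail"] += count
    return dict(out)


def sources_at_risk(summary: dict) -> list:
    """IPs whose mail would be dropped at p=reject, largest failure count first."""
    return sorted((ip for ip, s in summary.items() if s["dmarc_fail"]),
                  key=lambda ip: -summary[ip]["dmarc_fail"])
```

Run the summary over each report you receive and treat every IP in sources_at_risk as a sender to authenticate and align before the pct value goes up.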

Important for successful DMARC implementation

  1. Reporting: Ensure your DMARC record includes RUA (aggregate) and RUF (forensic) email addresses to receive reports. This data is vital for understanding your email ecosystem and identifying issues. See our guide on understanding DMARC reports.
  2. Subdomains: Consider applying DMARC policies to subdomains as well using the sp tag, especially if you have distinct sending practices for them.
  3. Review Period: Allocate sufficient time at each phase (p=none, p=quarantine) to collect data and address any issues. This can range from weeks to months depending on your email volume and complexity.

Achieving and maintaining email deliverability

Implementing a DMARC p=reject policy is a significant step towards bolstering your email security and protecting your domain's reputation. While the ultimate goal is full enforcement, rushing the process can lead to unintended consequences, such as legitimate emails landing in spam folders or being rejected entirely. By adopting a careful, phased approach and diligently monitoring your DMARC reports, you can ensure a smooth transition and maintain excellent email deliverability.
A secure email ecosystem requires continuous attention. Even after achieving p=reject, it's crucial to regularly review your email sending practices and DMARC reports to adapt to changes and address any new issues. This proactive management will safeguard your domain and ensure your emails consistently reach their intended recipients. Remember, the goal is not just to implement a policy, but to achieve and maintain strong email deliverability.

Views from the trenches

Best practices
Always start with a DMARC policy of p=none to gather comprehensive reports on your email traffic and identify all legitimate sending sources.
Use the pct tag to gradually increase enforcement (e.g., 10%, 25%, 50%, 75%, 100%) as you transition from p=none to p=quarantine and then to p=reject.
Regularly monitor and analyze your DMARC aggregate and forensic reports to ensure proper SPF and DKIM authentication and alignment for all outgoing mail.
Verify that all third-party email service providers (ESPs) and internal systems sending email on your behalf are correctly configured for DMARC.
Common pitfalls
Moving directly to p=reject without first deploying p=none or p=quarantine, leading to legitimate emails being blocked due to unauthenticated sources.
Not thoroughly reviewing DMARC reports, which causes missed insights into authentication failures from valid email senders.
Overlooking subdomains or other unexpected email sending sources that may not be properly authenticated, leading to deliverability issues.
Neglecting to update SPF records to include all legitimate sending IPs or DKIM records for new or changed email services.
Expert tips
If your subdomains have dedicated sending purposes, like a marketing subdomain, it's safer to apply a stricter policy like p=reject directly to them.
Compliance teams should have visibility into all email sending from the domain, not just specific subdomains, to ensure full adherence to policies.
Even at p=reject, continued monitoring is essential to catch new unauthorized senders or changes in legitimate email streams that might cause failures.
If legitimate emails are being impacted, temporarily revert to p=quarantine or p=none and analyze reports to identify the root cause before re-enforcing p=reject.
Marketer view
A marketer from Email Geeks says that starting with a p=none policy and checking RUA reports for unauthenticated mail is the initial crucial step.
2017-09-21 - Email Geeks
Marketer view
A marketer from Email Geeks suggests that after p=none, the next logical step is to implement p=quarantine, potentially with a low percentage value like 25% to observe impacts.
2017-09-21 - Email Geeks
