If your DMARC record says p=none, you have monitoring data but zero protection. Attackers can still spoof email from your domain. Here's the step-by-step path to enforcement — without accidentally blocking your own mail.
DMARC has three enforcement policies. Understanding what each one actually does — and doesn't do — is the first step to fixing yours.
[email protected] and it will land in the recipient's inbox with no warning.

The good news: most domains can reach p=reject within 2–4 weeks if SPF and DKIM are already configured. The risk of "breaking email" comes from rushing — not from the process itself.
Before changing anything, you need to know exactly what you're working with. Run your domain through a free check to see your current DMARC policy, whether SPF and DKIM are aligned, and what your email security grade is.
Once you have your current status, you'll know:
- Your current DMARC policy (p=none, p=quarantine, or p=reject)

If you don't have a DMARC record at all, the fix is simpler — see our DMARC setup guide to add one from scratch. This guide focuses on domains that already have a DMARC record at p=none.
This is the most important step that most guides skip. Do not move your DMARC to p=quarantine or p=reject until your SPF and DKIM are passing correctly for all your legitimate sending services. If you enforce DMARC before your own legitimate mail is authenticated, you'll filter or reject your own emails.
For an email to pass DMARC, it must pass either:
- SPF with alignment: the Return-Path (envelope sender) domain matches your From: domain, AND the sending IP is in your SPF record
- DKIM with alignment: the signature's d= tag matches your From: domain

Passing DMARC requires alignment — not just passing SPF or DKIM in isolation. A common mistake is having SPF and DKIM both "pass" individually, but failing DMARC alignment because the domains don't match.
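To make the alignment rule concrete, here is an added example (not code from the original post) that evaluates DMARC the way a receiving server does, including the relaxed and strict modes set by aspf= and adkim=. The domain names are constructed, and relaxed alignment is approximated as "same domain or a subdomain of it" rather than a Public Suffix List lookup.

```python
# Added example, not from the original post: evaluate DMARC identifier alignment the
# way a receiving server does, so that "SPF pass + DKIM pass" can still be a DMARC fail.
# Simplifying assumption: relaxed mode is modelled as "same domain, or one is a
# subdomain of the other" instead of a Public Suffix List organizational-domain lookup.
from dataclasses import dataclass


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an exact match,
    relaxed ('r') also accepts a subdomain relationship (PSL lookup approximated)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a:
        return False
    if a == f:
        return True
    if mode == "s":
        return False
    return a.endswith("." + f) or f.endswith("." + a)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str    # "pass" / "fail" / "none" etc. for the envelope sender
    spf_domain: str    # RFC5321.MailFrom (Return-Path) domain that SPF checked
    dkim_result: str   # result of the DKIM signature verification
    dkim_domain: str   # d= tag of the verified signature, "" if no signature


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one mechanism passes AND its domain aligns
    with the From: domain. Passing SPF or DKIM alone is not enough."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


if __name__ == "__main__":
    # Constructed case: a newsletter platform that authenticates with its own domain.
    newsletter = AuthResults("yourdomain.com", "pass", "bounce.bulk-sender.example",
                             "pass", "bulk-sender.example")
    print(dmarc_evaluate(newsletter))          # both pass individually, DMARC fails
    # Same platform after "custom domain authentication": DKIM now signs with your domain.
    fixed = AuthResults("yourdomain.com", "pass", "bounce.bulk-sender.example",
                        "pass", "mail.yourdomain.com")
    print(dmarc_evaluate(fixed))               # relaxed DKIM alignment rescues it
    print(dmarc_evaluate(fixed, adkim="s"))    # strict mode would fail again
```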
Make a list of every service that sends email appearing to come from your domain. Common ones that get missed:
Each of these needs to either:
- Sign with DKIM using d=yourdomain.com (DKIM alignment)

Your SPF record at yourdomain.com should include all authorized sending sources. A basic example:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ip4:203.0.113.10 ~all
Key rules:
- Stay under the limit of 10 DNS lookups (each include: counts as one). Use an SPF flattening tool if you're close to the limit.
- Use ~all (softfail) while testing; switch to -all (hardfail) once enforced.
- Use ip4: or ip6: for static server IPs (these don't count toward the lookup limit).

Once you've confirmed your SPF and DKIM are aligned for all legitimate senders, update your DMARC record to p=quarantine. Start with a low percentage (pct=10) to apply the policy to only 10% of failing mail — this lets you catch unexpected problems before full rollout.
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]; fo=1"
Monitor your DMARC reports for 3–7 days. If you see legitimate email being quarantined (showing up in spam), investigate immediately before increasing the percentage. Common causes:
Once the quarantine reports show no unexpected filtering, increase pct gradually: 10 → 25 → 50 → 100, over a week or two.
Once you've been at p=quarantine; pct=100 for at least a week with no unexpected issues, you're ready for p=reject. This is the only policy that actually prevents spoofing — at quarantine, spoofed emails still reach the recipient (in spam), and some users will open spam. At reject, the attack fails entirely.
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
The full parameter breakdown:
- p=reject — reject emails that fail DMARC alignment
- rua= — where aggregate reports go (summary of all mail sources, daily)
- ruf= — where forensic reports go (individual failure details, if supported)
- fo=1 — generate failure reports for any alignment failure (recommended for monitoring)
- adkim=r / aspf=r — relaxed alignment mode (default; allows subdomain matches)

[email protected]), make sure those subdomains are also authenticated. You can set a separate subdomain policy with sp=quarantine or sp=reject to control subdomain treatment independently.

Check your DMARC aggregate reports (rua inbox or a report processor). Look at the IP addresses that are failing. Use a reverse DNS lookup or IP geolocation tool to identify the service. If it's a legitimate service you forgot, add it. If it's an unknown sender — it might be a phishing attempt, and that's exactly what p=reject is designed to block.
Your newsletter tool is probably sending with its own domain as the envelope sender (common with Mailchimp, Brevo). Set up custom domain authentication in your email platform's settings — this configures DKIM signing with your domain. Most platforms have a guide for this. Once set up, your newsletter emails will pass DMARC via DKIM alignment.
If you're on Google Workspace, make sure include:_spf.google.com is in your SPF record. Also verify that DKIM is enabled in Google Workspace Admin → Apps → Google Workspace → Gmail → Authenticate email. Google can take up to 48 hours to start signing after enabling.
Add include:spf.protection.outlook.com to your SPF. For DKIM, go to Microsoft 365 Defender (security.microsoft.com) → Email & Collaboration → Policies → DKIM — enable signing for your domain. Like Google, it takes time to propagate.
SPF has a hard limit of 10 DNS mechanisms that require additional lookups (include:, a, mx). If you exceed this, some receivers will reject or ignore your SPF record entirely. The fix is SPF flattening — resolving all the includes to static IP lists. Services like dmarcian's SPF Surveyor or EasyDMARC's SPF flattener can help. Or remove sending services you no longer use.
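Counting the lookups by hand is error-prone because nested includes are charged too, so here is an added example (not code from the original post) that walks an SPF include tree and totals the DNS-querying terms against the limit of 10. ZONE is constructed stand-in data for the TXT answers a live resolver would return.

```python
# Added example, not from the original post: count the DNS-querying SPF terms for a
# domain offline, the same total a receiver checks against the limit of 10.
# ZONE is constructed stand-in data for the TXT answers a live resolver would return.
import re

ZONE = {
    "yourdomain.com":
        "v=spf1 include:_spf.mailhost.example include:relay.example ip4:203.0.113.10 ~all",
    "_spf.mailhost.example":
        "v=spf1 include:_netblocks.mailhost.example include:_netblocks2.mailhost.example ~all",
    "_netblocks.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    # A vendor that itself uses a, mx and re-includes a host already seen above.
    "relay.example": "v=spf1 a mx include:_spf.mailhost.example -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


def spf_lookups(domain: str, zone: dict = ZONE, path: tuple = ()) -> int:
    """Number of DNS lookups needed to evaluate domain's SPF record (RFC 7208 4.6.4).
    include/a/mx/ptr/exists/redirect each cost one lookup, includes recurse, and a
    repeated include is charged again because the receiver queries it again.
    ip4:, ip6: and all cost nothing. `path` breaks include loops."""
    record = zone.get(domain)
    if record is None or domain in path:
        return 0        # the lookup itself was already charged by the caller
    total = 0
    for term in record.split()[1:]:                 # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")                  # qualifier does not matter here
        parts = re.split(r"[:/=]", term, maxsplit=1)
        mech, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if mech not in LOOKUP_TERMS:
            continue
        total += 1
        if mech in ("include", "redirect") and value:
            total += spf_lookups(value, zone, path + (domain,))
    return total


def spf_lookup_report(domain: str, zone: dict = ZONE) -> dict:
    """Summarise the count against the limit; 'over' means receivers return permerror."""
    n = spf_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "limit": LIMIT, "over": n > LIMIT}


if __name__ == "__main__":
    print(spf_lookup_report("yourdomain.com"))   # 9 lookups: under the limit, barely
```

Swap ZONE for live TXT queries and the same walk tells you how much headroom a new include: would leave.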
Only one TXT record is allowed at _dmarc.yourdomain.com. If you have multiple, DMARC evaluation fails. Delete the extras and keep only the authoritative one. Check with: nslookup -type=TXT _dmarc.yourdomain.com
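As an added example (not code from the original post), the following validates the TXT answers that nslookup would return at _dmarc and shows what pct actually does to a message that failed DMARC, which matters for the staged rollout above. ANSWERS is constructed stand-in data and the rua address in it is a placeholder.

```python
# Added example, not from the original post: validate what nslookup returns at
# _dmarc.<domain> and work out the policy a receiver applies to one failing message.
# ANSWERS is constructed stand-in data; the rua address is a placeholder, not the post's.
from typing import Optional

ANSWERS = {
    "_dmarc.yourdomain.com": [
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com; fo=1",
    ],
    # Two DMARC records at the same name: receivers treat this as "no policy at all".
    "_dmarc.broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt_records: list) -> Optional[dict]:
    """Return the tag dict of the single usable DMARC record, or None when there are
    zero or several DMARC records, p= is missing/invalid, or pct= is out of range."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        return None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    tags["p"], tags["pct"] = tags["p"].lower(), str(pct)
    return tags


def effective_policy(tags: dict, draw: float) -> str:
    """Disposition for one message that failed DMARC, given the receiver's random
    draw in [0, 1). Messages outside the pct sample are not left alone: reject
    degrades to quarantine and quarantine to none (RFC 7489 section 6.6.4), which
    is why pct=10 with p=quarantine leaves 90% of failing mail at p=none."""
    if draw * 100 < int(tags["pct"]):
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[tags["p"]]


if __name__ == "__main__":
    tags = parse_dmarc(ANSWERS["_dmarc.yourdomain.com"])
    print(tags["p"], tags["pct"], effective_policy(tags, 0.05), effective_policy(tags, 0.5))
    print(parse_dmarc(ANSWERS["_dmarc.broken.example"]))   # None: duplicate records
```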
Reaching p=reject is not a one-time task. DMARC can break silently when:
- An include: points to an outdated record

Any of these can silently break DMARC — causing legitimate email to fail, or weakening your spoofing protection. The only way to know when this happens is continuous monitoring with alerts.
EdgeIQ Inbox Shield monitors your DMARC, SPF, and DKIM records continuously and sends you an immediate email alert when anything changes. Free to check, $9/month to monitor.
To summarize the complete path from p=none to p=reject:
- Enable rua= reporting if not already configured.
- Move to p=quarantine; pct=10. Monitor reports for unexpected filtering. Fix any discovered authentication gaps.
- Increase to p=quarantine; pct=100. Confirm no legitimate mail is being filtered.
- Move to p=reject. Set up continuous monitoring. Done.

DMARC enforcement is one of the most effective, cheapest security controls a business can implement. The worst phishing attacks — the ones that impersonate your CEO to request wire transfers — become impossible when the attacker can't make email appear to come from your actual domain. Get to p=reject and stay there.