Introduction
Moving from p=none to p=reject is the part of DMARC that determines whether your rollout protects your domain or bounces your invoices. The mechanics are simple — change one DNS tag — but the sequencing is everything.
This article is the playbook: the phases, the checkpoints between them, and the specific signals in your aggregate reports that say "safe to move." Done right, the transition is uneventful. Done wrong, it's a panic call from sales on day one.
Why this topic matters
The gap between monitoring and enforcement is where most DMARC rollouts stall. Teams know they should move up but lack the explicit decision criteria, so they default to "later" — and later never comes. A defined playbook removes the ambiguity: when conditions A, B, and C are met, you move.
For MSPs running multiple client rollouts, having a written playbook also turns the work into a repeatable engagement rather than a bespoke project each time.
The four phases of a safe rollout
Phase 1 — Monitoring (p=none) Phase 2 — Partial quarantine (p=quarantine pct=10→100) Phase 3 — Partial reject (p=reject pct=25→100) Phase 4 — Steady state (p=reject pct=100)
Each phase has entry criteria and exit criteria. You don't graduate by calendar; you graduate by data.
Phase 1: Monitoring
What you're doing: Reading aggregate reports, identifying every sender, fixing failing authentication.
Entry criteria: Published p=none record with rua= reporting active.
Exit criteria:
- Every sender in the report has a known business reason (legitimate or known-illegitimate).
- All legitimate senders are at ≥99% DMARC pass rate.
- No new senders appeared in the last 7 days.
- At least 14 days of report history.
Typical duration: 2-6 weeks.
Phase 2: Partial quarantine
What you're doing: Applying quarantine to a controlled percentage of failures. The pct= tag is your safety harness.
Entry criteria: All phase-1 exit criteria met.
Recipe:
- Publish
p=quarantine pct=10. Wait 7 days. - If reports show no surprises, move to
pct=25. Wait 7 days. pct=50. Wait 7 days.pct=100. Stabilize for 14 days.
Exit criteria:
- 14 consecutive days at
p=quarantine pct=100. - No new failing senders in that window.
- Pass rate maintained at ≥99%.
Typical duration: 5-6 weeks.
Phase 3: Partial reject
What you're doing: Final ramp to full enforcement. Optional pct= stagger for high-stakes domains.
Recipe (optional safety stagger):
p=reject pct=25for 7 days.p=reject pct=50for 7 days.p=reject pct=100.
For domains with clean phase-2 data, you can skip directly to p=reject pct=100.
Exit criteria:
- 14 consecutive days at
p=reject pct=100with no incidents.
Typical duration: 2-3 weeks (or 1 day if skipping the stagger).
Phase 4: Steady state
What you're doing: Monitoring for change. The protection is in place; the job is keeping it in place.
Cadence:
- Weekly: glance at the dashboard. Confirm pass rate, no new senders.
- Monthly: review any new senders or anomalies.
- Quarterly: check
sp=and other tags for business-circumstance changes.
This is the destination. It runs essentially forever.
What to watch in each phase
Three signals matter at every phase:
- Pass rate by sender. Below 99% on a known-legitimate sender is a remediation flag.
- Source IP variety. Sudden new IPs from a known sender often mean a vendor IP rotation — usually safe but worth confirming.
- New rows in the report. A new sender appearing means someone added a tool. How to handle third-party senders during DMARC projects covers the discovery pattern.
The DMARC AI platform surfaces all three as dashboard alerts; manual XML parsing requires you to look for them deliberately.
Step-by-step approach to the actual move
A concrete day-by-day for moving from p=none (with clean reports) to p=reject:
Day 0: Final pre-move audit. Confirm exit criteria for phase 1.
Day 1: Update record to p=quarantine pct=10. Validate DNS propagation.
Day 2-7: Watch reports daily. Any new rejections appear within hours.
Day 8: If clean, move to pct=25.
Day 15: pct=50.
Day 22: pct=100.
Days 22-36: Stabilize at p=quarantine pct=100. Confirm steady state.
Day 37: Move to p=reject (or p=reject pct=25 if you want the additional safety stagger).
Day 51: If staggered, pct=100. If skipped, you've been at pct=100 since day 37.
Day 65+: Steady state.
Total: ~9 weeks from start to fully enforced. Faster for clean domains; slower for complex ones.
Best practices
- Don't skip phases. The temptation to jump straight from
p=nonetop=rejectfor security-conscious teams is real. Resist it. - Update
sp=together withp=. If you setsp=quarantineinitially, move both up in sync. Otherwise subdomains lag behind the parent. - Watch reports daily during the move. Once per day for the first week of any policy change. Then weekly.
- Have a rollback plan. A 24-hour return to
p=quarantinewhile remediating a surprise is fine; long rollbacks signal the readiness check was insufficient. - Communicate internally before each move. A one-paragraph email to marketing, sales, and IT operations the day before each change.
What can go wrong (and how to catch it fast)
Three failure modes account for most rollout incidents:
- A legitimate sender wasn't fully remediated. Pass rate looks good at phase-1 exit but drops at quarantine — usually because the sender has volume variation (e.g., monthly billing runs). Fix: extend phase 1 to include the variation window.
- A forwarding service breaks DKIM. Mailing lists or older mail forwarders rewrite the From header without re-signing. The fix is sender-specific and may require a subdomain isolation strategy.
- A surprise sender appears mid-rollout. Marketing adds a tool on day 20. Caught by daily report review; fix is to authenticate the new sender, possibly with a temporary step-back to
pct=lower.
The signal that catches all three is daily report review during phase transitions. After steady state, weekly suffices.
Recommended next step
If you're starting your rollout, set the calendar. Day 0 should be on a calendar within the next two weeks. The playbook is the playbook; what determines success is having owners and dates.
If you're a DMARC platform admin, configure alerts: pass-rate drops below 99%, new sender detected, rejection volume spikes. The platform doing the watching reduces the cost of the rollout substantially.
For MSPs, this is the engagement clients pay for repeatedly — see the MSP guide to selling DMARC services for the productized version.
FAQ
Can I do this faster than 9 weeks?
Yes, for simple domains. A small domain with 3 known senders, all at 100% pass after a 2-week monitoring window, can reach p=reject in 4-5 weeks. The constraint is data confidence, not calendar.
What's the longest a rollout should take?
12 weeks for typical mid-market. Beyond that, you have a complex sender estate (likely enterprise) that warrants its own subdomain strategy.
Can I skip p=quarantine entirely?
Yes, if monitoring data is clean. The quarantine phase is a safety belt; some teams skip it for low-stakes domains. For client domains MSPs are managing, keep the quarantine phase — it's the safety story you sell.
What if pass rate drops during the rollout?
Step back one level (pct= lower or one policy weaker), remediate, re-advance. The whole point of pct= is making this reversible at small cost.
Does the rollout require downtime?
No. DMARC changes don't require service interruption. The risk is mail being rejected when it shouldn't be — the playbook is built to prevent that.
Final thoughts
The DMARC monitoring-to-enforcement playbook is one of the cleanest applications of progressive rollout in security operations. Every phase has a clear entry test, a controlled exposure mechanism (pct=), and a defined exit signal. Done by the book, the only thing missing at the end is exact-domain spoofing.
The hard part isn't the technical work — it's the discipline to follow the playbook instead of either rushing through phases or stalling at one. Both failure modes are organizational; both are fixable with named ownership and calendar dates.