What does the DMARC p tag actually do at each stage?
DMARC has three enforcement levels, set by the p= (policy) tag. The original specification, RFC 7489 §6.3, describes the policy tag as the “Requested Mail Receiver policy” and defines its three values. In May 2026 DMARCbis was published as a Standards-Track set of RFCs that obsolete RFC 7489: the core document is RFC 9989, with companion documents for aggregate reporting (RFC 9990) and failure reporting (RFC 9991). The three policy values are unchanged.
| Policy | What the receiver does | Role in the journey |
|---|---|---|
| p=none | No specific action requested. Failing mail is still delivered, but the receiver sends you aggregate reports. | Monitoring. You learn who sends as your domain without breaking anything. |
| p=quarantine | Mail that fails the DMARC check is treated as suspicious, typically routed to the spam or junk folder. | First enforcement step. Failures are contained, not lost. |
| p=reject | Mail that fails the DMARC check is rejected outright at the SMTP layer. | The goal. Spoofed mail never reaches the recipient. |
The p= tag is required for any policy record. If you are new to the mechanism, read what DMARC is and how it works and how SPF, DKIM and DMARC fit together before you publish anything. DMARC only passes when a message aligns through SPF or DKIM, so those two layers have to be sound first.
What DMARC record should I publish to start at p=none?
The journey begins with a monitoring record. Publish p=none with an rua= address so receivers start sending you aggregate reports. The rua= tag, defined in RFC 7489 §6.3, is a comma-separated list of addresses to which aggregate feedback is sent. Without it, you are flying blind and can never safely advance.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:reports@your-monitor.example;"
Point rua= at an address that feeds a parser. Raw aggregate reports arrive as gzipped XML attachments, several per day per domain, and reading them by hand does not scale past a single domain. ShieldMarc gives you a verified ingestion address per domain when you add it, so the reports land already parsed in your dashboard. You can also paste a single report into the free DMARC Report Viewer to see what the XML contains before you commit to a workflow.
Note that the optional ruf= tag (message-specific failure, sometimes called forensic, reports) is also defined in RFC 7489 §6.3. It is useful where receivers support it, but the aggregate rua= stream is the one that actually drives this migration. You can generate a correct starting record with the free DMARC record generator and confirm it is live with the DMARC checker.
How do I read the aggregate reports to find my senders?
This is the part most rollouts skip, and it is the only part that matters. Aggregate reports tell you, per source IP, how much mail claimed to be from your domain, and whether it passed SPF, passed DKIM and aligned. Your job during the monitoring phase is to turn that into a complete inventory of every system that legitimately sends as your domain.
Work the report inbox until you can name every sending source. A typical inventory for a single UK organisation looks like this:
- The main mail platform (for example Microsoft 365 or Google Workspace), which usually aligns through DKIM.
- Marketing and newsletter platforms sending on a subdomain.
- Helpdesk, CRM, invoicing and recruitment tools that send transactional mail on your behalf.
- Internal application or appliance relays sending alerts and monitoring notifications.
For a walkthrough of exactly what each XML field means, see understanding DMARC aggregate reports. In ShieldMarc the report stream is grouped per sender so you can see, for each source, its SPF and DKIM pass rates as badges rather than reading raw XML. That per-sender view is what lets a small team carry the migration across many domains without drowning in attachments.
How do I tell a misconfigured sender from real spoofing?
The reports will show failures, and not all failures are equal. Some are your own legitimate senders that are simply not aligned yet. Some are forwarders. Some are genuine spoofing attempts. You cannot advance to enforcement until you can separate the three, because moving to p=reject while a real sender is still failing means that sender's mail disappears.
ShieldMarc applies threat scoring to each unfamiliar source so the report view tells you, in plain language, whether a failing IP looks like a misconfigured sender you have simply not authorised yet or a source with no plausible relationship to your domain. A cluster of failures from a known SaaS vendor's IP range with a consistent envelope-from is almost always an alignment gap you need to fix. A burst of failures from unrelated, geographically scattered consumer IPs with no DKIM signature is far more likely to be abuse. The threat feed also surfaces volume spikes from sources you previously marked as benign, so a relay that suddenly triples its traffic resurfaces for a fresh look.
A practical rule: every source you can attribute to a real business system gets fixed (authorised and aligned). Everything you cannot attribute is exactly the mail you want p=reject to block, so it is a reason to advance, not a reason to wait.
How do I authorise every legitimate sender before enforcing?
For each legitimate source the reports surfaced, you make it align. DMARC passes when a message aligns through SPF or DKIM, so you have two levers. DKIM alignment is the more durable of the two because it survives forwarding, so prefer it wherever the sending platform supports signing with your domain.
- SPF:add the sender's sending hosts or include mechanism to your SPF record so the envelope-from domain authorises that source. Watch the ten DNS-lookup limit; if you are close to it, see how to fix SPF too many DNS lookups.
- DKIM:publish the platform's DKIM selector record so it signs with your domain. Our DKIM setup by provider guide covers the common platforms.
The adkim= and aspf= alignment-mode tags control how strictly the signing or envelope-from domain must match the visible From domain. Both accept r (relaxed) and s (strict), and both default to relaxed (RFC 7489 §6.3). Leave them at the relaxed default while you are still authorising senders, because strict mode rejects an organisational subdomain match that relaxed mode would accept, and during a rollout that is one more way to break legitimate mail. To build the records correctly use the SPF, DKIM and DMARC record guide. You are ready to advance when the reports show every named sender passing alignment and the only remaining failures are sources you cannot attribute.
When is it safe to move from p=none to p=quarantine?
You advance to quarantine when the data says it is safe, not when a number of weeks have passed. The readiness gate is simple: every legitimate sender you inventoried is now passing DMARC through aligned SPF or DKIM, and you have read enough days of reports to be confident the inventory is complete (low-frequency senders such as a monthly billing run or an annual mailshot have appeared at least once).
ShieldMarc surfaces this as a readiness indicator per domain. When it is green, the parsed reports show no aligned-sender failures and the picture has been stable across recent reporting windows. That green gate, not the calendar, is the signal to change the record:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:reports@your-monitor.example;"
Keep rua= in place. The reports do not stop being useful when you start enforcing, and you will rely on them to confirm the change did no harm.
Why not just ramp the pct tag from 10 to 100?
Several third-party guides tell you to enforce gradually by ramping the pct= tag (pct=10, then 25, then 50, then 100). ShieldMarc does not recommend pct ramping, and we want to be explicit about why.
Under the original spec the pct= tag (default 100) tells receivers what percentage of failing messages to subject to the policy. Per RFC 7489 §6.6.4 (Message Sampling), a message not selected for reject is treated as though quarantine applies, and a message not selected for quarantine gets normal local classification. So pct=50 with p=reject means roughly half of failing mail is rejected and the other half is quarantined. That is the whole problem with ramping: it is a coin flip applied to mail that is already failing. If a legitimate sender is still misaligned, pct=10 does not protect that sender, it just makes the breakage intermittent and far harder to diagnose from the reports. If every legitimate sender is aligned, you do not need a percentage at all, you are simply ready.
There is now a second, decisive reason. DMARCbis (RFC 9989, the current standard) removes the pct= tag entirely (Appendix A.6, “Removal of the pct Tag”). In its place it defines a binary t= (testing) tag with values y or n (default n). With t=y the domain owner is signalling that it is testing its policy and expects receivers to apply the level one below the stated policy (so p=reject; t=y is handled like quarantine). Any guide that still recommends ramping a percentage is writing against an obsolete tag. The report-driven gate described here was always the better practice, and it now matches the standard.
When do I advance from quarantine to reject?
Exactly the same gate, read a second time. After moving to quarantine you keep reading the reports. Quarantine is the safety net: if a sender you missed during monitoring exists, its mail now lands in junk rather than vanishing, and it shows up as a fresh aligned-sender failure in the reports. You fix it, the failure clears, and once the readiness indicator is green again and stable across recent reporting windows, you advance to reject.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:reports@your-monitor.example;"
This staged advance is the standard recommended progression on every authoritative source. dmarc.org describes it as publishing none to gather reports, then modifying the policy from none to quarantine to reject as you gain experience. The NCSC is equally direct: “Having a DMARC policy of reject on all of your domains is the best way to prevent spoofing of your email”, and “as soon as you are confident DKIM and SPF are continuing to work correctly, you should move to a DMARC policy of reject”. NCSC notes that many organisations move from quarantine to reject after about three months, and recommends closely monitoring reports for at least a two-week period after the change to reject. Treat that two-week watch as a floor, not a calendar countdown: the gate is still the data.
The detailed difference between the two enforcement levels, and why reject is the real goal rather than a permanent home at quarantine, is covered in DMARC quarantine vs reject.
What about subdomains when I reach p=reject?
The sp= (subdomain policy) tag controls what happens to mail from subdomains. Per RFC 7489 §6.3, if sp= is absent the policy from the p= tag is applied to subdomains. So p=reject alone already covers them. We still recommend writing sp=reject explicitly: it documents intent, it survives anyone copying the record into a tool that splits the tags, and ShieldMarc's scoring flags any record where sp= is weaker than p= as a separate control failure.
DMARCbis tightens this further. RFC 9989 adds an np= tag for non-existent subdomains (falling back to sp= and then p= when absent), and it replaces the Public Suffix List with a DNS tree walk to work out the organisational domain. The adkim= and aspf= alignment tags and the three p= values are unchanged. If you run parked or non-sending subdomains, see DMARC for parked domains for the lock-down configuration, which can go straight to reject because there is no legitimate mail to break.
Do I keep rua reporting on after I reach p=reject?
Yes, indefinitely. rua= is not scaffolding you remove once the building is up. Your sending estate changes: a new marketing platform is onboarded, a vendor rotates its sending IPs, an internal relay is rebuilt. Each of those can introduce a new unaligned source, and at p=reject that source's mail is rejected immediately. The aggregate reports are how you catch it, ideally before anyone notices the missing mail.
M3AAWG's email authentication best practices treat p=reject (or p=quarantine where reject is not yet possible) as the destination, and view p=none, sp=none and partial percentages as transitional states to be removed as quickly as possible. The reporting stream, by contrast, is permanent: it is what lets you stay at reject safely rather than drifting back into breakage. Keep an eye on the overall posture with the Security Grade check, which scores the live DMARC, SPF and DKIM records together.
How does this scale across dozens of domains at once?
The single-domain version of this journey is manageable by hand. The version a UK MSP or a multi-domain IT team actually faces, forty, eighty, two hundred domains each at a different stage, is not. That is the gap ShieldMarc is built for, and it is why the first paid tier starts at 25 domains rather than one. A tool priced for a single small business does not solve the problem we solve.
ShieldMarc keeps a per-domain readiness indicator so you can see at a glance which domains are clean enough to advance and which still have an aligned-sender failure to clear. The Professional plan (49/month billed annually, 69 month-to-month) covers 25 domains, 5 team members and 1,000,000 DMARC messages a month. The MSP plan (99/month billed annually, 129 month-to-month) covers 100 domain slots with brand-domain grouping, so the .com, .co.uk and .org variants of one brand count as a single slot, plus unlimited team members and 5,000,000 messages a month. You can add a further 50 domain slots for 39.99/month. Full numbers are on the pricing page.
If you only need to take one domain to reject and want a free evaluator, the ShieldMarc Starter tier is free for a single DMARC domain with up to 10,000 messages a month and 365-day retention. It is a freemium evaluation tier, not a multi-domain plan. For a genuinely free single-domain monitor from a third party, EasyDMARC's free plan and dmarcian's free Personal plan are both honest options. ShieldMarc's value shows once you are running the same migration across an estate.
Frequently asked questions
How long does it take to roll out DMARC for a small business?
A simple setup with one or two senders can reach p=reject in about 2 to 4 weeks, while a complex organisation with many SaaS senders typically takes 2 to 3 months. The timeline is driven by how fast your DMARC aggregate reports confirm that every legitimate sender aligns through SPF or DKIM, not by a fixed schedule. You publish p=none with rua= reporting, read the reports until every sender passes, then advance through quarantine to reject. We do not recommend ramping the pct= tag to go faster, because it samples failing mail at random and delays nothing useful (RFC 7489).
How long does it take to go from p=none to p=reject?
Expect about 2 to 4 weeks for a simple estate with one or two senders and 2 to 3 months for a complex organisation with many SaaS senders. There is no fixed schedule: the pace is set entirely by how quickly your aggregate reports confirm that every legitimate sender is aligned through SPF or DKIM. You advance none to quarantine to reject as each readiness gate clears, not by counting weeks. We do not recommend ramping the pct= tag to shorten this, because it only applies the policy to a random sample and does not protect a misaligned sender. The progression is defined in RFC 7489.
Can I go straight to p=reject?
For a normal sending domain, no: going straight to p=reject before reports confirm every legitimate sender aligns risks silently rejecting real mail. The safe path is to publish p=none with rua= reporting first, inventory every sender from the aggregate reports, align each one through SPF or DKIM, then advance through quarantine to reject once the data is clean. The exception is a parked or non-sending domain, which can go straight to p=reject because there is no legitimate mail to break (RFC 7489).
What is the safest way to roll out DMARC enforcement?
The safest rollout is report-driven: publish p=none with rua= reporting, read the aggregate reports until you can name and align every legitimate sender through SPF or DKIM, then advance p=none to p=quarantine to p=reject only when the reports show no aligned-sender failures. The data, not the calendar, is the gate at each step. We do not recommend ramping the pct= tag, because it applies the policy to a random sample of failing mail, leaves spoofing partly unblocked and delays nothing useful: an aligned estate is simply ready. This staged progression is defined in RFC 7489.
How do I know when it is safe to move to p=reject?
It is safe to move to p=reject when your aggregate reports show every legitimate sender passing DMARC through aligned SPF or DKIM and the only remaining failures are sources you cannot attribute to a real business system. Stay at quarantine long enough that even low-frequency senders such as a monthly billing run have appeared, and confirm the picture is stable across recent reporting windows before changing the record. ShieldMarc surfaces this as a per-domain readiness indicator that turns green when there are no aligned-sender failures. The readiness signal, not a fixed number of weeks, is what tells you it is safe.
What does the DMARC p tag actually do at each stage?
The p= (policy) tag has three values defined in RFC 7489 and carried unchanged into DMARCbis. p=none requests no specific action, so failing mail is delivered but you receive aggregate reports. p=quarantine asks receivers to treat failing mail as suspicious, typically routing it to junk. p=reject asks receivers to reject failing mail outright. The journey advances none to quarantine to reject as the reports prove each step is safe.
What DMARC record should I publish to start at p=none?
Publish v=DMARC1; p=none; rua=mailto:reports@your-monitor.example; at _dmarc.yourdomain. The rua= tag (RFC 7489) is a list of addresses to which aggregate feedback is sent, and without it you cannot see who sends as your domain or safely advance. Point rua= at an address that feeds a parser, because raw aggregate reports arrive as gzipped XML several times a day per domain and do not scale by hand.
How do I read the aggregate reports to find my senders?
Aggregate reports show, per source IP, how much mail claimed to be from your domain and whether it passed SPF, passed DKIM and aligned. Work the report inbox until you can name every legitimate sending source: the main mail platform, marketing and newsletter tools, transactional SaaS such as helpdesk and invoicing, and internal relays. ShieldMarc groups the stream per sender with SPF and DKIM pass-rate badges so a small team can carry this across many domains.
How do I tell a misconfigured sender from real spoofing?
Not all failures are equal: some are your own unaligned senders, some are forwarders, some are genuine spoofing. ShieldMarc applies threat scoring to each unfamiliar source so you can tell a misconfigured legitimate sender from a source with no plausible relationship to your domain. The rule: every source you can attribute to a real business system gets fixed and aligned; everything you cannot attribute is exactly the mail you want p=reject to block, so it is a reason to advance.
How do I authorise every legitimate sender before enforcing?
Make each legitimate source align through SPF or DKIM. For SPF, add the sender's hosts or include mechanism to your SPF record while watching the ten DNS-lookup limit. For DKIM, publish the platform's selector so it signs with your domain; prefer DKIM because it survives forwarding. Leave the adkim= and aspf= alignment tags at their relaxed default (r) during rollout, since strict mode (s) can break an organisational subdomain match. You are ready to advance when every named sender passes and only unattributable sources still fail.
When is it safe to move from p=none to p=quarantine?
Advance when the data, not the calendar, says so: every inventoried legitimate sender now passes DMARC through aligned SPF or DKIM, and you have read enough reporting windows that even low-frequency senders such as a monthly billing run have appeared. ShieldMarc shows this as a per-domain readiness indicator; when it is green and stable across recent windows, change the record to p=quarantine and keep rua= in place.
Why not just ramp the pct tag from 10 to 100?
ShieldMarc does not recommend pct= ramping. Under RFC 7489 section 6.6.4, pct=50 with p=reject means roughly half of failing mail is rejected and the rest quarantined, so ramping is a coin flip on already-failing mail: it does not protect a misaligned legitimate sender, it just makes the breakage intermittent and harder to diagnose. DMARCbis removes the pct= tag entirely and replaces it with a binary t= testing tag (t=y applies one level below the stated policy). Any guide that recommends ramping a percentage is writing against an obsolete tag.
When do I advance from quarantine to reject?
Use the same readiness gate a second time. Keep reading reports while at quarantine, where any sender you missed lands in junk rather than vanishing and shows up as a fresh aligned-sender failure to fix. Once the readiness indicator is green and stable again, advance to p=reject. dmarc.org and the NCSC both describe none to quarantine to reject as the progression; NCSC says move to reject once DKIM and SPF are confirmed working, notes many organisations advance after about three months at quarantine, and recommends closely monitoring reports for at least two weeks after the change. Treat that watch as a floor; the gate is still the data.
What about subdomains when I reach p=reject?
The sp= (subdomain policy) tag controls subdomain mail. Per RFC 7489 section 6.3, when sp= is absent the p= policy is applied to subdomains, so p=reject already covers them, but we recommend writing sp=reject explicitly for clarity and because ShieldMarc flags any record where sp= is weaker than p=. DMARCbis adds an np= tag for non-existent subdomains (falling back to sp= then p=) and replaces the Public Suffix List with a DNS tree walk; the adkim=, aspf= and p= values are unchanged.
Do I keep rua reporting on after I reach p=reject?
Yes, indefinitely. Your sending estate changes over time, and any new unaligned source has its mail rejected immediately at p=reject. The aggregate reports are how you catch it, ideally before anyone notices missing mail. M3AAWG treats p=reject (or quarantine where reject is not yet possible) as the destination and p=none, sp=none and partial percentages as transitional states to remove as quickly as possible, while the reporting stream stays permanent so you can hold reject safely.
How does this scale across dozens of domains at once?
ShieldMarc keeps a per-domain readiness indicator so you can see which domains are clean enough to advance and which still have an aligned-sender failure to clear. It is built and priced for UK MSPs and multi-domain IT teams, which is why the first paid tier starts at 25 domains. Professional is 49/month billed annually (69 month-to-month) for 25 domains; MSP is 99/month billed annually (129 month-to-month) for 100 brand-grouped domain slots, with 50 more slots available for 39.99/month. The free Starter tier is a single-domain evaluator; for a free third-party single-domain monitor, EasyDMARC's free plan or dmarcian's free Personal plan are honest options.
Run the enforcement journey across your whole estate
Start with a free Security Grade to see exactly where each domain sits today, then add the domains to ShieldMarc to get parsed aggregate reports, per-sender SPF and DKIM pass-rate badges, threat scoring on unfamiliar sources and a readiness indicator that tells you the moment a domain is clean enough to advance.
ShieldMarc is built and priced for UK MSPs and multi-domain IT teams, and it is purpose-built for NHS trusts and UK public sector bodies handling the post Mail Check transition. See the pricing page for plan limits, or paste a record into the DMARC checker to confirm your current policy. ShieldMarc is UK owned and EU hosted by default, with UK hosting available on request.