From p=none to p=reject: How to enable DMARC enforcement in 2026
Forums show the same anxiety pattern: “I want p=reject, but I’m afraid I’ll block legit mail.” The rollout is mostly about gates: inventory done, alignment fixed, SPF lookup limit avoided, and then staged enforcement.
The scariest character in the DMARC record is p=reject.
Most domains stay stuck at p=none (monitoring only) forever because admins are terrified of blocking the CEO’s email or a critical client invoice.
This fear is healthy. But p=none provides zero protection against spoofing. To actually secure your domain, you need a plan. Even if you think that you don't, you do. Trust me.
1. The Staged Rollout Path
Never jump straight to reject. Follow this ladder:
- Phase 1: p=none (The "Listening" Phase)
  Collect data for at least 2-4 weeks. Use a monitoring tool to inventory all legitimate senders. Fix their alignment.
- Phase 2: p=quarantine pct=10 (The "Toe Dip")
  Tell receivers to put failing emails in Spam, but only for 10% of traffic.
  Record: v=DMARC1; p=quarantine; pct=10; rua=...
- Phase 3: p=quarantine pct=100 (The "Spam Folder")
  Now 100% of failing mail goes to Spam. This is safe-ish because legitimate mail isn't deleted, just foldered. Monitor support tickets closely.
- Phase 4: p=reject (The "Shield Up")
  After weeks of silence on the complaint front, flip the switch. Failing mail is now blocked at the gate.
2. The "Hidden" Blocker: SPF PermError
Before you enforce, check your SPF record. SPF has a hard limit of 10 DNS lookups.
If you include Google, Office 365, SendGrid, Zendesk, and Salesforce, you will likely hit 12 or 13 lookups.
The Consequence: An SPF PermError invalidates your entire SPF record. Suddenly, legitimate mail starts failing SPF. If you are at p=reject, congratulations... you just blocked your own company.
Fix: Audit and remove unused services. Avoid flattening unless the IPs are your own.
3. The "Multiple Records" Trap
A surprising number of outages happen because someone added a second DMARC record (e.g., for a new tool) without removing the old one.
If DNS contains two TXT records starting with v=DMARC1, receivers will often ignore both or behave unpredictably. Always update the existing record; never add a duplicate.
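The two pre-enforcement checks from sections 2 and 3, as an added example that is not part of the original article: it counts the worst-case SPF DNS lookups by following include and redirect, and flags more than one v=DMARC1 record. The zone data, the example.test names and the function names are constructed for illustration; in practice you would feed in TXT answers from your own resolver.

```python
# Constructed sample data standing in for DNS TXT answers (not real records).
LEAF = ["v=spf1 ip4:192.0.2.0/24 -all"]
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail-a.test include:_spf.mail-b.test "
                     "include:_spf.crm.test mx ~all"],
    "_spf.mail-a.test": ["v=spf1 include:_n1.mail-a.test include:_n2.mail-a.test "
                         "include:_n3.mail-a.test ~all"],
    "_n1.mail-a.test": LEAF, "_n2.mail-a.test": LEAF, "_n3.mail-a.test": LEAF,
    "_spf.mail-b.test": ["v=spf1 include:_n1.mail-b.test ip6:2001:db8::/32 -all"],
    "_n1.mail-b.test": LEAF, "_spf2.crm.test": LEAF,
    "_spf.crm.test": ["v=spf1 a mx exists:%{i}.ok.crm.test redirect=_spf2.crm.test"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:agg@example.test",
                            "v=DMARC1; p=quarantine; pct=10"],  # the duplicate
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208 section 4.6.4

def count_spf_lookups(domain, zone, path=frozenset()):
    """Worst-case count of DNS-querying SPF terms, following include/redirect."""
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if domain in path or len(spf) != 1:  # include loop, or no single SPF record
        return 0
    total = 0
    for term in spf[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.startswith("redirect="):  # modifier, also costs one lookup
            total += 1 + count_spf_lookups(term[9:], zone, path | {domain})
            continue
        mech, _, arg = term.partition(":")
        if mech.split("/")[0] in LOOKUP_MECHS:  # "a/24" and "mx/24" count too
            total += 1
            if mech == "include":
                total += count_spf_lookups(arg, zone, path | {domain})
    return total

def enforcement_blockers(domain, zone):
    """Return the reasons this domain is not ready to move past p=none."""
    blockers = []
    lookups = count_spf_lookups(domain, zone)
    if lookups > 10:
        blockers.append(f"SPF needs {lookups} DNS lookups (limit 10)")
    dmarc = [t for t in zone.get("_dmarc." + domain, [])
             if t.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        blockers.append(f"{len(dmarc)} DMARC records at _dmarc.{domain}")
    return blockers

if __name__ == "__main__":
    for reason in enforcement_blockers("example.test", ZONE):
        print("BLOCKER:", reason)
```

An empty list from enforcement_blockers means both gates pass; ip4, ip6 and all terms cost no lookups, which is why only the include chains and the a/mx/exists/redirect terms push the sample record over the limit.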
4. Strict vs. Relaxed Alignment
When you enforce, stick to Relaxed alignment (the default).
- SPF: aspf=r
- DKIM: adkim=r
Strict alignment (s) means subdomains cannot authenticate for the parent domain. Unless you have a very specific architectural reason, strict mode causes more headaches than it cures.
5. 2026: Why You Can't Wait
It used to be that DMARC was optional. In 2026, with Google and Yahoo's sender requirements, having at least p=none is mandatory for bulk senders.
But the goalpost is moving. High-security sectors and government standards (BIMI, PCI-DSS updates) are pushing for p=quarantine or p=reject. The "Wild West" of email is closing.
FAQ: Quick Answers
How long should I stay on p=none?
Until you have identified every legitimate service sending email as you. Usually 2-4 weeks covers most monthly billing cycles.
What does pct do?
The pct tag specifies the percentage of messages subjected to filtering. pct=20 with p=reject means 20% of failing messages are rejected, and 80% fall back to p=none.
What happens if SPF hits PermError?
SPF returns a "PermError" result, which counts as a fail. If DKIM also fails, DMARC will block the message.