← Guides

Move to DMARC p=reject without breaking things

A reject policy protects your domain from spoofing. How to get there safely, starting from the reports.

Why aim for p=reject

With p=reject providers refuse messages that pretend to come from your domain but fail authentication. It's the strongest defense against spoofing and phishing in your name.

1. Start at p=none and read the reports

Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. For a few weeks collect the aggregate reports: they show which sources send for your domain and whether they pass SPF/DKIM.

2. Fix the legitimate sources

For every service that sends legitimately (CRM, billing, newsletters) make sure it DKIM-signs with your domain and is included in SPF. Alignment is the key.

3. Raise the policy gradually

Move to p=quarantine; pct=25, increase the percentage, then p=reject. Keep monitoring the reports: if a legitimate unaligned source appears, fix it before proceeding.

No sign-up. Copy the address and send.

Generate a test address →