A reject policy protects your domain from spoofing. How to get there safely, starting from the reports.
Why aim for p=reject
With p=reject providers refuse messages that pretend to come from your domain but fail authentication. It's the strongest defense against spoofing and phishing in your name.
1. Start at p=none and read the reports
Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. For a few weeks collect the aggregate reports: they show which sources send for your domain and whether they pass SPF/DKIM.
2. Fix the legitimate sources
For every service that sends legitimately (CRM, billing, newsletters) make sure it DKIM-signs with your domain and is included in SPF. Alignment is the key.
3. Raise the policy gradually
Move to p=quarantine; pct=25, increase the percentage, then p=reject. Keep monitoring the reports: if a legitimate unaligned source appears, fix it before proceeding.
No sign-up. Copy the address and send.
Generate a test address →