Roll Out DMARC p=reject in 8 Weeks
dmarc p=reject rollout without breaking payroll, CRM, or marketing mail. Week-by-week checklist with pct= staging and aggregate report review.

Your security lead wants p=reject on the board slide for Q2. Your ops lead remembers what happened the last time someone edited DNS on a Friday without telling finance. Both are right to care. A 55-person professional services firm in Manchester tried to jump from monitor-only DMARC straight to reject in one change. Payroll notifications from a legacy HR SaaS bounced for four days. The DMARC record was technically valid. The HR tool was never in the aggregate report review because nobody had turned on rua= reporting six months earlier. A dmarc p=reject rollout is not a single TXT edit. It is an eight-week (or longer) change management project with DNS at the end. This checklist assumes you already publish SPF and DKIM for your primary mail paths. If alignment is still broken, fix that first (see the alignment troubleshooting path on your internal wiki or our DMARC policy guide) before Week 3.
Before Week 1: Preconditions
Do not start the clock until these are true
- DMARC record exists at _dmarc.yourdomain.com with rua=mailto:... pointing to an inbox someone reads
- SPF and DKIM pass on test mail from Microsoft 365 or Google Workspace (check Authentication-Results)
- You have a list of every ESP, CRM, ticket system, and SaaS that sends as your domain
Tools you need
- DNS access (Cloudflare, GoDaddy, Route53, etc.)
- Gmail or Microsoft mailbox for test sends
- Aggregate report parser (spreadsheet, vendor tool, or manual XML review)
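The "manual XML review" option above, and the Weeks 1-2 sender table the checklist asks for, can be done with a short script. The one below is an added example, not ZeroHook's tooling: it parses the RFC 7489 aggregate report format with the standard library, groups records by source IP and SPF envelope domain, and labels each source with a heuristic (a source whose raw SPF or DKIM passes on a foreign domain is usually one of your own vendors with broken alignment; a source where nothing passes is usually an unknown sender). The sample report, IPs and domains are constructed.

```python
"""Parse a DMARC aggregate (RUA) report and build the Weeks 1-2 sender table.

Added example, not the page's tooling. Standard library only, RFC 7489
aggregate report layout. Triage labels are a heuristic, not a verdict.
"""
import xml.etree.ElementTree as ET

# Constructed sample report (documentation IPs, example domains): an aligned
# mailbox-provider source, an SPF-only ESP on its own bounce domain, and an
# unknown host that fails everything.
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result><selector>selector1</selector></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>180</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp-example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>random-host.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    """Text of the first child at path, or default when absent or empty."""
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_report(xml_text):
    """One dict per <record>: raw SPF/DKIM results plus the aligned verdicts."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "envelope_domain": _text(rec, "auth_results/spf/domain", "(none)"),
            "spf_raw": _text(rec, "auth_results/spf/result", "none"),
            "dkim_raw": _text(rec, "auth_results/dkim/result", "none"),
            # policy_evaluated carries the aligned results DMARC actually uses
            "spf_aligned": _text(rec, "row/policy_evaluated/spf", "fail"),
            "dkim_aligned": _text(rec, "row/policy_evaluated/dkim", "fail"),
        })
    return rows


def build_sender_table(rows):
    """Group by (source IP, envelope domain), sum counts, sort by volume."""
    table = {}
    for r in rows:
        key = (r["source_ip"], r["envelope_domain"])
        e = table.setdefault(key, {"source_ip": r["source_ip"],
                                   "envelope_domain": r["envelope_domain"],
                                   "spf": r["spf_raw"], "dkim": r["dkim_raw"],
                                   "messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
        e["messages"] += r["count"]
        # DMARC passes when either aligned identifier passes
        if r["spf_aligned"] == "pass" or r["dkim_aligned"] == "pass":
            e["dmarc_pass"] += r["count"]
        else:
            e["dmarc_fail"] += r["count"]
    return sorted(table.values(), key=lambda e: e["messages"], reverse=True)


def triage(entry):
    """Heuristic label for the Weeks 1-2 fix list (see module docstring)."""
    if entry["dmarc_fail"] == 0:
        return "aligned"
    if entry["spf"] == "pass" or entry["dkim"] == "pass":
        return "authenticates but misaligned"   # your vendor, wrong domain
    return "unknown source"


def top_failing_sources(table, n=3):
    """Highest-volume failing sources: the checklist says fix these first."""
    return [e for e in table if e["dmarc_fail"] > 0][:n]


if __name__ == "__main__":
    table = build_sender_table(parse_report(SAMPLE_RUA_XML))
    print(f"{'source_ip':<16}{'envelope_domain':<26}{'spf':<6}{'dkim':<6}{'msgs':>6}  triage")
    for e in table:
        print(f"{e['source_ip']:<16}{e['envelope_domain']:<26}{e['spf']:<6}"
              f"{e['dkim']:<6}{e['messages']:>6}  {triage(e)}")
```

Run it over real reports by feeding each decompressed XML attachment to parse_report and concatenating the row lists before build_sender_table; the "authenticates but misaligned" rows with the highest volume are the Week 3 vendor fixes, and the "unknown source" rows are what quarantine and reject are there to catch.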
Week-by-Week dmarc p=reject Rollout
Weeks 1-2 (discovery on p=none): Keep monitor-only policy. Collect RUA reports daily. Build a sender table: source IP, envelope domain, SPF result, DKIM result, message count. Fix alignment on the top three legitimate sources first.
see spoofing happen. You still cannot stop it.”
v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100
Week 3 (alignment hardening): Enable DKIM on every ESP still on SPF-only auth. Set custom return path / authenticated domain where the ESP supports it. Re-test until each stream shows dmarc=pass on a Gmail "Show original" check.
Week 4 (quarantine at 25%): Move policy to quarantine with partial enforcement:
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; adkim=r; aspf=r
Watch helpdesk for mail in junk folders. Failures in reports should be mostly unknown spoof sources, not your billing system.
Weeks 5-6 (quarantine ramp): Raise pct= to 50, then 100 over two weeks. Any legitimate failure at pct=100 means stop and fix the sender before reject.
Week 7 (quarantine soak): Hold full quarantine at pct=100 for 14 days minimum. Run a forward test (Gmail forward to personal account) if your users rely on forwarding. Document any path that still fails.
Week 8 (reject staging): Begin reject at pct=25, not 100:
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]; adkim=r; aspf=r
Increase pct= weekly until 100. Keep rua= active permanently. Enforcement without reporting is how Manchester lost visibility on the HR SaaS.
“Reject is the destination. pct= is the speed limit. Ignore the speed limit and you will crash legitimate mail.”
What Breaks During Rollout (And Fixes)
Payroll and HR SaaS
Often sends with an old SPF include you forgot, or no DKIM. Fix in vendor admin, not by reverting policy.
Marketing ESP on default bounce domain
Mailchimp, Klaviyo, HubSpot: enable domain authentication so DKIM aligns. SPF-only ESP setups fail when you enforce.
Ticket system notifications
Zendesk, Freshdesk, Intercom: each needs DKIM CNAMEs published. They are frequent "mystery fail" lines in RUA reports.
Contractor SMTP relays
Anyone still sending through smtp.oldisp.com without your DKIM will fail under reject. Migrate them to M365/GW or sign mail at the relay.
Subdomains
If support.yourdomain.com sends mail but has no _dmarc.support record, set sp=reject on the org domain only after subdomain senders are mapped.
dig TXT _dmarc.yourdomain.com +short
Frequently Asked Questions
Can we finish faster than eight weeks?
Sometimes, if you are single-ESP and single-mailbox-provider. Multi-vendor stacks should not compress quarantine soak. Auditors care that enforcement was staged, not that it was fast.
What if we need to roll back?
Drop to p=quarantine or p=none and lower pct= immediately. Keep rua= so you can see when failure volume drops. Rollback is normal during rollout, not failure.
Does p=reject help Gmail inbox placement?
Indirectly. It stops spoofing that damages domain reputation. It does not replace list hygiene or complaint rate control under 0.3% (Google bulk sender guideline, 2024).
Should sp= match p= on day one?
Yes, unless you have a documented subdomain exception. Attackers love sp=none on an otherwise strict org domain.
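The records published in the week-by-week section and the sp= rule in this answer are mechanical enough to check before each DNS edit. The script below is an added example, not ZeroHook's checker: it parses a DMARC TXT record into tags and applies the checklist's rules (rua= must be present, pct= must be a valid percentage, sp= must not be weaker than p=), and suggests the next stage on the ramp. The 25 / 50 / 100 step sizes for the reject stage are an assumption that mirrors the quarantine ramp; the page only says "increase pct= weekly until 100".

```python
"""Sanity-check a DMARC TXT record against the rollout checklist.

Added example, not the page's checker. The reject-stage pct= steps
(25 -> 50 -> 100) are an assumption copied from the quarantine ramp.
"""

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
RAMP = [25, 50, 100]   # pct= staging steps used by the checklist


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (later duplicates win)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def review_record(record):
    """Return findings; an empty list means the record is safe to publish at its stage."""
    tags = parse_dmarc(record)
    findings = []
    # RFC 7489 requires v=DMARC1 as the first tag
    if tags.get("v") != "DMARC1" or not record.strip().startswith("v="):
        findings.append("v=DMARC1 must be the first tag")
    p = tags.get("p")
    if p not in POLICY_STRENGTH:
        findings.append(f"p= must be none, quarantine or reject (got {p!r})")
        return findings
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("rua= missing: enforcement without reporting hides broken senders")
    pct = tags.get("pct", "100")           # pct= defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct= must be an integer 0-100 (got {pct!r})")
    sp = tags.get("sp", p)                 # sp= inherits p= when absent
    if sp not in POLICY_STRENGTH:
        findings.append(f"sp= must be none, quarantine or reject (got {sp!r})")
    elif POLICY_STRENGTH[sp] < POLICY_STRENGTH[p]:
        findings.append(f"sp={sp} is weaker than p={p}: subdomains stay spoofable")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}= must be r or s")
    return findings


def next_step(record):
    """Next (policy, pct) on the checklist ramp, or None at p=reject pct=100."""
    tags = parse_dmarc(record)
    p, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    if p == "none":
        return ("quarantine", RAMP[0])
    higher = [step for step in RAMP if step > pct]
    if higher:
        return (p, higher[0])
    if p == "quarantine":
        return ("reject", RAMP[0])
    return None


if __name__ == "__main__":
    # Constructed records: a clean Week 4 record and a record with two problems.
    for rec in ("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r",
                "v=DMARC1; p=reject; sp=none"):
        print(rec)
        print("  findings:", review_record(rec) or "none")
        print("  next step:", next_step(rec))
```

Feed it the output of the dig command above before each change; the point is that the record you are about to publish is checked against the ramp you planned, not just for syntax.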
Key takeaways
dmarc p=reject rollout: none (weeks 1-2) → alignment fixes (week 3) → quarantine with pct= (weeks 4-7) → reject with pct= (week 8+).
Never skip aggregate report review. rua= is your rollout dashboard.
Quarantine at pct=100 for two weeks catches forward and SaaS edge cases before reject bounces them.
Legitimate mail must show dmarc=pass on every stream before you enforce. Policy does not fix alignment.
Keep reporting enabled after reject. New SaaS tools appear monthly.
Validate your current policy and tags at zerohook.org/dmarc-checker before Week 4, so quarantine does not surprise a sender you never knew existed.
About the author

The ZeroHook Team breaks down DMARC alignment failures we see in production audits. Copy-paste fixes included where possible.


