Search... ⌘ K
Get Started Contact Sales

Implementing a Gradual DMARC Policy

Table of Contents

Implementing DMARC gradually is a best practice that helps you identify and fix authentication issues before they affect email delivery. This guide covers the gradual implementation process, from monitoring to full enforcement.

Why implement DMARC gradually?

Implementing DMARC gradually helps you:

  • Identify issues early: Discover authentication problems before they affect delivery
  • Fix problems safely: Address issues without impacting legitimate email
  • Build confidence: Gradually increase enforcement as you verify everything works
  • Minimize disruption: Avoid blocking legitimate emails during implementation
  • Learn your email ecosystem: Understand all services sending email from your domain

Warning

Do not start with p=reject. Starting with a reject policy immediately can block legitimate emails if authentication is not properly configured. Always start with monitoring.

Prerequisites

Before implementing DMARC:

  1. SPF configured: SPF records must be properly configured
  2. DKIM configured: DKIM records must be properly configured (recommended)
  3. Email services identified: Know all services that send email from your domain
  4. Monitoring capability: Have ability to receive and review DMARC reports

Step 1: Start with monitoring (p=none)

The first step is to monitor your email authentication without affecting delivery.

Create initial DMARC record

Add a monitoring-only DMARC record
  1. Use the account switcher to select the appropriate account.
  2. Click on your domain name from the list.
  3. Click the tab and open the .
  4. Click and select TXT.
  5. Enter _dmarc in the field.
  6. Enter the following in the field: 
    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

    Replace dmarc@yourdomain.com with your email address for receiving reports.

  7. Click .

Set up report collection

  1. Create report email address: Use an email address dedicated to DMARC reports (e.g., dmarc@yourdomain.com), or use an existing email address you monitor regularly.

  2. Consider report aggregation service: Services like dmarcian, Postmark, or Valimail can parse and aggregate DMARC reports, making it easier to understand report data. Optional but recommended for easier analysis.

Monitor for 2-4 weeks

During the monitoring phase:

  1. Review DMARC reports regularly:
    • Check reports weekly or bi-weekly
    • Look for authentication failures
    • Identify legitimate email sources
  2. Identify issues:
    • Note which emails are failing SPF or DKIM
    • Identify unauthorized email sources
    • Document legitimate services that need configuration
  3. Fix authentication issues:
    • Configure SPF for all legitimate email sources
    • Configure DKIM for all legitimate email sources
    • Remove or fix unauthorized email sources

Note

Most organizations monitor for 2-4 weeks, but you may need longer if you discover many issues to fix.

Step 2: Move to quarantine (p=quarantine)

Once you have fixed authentication issues and verified everything is working, move to quarantine.

Update DMARC record

Update the DMARC record to quarantine
  1. Navigate to your domain’s tab.
  2. Open the .
  3. Find the DMARC TXT record at _dmarc.
  4. Update the field to: 
    v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

    pct=25 means only 25% of failing emails will be quarantined initially.

  5. Click .

Start with percentage enforcement

Using pct=25 (or even lower) means:

  • Only 25% of emails that fail DMARC will be quarantined
  • 75% will still be delivered (monitoring mode)
  • Helps you test the impact before full enforcement

Monitor closely

During quarantine phase:

  1. Monitor reports daily:
    • Check DMARC reports more frequently
    • Look for legitimate emails being quarantined
    • Identify any issues quickly
  2. Check spam folders:
    • Monitor spam/junk folders for legitimate emails
    • Check if legitimate emails are being quarantined
    • Fix any issues immediately
  3. Gradually increase percentage:
    • After a week with no issues, increase to pct=50
    • Then pct=75
    • Finally pct=100 (full quarantine)

Full quarantine policy

Once you are confident, move to full quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

(Removing pct=100 means 100% enforcement)

Step 3: Move to reject (p=reject)

Only move to reject after thorough testing with quarantine.

Update DMARC record

Update the DMARC record to reject
  1. Navigate to your domain’s tab.
  2. Open the .
  3. Find the DMARC TXT record at _dmarc.
  4. Update the field to: 
    v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@yourdomain.com

    Start with pct=25 again for safety.

  5. Click .

Start with percentage enforcement

Again, start with a low percentage:

  • Only 25% of failing emails will be rejected
  • 75% will still be quarantined
  • Allows you to test impact before full enforcement

Monitor closely

During reject phase:

  1. Monitor very closely:
    • Check reports daily
    • Watch for any legitimate emails being rejected
    • Be ready to quickly revert if issues arise
  2. Check for bounce messages:
    • Monitor for bounce messages from legitimate senders
    • Verify no legitimate emails are being rejected
    • Fix any issues immediately
  3. Gradually increase percentage:
    • After confirming no issues, increase to pct=50
    • Then pct=75
    • Finally pct=100 (full reject)

Full reject policy

Once you are completely confident, move to full reject:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

(Removing pct=100 means 100% enforcement)

Timeline example

Here is a typical timeline for gradual DMARC implementation:

Week 1-4: Monitoring (p=none)

  • Monitor and fix authentication issues
  • Identify all legitimate email sources
  • Configure SPF and DKIM for all sources

Week 5-6: Quarantine with percentage (p=quarantine; pct=25)

  • Start with 25% quarantine
  • Monitor closely
  • Gradually increase to 100%

Week 7-8: Full quarantine (p=quarantine)

  • 100% quarantine enforcement
  • Monitor for any issues
  • Ensure everything works correctly

Week 9-10: Reject with percentage (p=reject; pct=25)

  • Start with 25% reject
  • Monitor very closely
  • Gradually increase to 100%

Week 11+: Full reject (p=reject)

  • 100% reject enforcement
  • Continue monitoring
  • Maintain configuration

Note

Your timeline may be shorter or longer depending on your email ecosystem complexity and how quickly you identify and fix issues.

Common issues and solutions

Legitimate emails being quarantined/rejected

Problem: Legitimate emails are being quarantined or rejected after moving to stricter policies.

Solutions:

  1. Check authentication: Verify SPF and DKIM are configured correctly for the sending service
  2. Check alignment: Ensure SPF or DKIM aligns with the “From” domain
  3. Temporarily lower policy: Revert to a less strict policy while fixing issues
  4. Fix configuration: Update SPF or DKIM records as needed

Unknown email sources in reports

Problem: DMARC reports show emails from unknown sources.

Solutions:

  1. Investigate source: Check if the source is legitimate
  2. Configure if legitimate: Add to SPF/DKIM if it is a legitimate service
  3. Block if unauthorized: If unauthorized, it may be spoofing (DMARC is working)

Too many failures

Problem: Reports show many authentication failures.

Solutions:

  1. Identify sources: Review reports to identify all email sources
  2. Fix configuration: Ensure all legitimate sources are authenticated
  3. Extend monitoring: Stay in monitoring mode longer if needed
  4. Fix issues before moving forward: Do not move to stricter policies until failures are resolved

Best practices

  • Always start with p=none (monitoring)
  • Use percentage enforcement (pct) when moving to stricter policies
  • Monitor reports regularly throughout the process
  • Fix all authentication issues before moving forward
  • Test thoroughly at each stage
  • Be patient - gradual implementation takes time
  • Document your email ecosystem
  • Keep monitoring even after full enforcement

Have more questions?

If you have additional questions or need any assistance with implementing a gradual DMARC policy, just contact support, and we’ll be happy to help.