trustyourinbox

Progressing past p=none safely

When you're ready to move from monitoring to enforcement — and how to do it without breaking your password reset emails.

Why this matters

p=none is monitor-only. It tells mailbox providers to send you reports but not to take any action. That's the right starting point — but you don't get any protection until you progress to p=quarantine or p=reject.

Most domains stop at p=none permanently because progressing feels risky. It's not, if you ramp incrementally. Here's the playbook.

Are you ready?

You're ready to move past p=none if all of these are true:

  • You've watched reports for at least 4 weeks (preferably 8). You know which IP ranges send mail in your name and you can name them. No more "Unknown" senders showing up.
  • Alignment is consistently above 95%. If 5% of legitimate mail is failing authentication, you'll start losing real mail at p=quarantine pct=100 — fix the alignment first.
  • Your transactional ESP (the one sending password resets, receipts, alerts) is properly DKIM-signed and aligned. This is the most common cause of broken DMARC enforcement; address it before you ramp.
  • You know who to talk to if something breaks. You'll need to update DNS quickly if a legitimate sender starts failing — make sure you have the access.

The 4-step ramp

The progression below is conservative. You can move faster, but most small businesses without a dedicated email-deliverability person should take 4-6 weeks total.

Week 1: p=quarantine pct=10

Update your DMARC record to p=quarantine and pct=10. This tells receiving providers to send 10% of failing mail to spam. The other 90% of failing mail still gets delivered normally.

Watch reports for a week. If you don't see any new pattern of legitimate mail being spam-foldered, proceed. If you do, investigate before increasing pct.

Week 2: p=quarantine pct=50

Same policy, but half of failing mail now goes to spam. Keep the same observation period and look for the same thing: any sign that legitimate senders are getting caught.

Week 3: p=quarantine pct=100

All failing mail goes to spam. This is where deliverability issues with legitimate senders show up most clearly — if you're going to find a problem, it's here. Watch carefully.

Week 4 onward: p=reject

Once you've spent a week clean at p=quarantine pct=100 with no false positives, switch to p=reject. Failing mail is now bounced outright — spammers can't get their spoofs into mailboxes at all.

At this point you have full DMARC enforcement. The reports keep coming, but their job shifts: instead of helping you decide when to ramp, they're now your monitoring layer for when something breaks (a new ESP, a misconfigured server, a new attack vector).

What to do if something breaks

If a real sender starts failing during the ramp, you have three options:

  1. Roll back. Drop pct or move back to p=quarantine. Reports will keep flowing but you stop enforcing while you investigate.
  2. Fix the sender's authentication. Most "broken" senders aren't broken — they're just not properly aligned. Add the right DKIM signing, update SPF, or ask the vendor to send aligned signatures.
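  3. Whitelist via subdomain. If you can't fix the sender, move them to a subdomain (noreply.acme.com) and use sp= to publish a looser policy for subdomains. Note that sp= covers every subdomain that doesn't publish its own DMARC record, not just the one you moved the sender to.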

Why we don't just auto-progress for you

We could. Auto-progression based on alignment numbers is a real V2 feature. But until you have a tested DMARC posture, the ramp is partly judgment — about whether the senders showing up in your reports are legitimate, whether your team is ready to respond if something breaks, whether the timing makes sense for a marketing send.

For now: we tell you when you look ready (the "Ready to progress beyond p=none" hint on each domain's DMARC tab), but you make the call.
