Progressing past p=none safely

When you're ready to move from monitoring to enforcement - and how to do it without breaking your password reset emails.

Why this matters

p=none is monitor-only. It tells mailbox providers to send you reports but not to take any action. That's the right starting point - but you don't get any protection until you progress to p=quarantine or p=reject.

Most domains stop at p=none permanently because progressing feels risky. It's not, if you ramp incrementally. Here's the playbook.

Are you ready?

You're ready to move past p=none if all of these are true:

  • You've watched reports for at least 4 weeks (preferably 8). You know which IP ranges send mail in your name and you can name them. No more "Unknown" senders showing up.
  • Alignment is consistently above 95%. If 5% of legitimate mail is failing authentication, you'll start losing real mail the moment you enforce - fix the alignment first.
  • Your transactional ESP (the one sending password resets, receipts, alerts) is properly DKIM-signed and aligned. This is the most common cause of broken DMARC enforcement; address it before you ramp.
  • You know who to talk to if something breaks. You'll need to update DNS quickly if a legitimate sender starts failing - make sure you have the access.
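
One way to check the first two bullets against your own aggregate (rua) reports, as an added example that is not this tool's code: it totals aligned volume across reports and lists the source IPs that fail. The sample report is constructed, uses documentation IP ranges, and assumes the standard aggregate-report XML element names with no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (trimmed); IPs are documentation ranges.
# Real reports come from third parties: parse them with a hardened XML parser.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>960</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

READY_THRESHOLD = 0.95  # the "consistently above 95%" bar from the checklist


def summarize(reports):
    """Return (aligned_fraction, Counter of failing source IP -> message count)."""
    total = aligned = 0
    failing = Counter()
    for xml_text in reports:
        for row in ET.fromstring(xml_text).iter("row"):
            count = int(row.findtext("count", "0"))
            ev = row.find("policy_evaluated")
            # policy_evaluated carries the aligned DKIM/SPF results;
            # a message passes DMARC when either one is "pass".
            if ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
                aligned += count
            else:
                failing[row.findtext("source_ip", "unknown")] += count
            total += count
    return (aligned / total if total else 0.0), failing


def ready_to_progress(reports, threshold=READY_THRESHOLD):
    """True only when the aligned share of message volume is above the threshold."""
    rate, _ = summarize(reports)
    return rate > threshold


if __name__ == "__main__":
    rate, failing = summarize([SAMPLE_REPORT])
    print(f"aligned: {rate:.1%}  ready: {ready_to_progress([SAMPLE_REPORT])}")
    for ip, n in failing.most_common():
        print(f"  failing source {ip}: {n} messages")
```

Feed it every report from the watch window rather than a single day, and treat each failing IP as a sender you must be able to name before enforcing.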

The ramp, after DMARCbis

Heads up if you've read older guides: the percentage-based ramp (pct=10 → 50 → 100) is gone. DMARCbis (RFC 9989) removed the pct tag - modern receivers ignore it and treat any pct below 100 as full enforcement. So the staged rollout is now the policy ladder (none → quarantine → reject), with the new t=y test-mode flag for a soft launch of each step.

The progression below is conservative. You can move faster, but most small businesses without a dedicated email-deliverability person should take 4-6 weeks total.

Step 1: p=quarantine; t=y (soft launch)

Move your record to p=quarantine, but add t=y. The policy is published, but test mode tells receivers to keep monitoring and not act yet - so nothing changes for your mail. You're watching the same reports, now with the quarantine policy in place and ready to go live.

Watch for a week. If no legitimate senders are failing that you didn't already know about, you're ready to actually enforce.

Step 2: p=quarantine (enforce)

Remove t=y. Now failing mail is genuinely sent to spam. This is where deliverability issues with legitimate senders show up most clearly - if you're going to find a problem, it's here. Watch carefully for a week or two.

Step 3: p=reject (full protection)

Once you've spent a clean week at p=quarantine with no false positives, switch to p=reject (optionally with t=y for a few days first, if you want one more soft-launch checkpoint). Failing mail is now bounced outright - spammers can't get their spoofs into mailboxes at all.

While you're here, add np=reject if you haven't already. It blocks spoofing of subdomains that don't exist, and it's safe to publish at any stage (unless you use wildcard DNS).

At this point you have full DMARC enforcement. The reports keep coming, but their job shifts: instead of helping you decide when to ramp, they're now your monitoring layer for when something breaks (a new ESP, a misconfigured server, a new attack vector).

What to do if something breaks

If a real sender starts failing during the ramp, you have three options:

  1. Roll back. Re-add t=y (test mode), or move back down the ladder to p=quarantine or p=none. Reports keep flowing but you stop enforcing while you investigate.
  2. Fix the sender's authentication. Most "broken" senders aren't broken - they're just not properly aligned. Add the right DKIM signing, update SPF, or ask the vendor to send aligned signatures.
  3. Whitelist via subdomain. If you can't fix the sender, move them to a subdomain (noreply.acme.com) and use sp= to publish a looser policy for subdomains.

Why we don't just auto-progress for you

We could. Auto-progression based on alignment numbers is a real V2 feature. But until you have a tested DMARC posture, the ramp is partly judgment - about whether the senders showing up in your reports are legitimate, whether your team is ready to respond if something breaks, whether the timing makes sense for a marketing send.

For now: we tell you when you look ready (the "Ready to progress beyond p=none" hint on each domain's DMARC tab), but you make the call.
