Turning on p=reject: what actually happens
Three quarters of domains that publish DMARC never move past p=none. The reason is almost always the same sentence: nobody can tell me what breaks if I flip. The odd thing about that fear is that the answer already exists, in data you already have. Here is how to read it.
A policy only ever touches mail that fails alignment
The most load-bearing fact about a DMARC flip is one most people have never been told: your policy, whether it says p=none, p=quarantine, or p=reject, has no effect on mail that passes DMARC alignment. Aligned mail is delivered under any policy. Alignment is decided by SPF, DKIM, and the adkim/aspf tags, none of which change when you edit p=. So the entire question "what breaks if I flip" reduces to a smaller one: what is currently failing alignment, and whose mail is it?
Your reports already contain the answer
Every DMARC aggregate report is a receiver telling you, per source and per outcome, exactly which mail passed and which failed. That means a stricter policy can be previewed as a replay: take the last 30 days of receiver reports, and everything that failed alignment is precisely the mail a stricter policy would have acted on. No guessing, no modeling. The receivers have already voted.
When you sort that failing mail by who sent it, it falls into three families with very different meanings.
1. Unknown sources with no authentication at all
This is spoofing, and it is the reason to enforce. Under p=reject this mail would have been refused outright. On most domains sitting at p=none, this family is the overwhelming majority of failures, which means the flip costs nothing and blocks real abuse.
2. Your own senders failing authentication
A recognized service, your helpdesk, your newsletter tool, your invoicing system, sending real mail that fails SPF and DKIM. This is the family that gets broken by a flip, and it is the ONLY one. If the replay shows volume here, do not flip yet: authorize the service in SPF or turn on its custom DKIM signing first, then check again. Fixing one CNAME usually clears an entire sender.
3. Forwarded mail and mailing lists: the gray zone
Forwarding breaks SPF, and mailing lists often break DKIM, so this mail fails alignment through no fault of yours. Here a second honest fact matters: a DMARC policy is a request, not a command. Receivers routinely apply local overrides for mail they can tell was forwarded, and they say so in the reports (reason codes like forwarded and mailing_list). Some of this mail keeps flowing even at p=reject. Some does not. It is a judgment zone, which is exactly why it should be shown to you, counted, before you decide.
Watch the subdomain tag
One quiet trap: the sp= tag. If your record publishes an explicit sp=none, flipping p= to reject changes nothing for subdomain mail; it keeps flowing under the old rule. If sp= is absent, subdomains inherit the new policy automatically. Know which of the two your record does before you flip, because the same edit means different things.
Flip with a net, not a prayer
Even a well-previewed flip deserves a safety net, because the replay is history and next week's mail is not. A sane flip looks like this:
First, the change itself should be reversible: staged with a cancel window before it publishes, and an undo after. Second, the days after the flip are when the truth arrives. The same receiver reports that powered the preview now show the new policy's real dispositions, so watch them: if mail from your own recognized senders starts being quarantined or rejected, that is a regression, and the right move is to roll the policy back one step, fix the sender, and flip again. Silence is not proof either way; receiver reports lag a day or two, and a quiet weekly newsletter may take two weeks to show up.
This is the loop trustyourinbox ships as the Enforcement Preview: the 30-day replay with the three families counted, a one-click flip through a staged pipeline (a five minute cancel window, an email notice, a 24 hour undo), and a 14 day watch afterwards that compares every new receiver report against the pre-flip baseline and alerts you with a one-click rollback if your own mail regresses. Nothing fires on its own; every step is your click, with the numbers in front of you.
The short version
A DMARC flip is not a leap of faith. Aligned mail cannot be touched. Your reports already show what would have happened. If the failing mail is spoof, flip and sleep better. If any of it is yours, fix that sender first. And whichever way you go, keep the reports flowing, because they are also how you find out it worked.
Keep reading
Progressing past p=none, safely
The ladder itself: none, quarantine, reject.
DMARC alignment, in plain English
Why aligned mail cannot be touched by any policy.
Forwarders, mailing lists, and DMARC
The gray zone every flip has to make peace with.
Why email bounces or lands in spam
What to do if something does break after a flip.
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.