Phisher Safe by SimpleDMARC

How to Move from p=none to p=reject in 30 Days: The SimpleDMARC Roadmap

Gaurav Maniar -

If your domain's DMARC policy is still set to p=none, you can see who's attacking you — but you can't stop them.

p=none is the monitoring stage. It's where every DMARC journey starts, and where far too many organisations stay permanently. According to the EasyDMARC 2026 DMARC Adoption Report, 68% of domains with DMARC records remain at p=none — meaning attackers can still send spoofed emails from their domain unimpeded.

The good news: moving from p=none to p=reject doesn't have to take months. With the right approach and the right tooling, it's a 30-day process. This guide gives you the exact roadmap — day by day, week by week — that SimpleDMARC customers follow to reach full enforcement safely.

Start monitoring today: Try SimpleDMARC free — no credit card required. Your DMARC aggregate reports will be parsed automatically within 24–48 hours.

Why p=none Gives You Visibility Without Protection

Think of p=none as a security camera that records everything but has no alarm. You can watch attacks happen. You can download the footage afterwards. But nothing is being blocked.

When your DMARC policy is set to p=none, receiving mail servers apply your policy — which instructs them to do nothing if authentication fails. Spoofed emails claiming to come from your domain are delivered to inboxes just as if you had no DMARC record at all.

This matters more in 2026 than ever before:

  • AI-generated phishing emails have made spoofing attacks nearly indistinguishable from legitimate mail
  • The average cost of a phishing-related breach reached $4.88 million in 2025
  • Domain spoofing is involved in over 70% of business email compromise (BEC) attempts
  • Google, Yahoo, and Microsoft all now require DMARC for bulk email senders

p=none is not a security control. It is a diagnostic tool. The moment you start receiving DMARC aggregate reports, your job is to analyse them and work towards enforcement — not sit on monitoring mode indefinitely.

What You Need Before You Start

Before you touch your DMARC policy, three things must be in place:

1. SPF record published and passing

Your SPF record tells receiving servers which IP addresses are authorised to send email for your domain. Run a free SPF check to confirm your record exists, is syntactically valid, and stays under the 10 DNS lookup limit.

2. DKIM configured for all sending services

Every service that sends email on behalf of your domain — your email platform, CRM, helpdesk, marketing automation tool — needs a valid DKIM signature. Check your DKIM setup using SimpleDMARC's free DKIM lookup tool.

3. DMARC record published at p=none with RUA reporting enabled

If you don't have a DMARC record yet, publish one now:

v=DMARC1; p=none; rua=mailto:dmarc@simpledmarc.com; ruf=mailto:dmarc@simpledmarc.com; fo=1;

The rua= address is where aggregate reports are sent. Using SimpleDMARC's reporting address means reports are parsed automatically into your dashboard — no XML files to decode manually. Wait 48 hours after publishing before collecting data.

Week 1 (Days 1–7): Audit Your Email Ecosystem

The most common reason organisations get stuck at p=none is they don't know all the services sending email as their domain. Week 1 is about building that complete picture.

Day 1–2: Connect SimpleDMARC and start receiving reports

Sign up for SimpleDMARC (free tier available) and add your domain. Your DMARC aggregate reports will start flowing into the dashboard within 24–48 hours. You'll see a list of every IP address and sending service that has sent email claiming to come from your domain.

Day 3–4: Categorise every sender

Go through the sending sources in your SimpleDMARC dashboard and tag each one as:

  • ✅ Known and authorised (your mail server, Google Workspace, Microsoft 365, Mailchimp, etc.)
  • ⚠️ Known but failing authentication (needs SPF/DKIM fix)
  • ❌ Unknown (investigate — could be a forgotten sending tool or an attacker)

Day 5–7: Fix SPF and DKIM for all authorised senders

For every legitimate sender that's failing authentication, work through the fix:

  • Add the sender's IP range or include: mechanism to your SPF record
  • Configure DKIM signing in the third-party platform
  • Verify alignment (the signing domain must match your From: header domain)

SimpleDMARC advantage: Spoofed emails arriving in your reports — attackers trying to send as you — do not count against your storage limit. You're never penalised for being a target.

Week 2 (Days 8–14): Achieve 95%+ DMARC Compliance

Before you enforce any policy, you need to be confident that legitimate mail will pass. The industry benchmark is 95% DMARC compliance on your authorised email streams before moving to p=quarantine.

Day 8–10: Fix third-party senders

Third-party senders are the number-one source of DMARC failures in practice. Work through each one:

  • Google Workspace: Enable DKIM in Admin Console → Apps → Gmail → Authenticate email
  • Microsoft 365: Configure DKIM per domain in the Defender portal
  • Mailchimp / HubSpot / Salesforce: Follow the platform's DKIM setup guide for custom domains
  • Transactional email (SendGrid, Postmark, AWS SES): Configure domain authentication in the platform settings

Day 11–12: Handle subdomains

Your DMARC policy at the root domain covers subdomains by default via the sp= tag. But check whether any subdomains send email independently — they need their own SPF and DKIM configuration.

Day 13–14: Monitor compliance percentage

Check your SimpleDMARC dashboard daily. You're looking for the DMARC compliance percentage — the proportion of your email that passes SPF or DKIM alignment. Target: 95% or above before proceeding.

Common causes of failing compliance:

  • Misconfigured DKIM selectors
  • SPF lookups exceeding the 10-lookup limit
  • Subdomain misalignment

Week 3 (Days 15–21): Move to p=quarantine with Gradual Rollout

Once you're consistently at 95%+ DMARC compliance, it's time to add enforcement. p=quarantine tells receiving servers to put failing emails in the spam folder rather than delivering them to the inbox.

Day 15: Update your DMARC record to p=quarantine at 10%

Use the pct= tag to roll out gradually — starting at 10% means only 10% of failing emails will be quarantined:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@simpledmarc.com; fo=1;

Publish this change to your DNS and wait 48 hours for propagation.

Day 17–18: Monitor for legitimate mail being caught

Watch your SimpleDMARC dashboard carefully. Look for any known sending services suddenly appearing in the failure column. If a legitimate sender is caught, fix its authentication immediately rather than rolling back your policy.

Day 19–20: Increase pct= to 50%

If no legitimate mail has been affected, increase the rollout:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@simpledmarc.com; fo=1;

Day 21: Full quarantine enforcement

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@simpledmarc.com; fo=1;

Continue monitoring for 3–4 days before moving to p=reject.

Week 4 (Days 22–30): Move to p=reject — Full Protection

p=reject is the goal. It instructs every receiving mail server on the internet to block emails that fail authentication entirely — they never reach the inbox, the spam folder, or anywhere else.

Day 22–25: Final compliance audit

Before moving to p=reject, confirm in your SimpleDMARC dashboard:

  • No known sending services appear in the failure list
  • DMARC compliance is consistently above 98%
  • All subdomains are accounted for

Day 26: Start p=reject rollout at 25%

v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@simpledmarc.com; fo=1;

Day 28: Full enforcement

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@simpledmarc.com; fo=1;

Day 29–30: Final verification

Use SimpleDMARC's free DMARC checker to confirm your record is valid. Check that:

  • Policy shows p=reject
  • RUA reporting address is correct
  • No syntax errors are present

Your domain is now fully protected. Attackers can no longer send email that appears to come from your domain — every spoofed email will be rejected at the receiving server before it reaches your customers, partners, or employees.

What Happens to Phishing Attacks Under SimpleDMARC

Here's a detail that matters for SimpleDMARC customers specifically: spoofed phishing emails targeting your domain don't count against your storage limit.

Most DMARC monitoring platforms charge based on email volume — including attack traffic. If attackers flood your domain with thousands of spoofed emails, your monitoring costs go up. That's the volume-based pricing model used by most competitors.

SimpleDMARC works differently. We use storage-based pricing: you pay based on how much report data you store, not how many emails we process. And spoofed phishing emails — the attack traffic you have no control over — are excluded entirely from your limit.

This means you're never penalised for being a target. And with p=reject in place, those attacks are being blocked before they cause harm.

The 30-Day Checklist at a Glance

Week 1 — Audit

  • [ ] SPF record published and valid (under 10 lookups)
  • [ ] DKIM configured for all sending services
  • [ ] DMARC record published at p=none with rua= reporting
  • [ ] SimpleDMARC connected and receiving reports
  • [ ] All sending sources categorised (authorised / failing / unknown)
  • [ ] SPF and DKIM fixes applied for all authorised senders

Week 2 — Compliance

  • [ ] Third-party senders all authenticated
  • [ ] Subdomains reviewed and covered
  • [ ] DMARC compliance consistently ≥ 95%

Week 3 — Quarantine

  • [ ] Updated to p=quarantine pct=10
  • [ ] No legitimate mail caught — increased to pct=50
  • [ ] Increased to pct=100 quarantine
  • [ ] 3–4 days clean monitoring at full quarantine

Week 4 — Reject

  • [ ] Compliance confirmed at ≥ 98%
  • [ ] Updated to p=reject pct=25
  • [ ] Increased to p=reject pct=100
  • [ ] Final DMARC record verified with SimpleDMARC checker

Frequently Asked Questions

How long does it actually take to move from p=none to p=reject?

With a dedicated monitoring tool like SimpleDMARC and all your sending services already documented, 30 days is realistic. The process can take longer if you have many third-party senders to configure or a large organisation where changes require cross-team coordination. The most common delay is getting DKIM configured for third-party tools.

Will moving to p=reject break my email?

Only if there are sending services you haven't authenticated yet. This is why the gradual rollout using pct= is essential — it lets you test enforcement at small percentages before going to 100%. If you follow the roadmap and reach 95%+ DMARC compliance before touching the policy, the risk of disruption is very low.

What is the pct= tag and do I need it?

The pct= (percentage) tag tells receiving servers to apply your DMARC policy to only a percentage of failing emails. It's used for gradual rollout — starting at pct=10 and increasing to pct=100 lets you test enforcement without immediately blocking everything. It's not required in your final p=reject record, but it's a safety mechanism during the transition.

Do I need both SPF and DKIM, or just one?

DMARC passes if either SPF or DKIM passes AND aligns with the From domain. You technically only need one. However, best practice is to have both configured — SPF alone fails for forwarded email, and having DKIM as a backup ensures your legitimate mail still passes even when SPF fails due to forwarding.

What should I do about parked domains that don't send email?

Every domain you own should have a DMARC record. For non-sending domains, publish:

v=DMARC1; p=reject; rua=mailto:dmarc@simpledmarc.com;

This tells servers to reject any email from that domain since you never send from it — a critical protection since parked domains are a common attack vector.

Next Steps

Moving from p=none to p=reject is the most important email security action your organisation can take in 2026. With Google, Yahoo, and Microsoft all enforcing DMARC compliance, staying at p=none isn't just a security risk — it's a deliverability risk.

The 30-day roadmap above gives you a structured, low-risk path to full enforcement. The key is to monitor thoroughly, fix before you enforce, and roll out gradually using the pct= tag.

SimpleDMARC has been protecting domains for 5 years. Our free tier gives you everything you need to start monitoring today — DMARC aggregate report parsing, sender identification, and a free DMARC checker to verify your records at every step.

Start your free SimpleDMARC account →
No credit card required. DMARC reports start flowing within 24–48 hours.

Check your current DMARC record free →