How-to
How to move your DMARC policy from p=none to quarantine to reject safely
A step-by-step walkthrough of the safe DMARC rollout — monitor, align your senders, then tighten enforcement — using the Policy Progression Wizard on the domain detail page.
Enforcing DMARC protects your domain from spoofing, but tightening the policy too early can silently send legitimate mail to spam or have it rejected. The safe path is a phased rollout: monitor first, align every legitimate sender, then ratchet enforcement up one step at a time. Blankitt DMARC's Policy Progression Wizard guides you through each stage.
The three policy stages
| Policy | What receivers do with failing mail | When to use |
|---|---|---|
| p=none | Nothing — monitor only | Day one. Collect data, see who sends as you |
| p=quarantine | Send to spam/junk | Once all legitimate senders are consistently aligned |
| p=reject | Block outright | Full protection, once quarantine has run clean |
Remember: DMARC only acts on unaligned mail — a message that fails both aligned SPF and aligned DKIM. Passing raw SPF or DKIM is not enough; the authenticated domain must align with your From: domain.
Step 1 — Start at p=none
Publish a monitoring policy in your domain's _dmarc TXT record and point reporting at your Blankitt inbound address (find it under Settings -> inbound ingest address):
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:<your-token>@rua.blankitt.com"
At p=none nothing is blocked, so it is completely safe to publish straight away.
Step 2 — Collect reports for 1–2 weeks
Mailbox providers send aggregate reports (typically daily) and Blankitt ingests them automatically. Give it one to two weeks to capture your full sending pattern, including weekly or monthly senders such as payroll, invoicing or marketing tools.
Step 3 — Open the Policy Progression Wizard
Go to Domains, open the domain, and find the Policy Progression Wizard. It shows your readiness to advance from Monitor -> Quarantine -> Reject, each with a checklist and concrete next steps. Alongside it you will see the domain's compliance Grade (A–F) and the Compliance Scorecard (6 dimensions, 0–100).
Step 4 — Align every legitimate sender
Before tightening anything, make sure all genuine mail passes DMARC. Use the Offenders page (sending sources failing DMARC, with vendor attribution) and Fix Groups (grouped remediation suggestions) to find and fix each one — typically by adding the sender to your SPF record or enabling DKIM signing so the signing domain aligns. Do not advance while a legitimate sender is still failing.
Step 5 — Move to p=quarantine (optionally with a pct ramp)
When the wizard's Quarantine checklist is green, update the policy. You can use pct= to ramp gradually — apply the policy to a percentage of failing mail first:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:<your-token>@rua.blankitt.com"
Monitor the dashboard, then raise pct toward 100 as you gain confidence.
Step 6 — Move to p=reject
Once quarantine has run cleanly with no legitimate mail caught, complete the final stage:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:<your-token>@rua.blankitt.com"
Your domain is now fully protected — receivers will reject any mail that fails DMARC.
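The check behind Step 4 can also be run directly on a raw aggregate report. This is an added example, not Blankitt's code: it reads an RFC 7489 aggregate report and lists the source IPs whose mail fails both aligned SPF and aligned DKIM. The sample report, the IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate format, trimmed to the fields used.
# In <policy_evaluated>, <dkim> and <spf> are the aligned (DMARC) results.
def _record(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + _record("192.0.2.10", 120, "pass", "fail")    # DKIM aligned only
                 + _record("203.0.113.5", 40, "fail", "pass")    # SPF aligned only
                 + _record("198.51.100.7", 8, "fail", "fail")    # fails DMARC
                 + _record("198.51.100.7", 4, "fail", "fail")    # same source, second row
                 + "</feedback>")

def summarize(report_xml):
    """Return {source_ip: [dmarc_pass_count, dmarc_fail_count]}."""
    # Reports arrive from third parties; a hardened parser such as defusedxml
    # is a sensible substitute for ElementTree when parsing them in production.
    totals = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes if either aligned mechanism passes; it fails only if both fail.
        passed = "pass" in (dkim, spf)
        totals[ip][0 if passed else 1] += count
    return dict(totals)

def failing_sources(report_xml):
    """Sources with DMARC-failing mail, highest failing volume first."""
    fails = [(ip, f) for ip, (_, f) in summarize(report_xml).items() if f]
    return sorted(fails, key=lambda item: -item[1])

def ready_to_advance(report_xml, known_senders):
    """True when no known legitimate sender IP has DMARC-failing mail."""
    return not any(ip in known_senders for ip, _ in failing_sources(report_xml))

if __name__ == "__main__":
    for ip, failed in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed} messages failed DMARC")
```

A source that appears in `failing_sources` and is not one of your own senders is mail the policy is meant to stop; one that is yours needs its SPF or DKIM alignment fixed before the policy is tightened.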
Tips
- Never skip stages. Each one surfaces senders you may have forgotten.
- Keep rua= in place at every stage so reporting continues.
- Re-check the wizard after any DNS change; the DNS Changelog records what changed and when.
- DMARC is authentication only — it does not filter spam or message content.