p=none vs p=quarantine vs p=reject: when to move (and when not to)
More than half of domains with DMARC never leave p=none. Here's the honest ladder from monitoring to enforcement, with the checks to pass before each step.
DMARC has exactly one knob that matters: the policy tag. p=none,
p=quarantine or p=reject — monitor, spam-folder, or block. Three words
that decide what the world’s mailbox providers do with email that claims
to be you and can’t prove it.
Here’s the uncomfortable industry statistic: of the roughly half of major
domains that publish DMARC at all, more than half are parked at
p=none — the setting that observes spoofing and does nothing about it.
Only around one domain in ten reaches full p=reject. Everyone starts the
ladder; most never climb it.
What each policy actually does
- p=none — “tell me what’s happening, take no action.” Failing mail is delivered normally. You get aggregate reports (if you asked for them — more below). Zero protection, full visibility.
- p=quarantine — “if it fails, put it in spam.” Real damage to spoofers, recoverable damage to you if you misconfigure something.
- p=reject — “if it fails, refuse it at the door.” The destination. Spoofed mail using your exact domain stops being deliverable, full stop.
One nuance worth knowing: since Microsoft’s 2025 sender rules, bulk
senders need at least p=none just to get into Outlook inboxes — and
Google and Yahoo require the same. So p=none is no longer optional; the
question is only how fast you climb from it.
Why p=none first is non-negotiable
Because the thing DMARC blocks is unaligned mail — and on day one, some
of your own legitimate mail is unaligned. The CRM that sends as you. The
billing tool. The newsletter platform someone connected in 2023. Jump
straight to p=reject and you don’t stop attackers first, you stop
yourself.
So you start at none with reporting on:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The rua tag is the whole point of this phase. Without it, p=none is a
policy that observes nothing for nobody. Build the record properly — every
tag explained, policy ladder included — with our free
DMARC Record Generator.
The honest climbing checklist
Move up a rung when, and only when:
- You can name every source in your reports. Open a few weeks of aggregate reports (our DMARC Report Viewer turns the raw XML into a readable table) and identify every IP sending as your domain. Each one is either a tool you use, or a problem.
- Your legitimate sources pass at ~98% or better. The common benchmark before tightening. The stragglers are usually a provider missing custom-domain DKIM or an SPF include you never added.
- You’ve watched long enough to catch rare senders. Quarterly invoicing tools only appear in reports quarterly. Most guidance says sit on each rung for 60–90 days; the full none→reject journey commonly takes 9–18 months in larger orgs. A small, clean domain can move much faster.
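The first two checks above are arithmetic over the aggregate reports, so here is an added example (not the article's Report Viewer, and not a tool of the author's) that does that arithmetic: it parses one RFC 7489 aggregate-report XML, tallies aligned versus total mail per source IP, and applies the ~98% rung check over the sources you have mapped to your own tools. The XML, the IP addresses and the `known` set are constructed placeholders; in practice you would feed it the XML pulled out of the gzipped or zipped attachment in each rua mail.

```python
"""Per-source DMARC aggregate report summary (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: one healthy source, one straggler, one foreign sender.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
  </report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Return {source_ip: {"total": n, "aligned": n}} for one aggregate report.

    DMARC passes when either aligned identifier passes, so a row counts as
    aligned if <policy_evaluated> shows dkim=pass or spf=pass.
    """
    root = ET.fromstring(xml_text)
    per_source = defaultdict(lambda: {"total": 0, "aligned": 0})
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        per_source[ip]["total"] += count
        if dkim == "pass" or spf == "pass":
            per_source[ip]["aligned"] += count
    return dict(per_source)


def foreign_sources(summary, known_sources):
    """IPs sending as your domain that you have not mapped to a tool you use."""
    return sorted(ip for ip in summary if ip not in known_sources)


def pass_rate(summary, known_sources):
    """Aligned share of mail from your own sources only, as a float in [0, 1].

    Foreign senders are excluded on purpose: they are exactly what the policy
    should block, and they must not drag down the figure for your own mail.
    """
    total = sum(s["total"] for ip, s in summary.items() if ip in known_sources)
    aligned = sum(s["aligned"] for ip, s in summary.items() if ip in known_sources)
    return aligned / total if total else 0.0


def ready_to_tighten(summary, known_sources, threshold=0.98):
    """The rung check from the checklist: ~98% of legitimate mail aligned."""
    return pass_rate(summary, known_sources) >= threshold


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT)
    # Assumption: 192.0.2.10 is your CRM, 203.0.113.5 a billing tool still missing DKIM/SPF.
    known = {"192.0.2.10", "203.0.113.5"}
    for ip, s in summary.items():
        print(f"{ip:15} {s['aligned']:>5}/{s['total']:<5} aligned")
    print("foreign sources:", foreign_sources(summary, known))
    print("pass rate over own sources:", round(pass_rate(summary, known), 3))
    print("ready to tighten:", ready_to_tighten(summary, known))
```

Run as-is, the billing tool's 30 unaligned messages pull the rate to about 97% and the check says stay on the rung; fix that tool (or drop it from `known` once it is retired) and the same report passes. The foreign 198.51.100.7 is the thing p=quarantine or p=reject will finally act on.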
Use pct= to descend gently into each policy — p=quarantine; pct=25
applies the policy to a quarter of failing mail, so a mistake stings
instead of burning.
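To make the starting record and the pct= stepping concrete, here is an added example (my own code, not the article's DMARC Record Generator) that parses a DMARC TXT record into its tags, checks the things that break the monitoring phase (v=DMARC1 not first, no rua, a bad pct), and computes the next rung. The record strings and the domain are constructed; the step schedule (raise pct by 25 within a policy, then enter the next policy at pct=25) is an assumption built on the article's pct=25 hint, not a rule from the spec.

```python
"""DMARC record parser, checker and next-rung helper (added example, constructed records)."""
import re

POLICY_LADDER = ["none", "quarantine", "reject"]
_MAILTO = re.compile(r"^mailto:[^@\s]+@[^@\s]+$")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; insertion order is kept (v must be first)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate(tags):
    """Return a list of problems; an empty list means the record is usable for the ladder."""
    problems = []
    keys = list(tags)
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICY_LADDER:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICY_LADDER:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # 100 is the default when the tag is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    rua = tags.get("rua")
    if not rua:
        problems.append("no rua tag: p=none would observe nothing for nobody")
    elif not all(_MAILTO.match(uri.strip()) for uri in rua.split(",")):
        problems.append("rua must be one or more mailto: URIs")
    return problems


def next_rung(tags, step=25):
    """Next record on the ladder, or None once p=reject at full pct is reached.

    Assumed schedule: raise pct by `step` inside the current policy, then
    enter the next policy at pct=step so a mistake stings instead of burning.
    """
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        new_policy, new_pct = policy, min(pct + step, 100)
    elif policy == POLICY_LADDER[-1]:
        return None
    else:
        new_policy, new_pct = POLICY_LADDER[POLICY_LADDER.index(policy) + 1], step
    new = dict(tags)
    new["p"] = new_policy
    new["pct"] = str(new_pct)
    if new_pct == 100:
        del new["pct"]  # 100 is the default, so drop it and keep the record short
    return new


def format_record(tags):
    """Serialise tags back to TXT form, v first, then the common tags in a fixed order."""
    order = ["v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"]
    ordered = [k for k in order if k in tags] + [k for k in tags if k not in order]
    return "; ".join(f"{k}={tags[k]}" for k in ordered)


if __name__ == "__main__":
    rung = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com")
    print("problems:", validate(rung))
    while rung is not None:  # walk the whole ladder from none to reject
        print(format_record(rung))
        rung = next_rung(rung)
```

The walk prints the monitoring record first, then p=quarantine at pct=25, 50, 75 and full, then the same for p=reject. Each printed line is a rung you sit on for the 60 to 90 days the checklist describes, not a sequence to run through in an afternoon.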
When not to move
- You see legitimate sources in reports you haven’t fixed yet.
- You can’t tell which sources are legitimate (that’s a reason to look harder, not to wait forever).
- You don’t read the reports at all — then tightening is gambling, and the house is your own invoice email.
The part nobody tells you: this never ends
Reaching p=reject isn’t graduation. Next quarter someone connects a new
tool, its mail silently fails, and you find out from a customer asking why
invoices stopped arriving. The reports keep coming precisely because the
monitoring problem is permanent.
Reading gzipped XML by hand forever is nobody’s plan — that’s the job Norbelys DMARC monitoring does continuously: every report parsed, every new source surfaced, drift flagged before it costs you deliveries. Start the climb with the free tools; bring the monitoring when the domain starts paying your bills.