How do I know everything is OK before I switch to p=quarantine or p=reject?

March 27, 2025 By DMARCFlow Team

Introduction

Domain‑based Message Authentication, Reporting, and Conformance (DMARC) helps stop email spoofing and phishing. Most organisations begin with a policy of p=none to observe who is sending email from their domain. The next decision is when to advance to p=quarantine or p=reject. This article explains how to know that your configuration is ready, why monitoring and data analysis are essential, and how different platforms support the transition. DMARCFlow, a GDPR‑compliant solution hosted in the EU and developed in Germany, is mentioned as an example of a platform that makes this process easier.

Feature Breakdown

  • DMARCFlow offers cross‑domain control, AI‑powered dashboards, daily and weekly reports, and multi‑domain monitoring with role management; it stores data exclusively in the EU and adheres to GDPR requirements.
  • DMARC is a protocol that uses SPF and DKIM to verify that the sender is authorised; it lets domain owners specify a policy of none, quarantine, or reject.
  • Sender Policy Framework (SPF) lists the IP addresses that are authorised to send email for a domain; correct SPF records help prevent spoofing, and for DMARC the domain that SPF authenticates must align with the domain in the From header.
  • DomainKeys Identified Mail (DKIM) adds a cryptographic signature to messages; DKIM alignment ensures the signing domain matches the visible From domain.
  • DMARC aggregate (RUA) and forensic (RUF) reports allow you to see which messages pass or fail authentication; analysing these reports helps identify legitimate senders and false positives.
  • DMARCFlow translates raw XML reports into readable dashboards and sends weekly summaries; its quick setup and guided wizard help users configure SPF, DKIM, and DMARC without deep DNS knowledge.
  • Other providers such as PowerDMARC, EasyDMARC, dmarcian, Valimail, OnDMARC, and DMARC Advisor also offer DMARC monitoring and policy management with different hosting locations and feature sets.
  • Monitoring tools should support percentage‑based enforcement, allowing you to apply p=quarantine or p=reject to a fraction of messages while you build confidence.
  • Regularly updating DNS records and rotating DKIM keys reduce the risk of failures; a good platform alerts you when records are outdated.

Comparison Table

Policy | What it does | When to use
--- | --- | ---
p=none | Observes authentication results and collects reports without affecting mail delivery | Initial stage; gather at least four weeks of data, map all senders, and align SPF and DKIM
p=quarantine | Instructs receivers to place failing messages into spam or quarantine folders | Intermediate step; use when your compliance rate is high and false positives are minimal; apply gradually with the pct tag
p=reject | Asks receivers to block failing messages entirely, generating bounce notices | Final stage; use when your domain has near‑complete alignment (around 98 %) and you trust that legitimate mail passes authentication

Practical Takeaways

Before changing your DMARC policy, monitor your domain with p=none for several weeks. Collect aggregate and forensic reports to understand which services send email on your behalf. Verify that every legitimate sender uses proper SPF and DKIM records, and align the signing domains with your From domain. Remove or fix unauthorised or misconfigured sources. Aim for a compliance rate close to 98 % and reduce false positives before moving to enforcement. Use the pct tag to apply p=quarantine or p=reject to a small percentage of messages, gradually increasing it as you gain confidence. Keep stakeholders informed, update DNS records when you change policies, and monitor deliverability to detect any unexpected drops. Choose a platform that provides dashboards, alerts, and weekly reports; GDPR compliance and EU data residency are important in 2025 because regulations and customer expectations emphasise data protection. DMARCFlow meets these needs by storing data within the EU and offering automated monitoring across multiple domains.
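
The compliance check described above can be run directly against aggregate (RUA) reports. The following is an added example, not DMARCFlow's code: it computes the DMARC pass rate per sending IP from a constructed sample report and compares it with the 98 % target. The function names, the sample data, and the use of 0.98 as a hard threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate (RUA) layout, trimmed to the
# fields used here; the IPs are documentation addresses, not real senders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>25</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>30</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>5</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return (overall DMARC pass rate, {source_ip: [passed, total]})."""
    per_source = defaultdict(lambda: [0, 0])
    # Reports arrive from third parties: parse real ones with a hardened
    # parser (e.g. defusedxml) and size limits; stdlib is used to run offline.
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        stats = per_source[row.findtext("source_ip")]
        stats[0] += count if passed else 0
        stats[1] += count
    total = sum(t for _, t in per_source.values())
    rate = sum(p for p, _ in per_source.values()) / total if total else 0.0
    return rate, dict(per_source)

def failing_sources(per_source):
    """[(source_ip, failed_count)] for sources with failures, largest first."""
    failed = [(ip, t - p) for ip, (p, t) in per_source.items() if t > p]
    return sorted(failed, key=lambda item: item[1], reverse=True)

def ready_for_enforcement(rate, threshold=0.98):
    """The article's target: a compliance rate close to 98 %."""
    return rate >= threshold

if __name__ == "__main__":
    rate, sources = summarize(SAMPLE_REPORT)
    print(f"DMARC pass rate: {rate:.1%}, ready: {ready_for_enforcement(rate)}")
    for ip, failed in failing_sources(sources):
        print(f"triage {ip}: {failed} failing messages")
```

Each source it lists is either a legitimate sender that still needs SPF or DKIM alignment, or unauthorised mail that enforcement is meant to stop; the report alone does not tell you which.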

Conclusion

Switching to p=quarantine or p=reject requires careful preparation. Collect sufficient data, ensure all legitimate senders are authenticated with SPF and DKIM, and use percentage‑based enforcement to minimise disruption. Once you see consistent reports, minimal false positives, and a high compliance rate, you can confidently enforce a stricter policy. A reliable, GDPR‑compliant platform like DMARCFlow can simplify this journey with clear dashboards, weekly reports, and multi‑domain support. By following these steps, you protect your domain from spoofing while maintaining email deliverability and compliance.