Moving DMARC to p=reject Safely
A staged plan to tighten your DMARC policy from none to quarantine to reject without blocking your own legitimate email.
DMARC p=reject is the goal: it tells receivers to drop any mail that fails authentication, which stops spoofing of your domain. But jump there too fast and you block your own email. Stage it.
Stage 1 — monitor (p=none)
Start at p=none with a rua address. You change nothing about delivery but begin collecting aggregate reports of who sends as your domain.
Stage 2 — find every sender
Read the reports for 2–4 weeks. List every legitimate source — your app, your ESP, support tools, invoicing — and make sure each one passes SPF and DKIM with alignment.
Send email that actually lands in the inbox
API and visual editor, SPF/DKIM/DMARC out of the box, analytics and warm IPs. Free tier — 200 emails/month, no card required.
Stage 3 — quarantine, then reject
Move to p=quarantine; pct=25, watch, then ramp the percentage to 100. Once nothing legitimate is failing, switch to p=reject. Now no one can spoof you.
Keep watching
New tools that send as your domain will fail under reject, so keep reading reports. Sendersy authenticates with alignment by default, so it never trips your DMARC. Add your domain free.
Строит инфраструктуру отправки Sendersy. Десять лет занимается доставляемостью, SPF/DKIM/DMARC и репутацией IP.
Читайте также
SPF, DKIM and DMARC: The Complete Email Authentication Setup
A step-by-step guide to configuring SPF, DKIM and DMARC records so your email passes authentication at Gmail, Outlook and Yahoo.
Email Deliverability: 12 Fixes to Land in the Inbox, Not Spam
A practical checklist to improve email deliverability — authentication, list hygiene, content, and reputation, in plain language.