The Path to DMARC Enforcement

Q: What happens when I enable p=reject?

Emails failing DMARC are rejected by receiving servers. Legitimate email with proper authentication is unaffected. Receivers like Gmail and Microsoft will refuse delivery of unauthenticated messages claiming to be from your domain.

Q: Can I roll back if something breaks?

Yes. Change your DMARC record back to p=quarantine or p=none. Changes propagate within hours (depending on TTL). This is why gradual rollout with the pct= parameter is recommended.

Q: Do I need a tool like Verkh for enforcement?

You can do it manually, but tools make it faster and safer by processing reports, identifying sources, and guiding remediation. Without a tool, you'll need to parse XML reports yourself and manually track all sending sources.

Q: What if my vendor doesn't support DKIM?

Some legacy systems don't support DKIM. You may need to route through a service that adds DKIM, or accept that sender will fail DMARC. In some cases, you can add the vendor's IPs to your SPF record as a partial workaround.

Q: How do I know I'm ready for p=reject?

Key indicators: Pass rate above 98% for 30+ days, all legitimate senders identified and authorized, no pending remediation tasks, and you've verified no legitimate email is being flagged.

Q: What is the pct= parameter?

The pct= parameter in your DMARC record lets you apply your policy to only a percentage of messages. For example, pct=10 applies your policy to 10% of messages. This allows gradual rollout to catch issues before full enforcement.

From p=none to p=reject without breaking legitimate email. Here's how.

Check Your Domain's Readiness

What is DMARC Enforcement?

DMARC enforcement means configuring your domain to reject or quarantine emails that fail authentication. While most domains start with p=none (monitoring only), true protection requires reaching p=reject.

p=none

Monitor only. Collect data about who's sending as you, but take no action on failures.

p=quarantine

Soft enforcement. Failing emails go to spam/junk folder instead of inbox.

p=reject

Full enforcement. Failing emails are rejected entirely. Maximum protection.

Why Monitoring Isn't Enough

At p=none, you're collecting data but not protecting your domain. Attackers can still send phishing emails as your domain, and receivers will deliver them. DMARC only protects your domain when you enforce it.

The Journey to Enforcement

Like climbing a mountain, DMARC enforcement happens in stages. Each step builds on the last.

Base Camp

Monitoring

p=none

Collect data about who sends as your domain. No action on failures yet.

Timeframe

2-4 weeks minimum

Goal

Identify all legitimate senders

Camp 2

Soft Enforcement

p=quarantine

Suspicious emails go to spam. Safe testing ground before the summit.

Timeframe

2-4 weeks minimum

Goal

Verify no legitimate email in spam

Summit

Full Enforcement

p=reject

Maximum protection achieved. Failing emails are rejected entirely.

Timeframe

Ongoing monitoring

Goal

Domain fully protected from spoofing

Start Your Journey

p=none

p=quarantine

p=reject

Scroll to climb

Readiness Checklist

Before moving to enforcement, ensure you've completed these items.

SPF record configured correctly

DKIM signing enabled for all senders

All legitimate sending sources identified

Timeline depends heavily on vendor responsiveness. Verkh's Apex dashboards typically accelerate vendor fixes by 40-60%.

Scenario	Typical Timeline	Key Factor
Simple domain (1-2 senders)	2-4 weeks	Quick source verification
Medium domain (5-10 senders)	4-8 weeks	Vendor coordination time
Complex domain (10+ senders)	8-12 weeks	Multiple vendor fixes needed
Enterprise (multiple domains)	12-24 weeks	Coordination across teams

Tools for Your Enforcement Journey

Use these free tools to check your current status.

Frequently asked questions

What happens when I enable p=reject?

Can I roll back if something breaks?

Do I need a tool like Verkh for enforcement?

What if my vendor doesn't support DKIM?

How do I know I'm ready for p=reject?

What is the pct= parameter?

Start Your Enforcement Journey

See where you stand and get guided remediation to reach p=reject safely.

Start Free Read the Complete Guide

The Path to DMARC Enforcement

What is DMARC Enforcement?

p=none

p=quarantine

p=reject

Why Monitoring Isn't Enough

The Journey to Enforcement

Base Camp

Camp 2

Summit

Readiness Checklist

Common Blockers & How to Fix Them

Unknown Sending Sources

Vendor Won't Fix Authentication

Fear of Breaking Legitimate Email

SPF Lookup Limit

How Long Does Enforcement Take?

Tools for Your Enforcement Journey

DMARC Checker

SPF Checker

DKIM Checker

Health Check

Frequently asked questions

Start Your Enforcement Journey