---
title: "DMARC enforcement best practices: Moving from ‘none’ to ‘reject’ | DuoCircle"
description: "DMARC enforcement best practices: Moving from ‘none’ to ‘reject’ It’s 2026, and email-based attacks remain one of the major concerns for organizations."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/"
---

Quick Answer

DMARC enforcement is the move from p=none (monitoring only) to p=quarantine or p=reject, where receiving servers actually act on authentication failures. At p=none, mail that fails SPF and DKIM still reaches the inbox; the domain is reported on but not protected. The phased path is: inventory every legitimate sender using DMARC RUA reports, fix SPF and DKIM alignment for each one, move to p=quarantine with a low pct tag (for example pct=25), watch for legitimate mail being filtered, then ramp pct up to 100, and finally switch to p=reject. The pct tag exists specifically to limit blast radius during the transition. Enforcement is what closes the door on spoofing; without it, the DMARC record is documentation, not protection.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc%2Fdmarc-enforcement-best-practices-moving-from-none-to-reject%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=DMARC%20enforcement%20best%20practices%3A%20Moving%20from%20%E2%80%98none%E2%80%99%20to%20%E2%80%98reject%E2%80%99&url=undefined%2Fblog%2Fdmarc%2Fdmarc-enforcement-best-practices-moving-from-none-to-reject%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc%2Fdmarc-enforcement-best-practices-moving-from-none-to-reject%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc%2Fdmarc-enforcement-best-practices-moving-from-none-to-reject%2F&title=DMARC%20enforcement%20best%20practices%3A%20Moving%20from%20%E2%80%98none%E2%80%99%20to%20%E2%80%98reject%E2%80%99 "Share on Reddit") [ ](mailto:?subject=DMARC%20enforcement%20best%20practices%3A%20Moving%20from%20%E2%80%98none%E2%80%99%20to%20%E2%80%98reject%E2%80%99&body=Check out this article: undefined%2Fblog%2Fdmarc%2Fdmarc-enforcement-best-practices-moving-from-none-to-reject%2F "Share via Email") 

![DMARC enforcement](https://media.mailhop.org/duocircle/images/2026/01/dmarc-report-6754.jpg) 

#### DMARC enforcement best practices: Moving from ‘none’ to ‘reject’

by **DuoCircle**

It’s 2026, and [email-based attacks](https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/email-threat-landscape-report-evolving-threats-in-email-based-attacks) remain one of the major **concerns for organizations**. It opens the door to sophisticated attacks such as phishing, brand impersonation, and business email compromise. This means cursory checks are no longer enough. 

_What you really need are firm measures that give you control over who is allowed to send emails on your behalf and stop unauthorized messages from reaching inboxes_. This is not about adding more tools to your existing security infrastructure but fine-tuning your strategies to use [email authentication](/resources/email-authentication) more effectively. Moving DMARC from ‘monitoring’ to ‘enforcement’ is one such measure that can provide your **organization with stronger protection** against spoofing, build trust, and reduce the risk of [fraudulent messages](https://www.scworld.com/brief/fbi-us-officials-spoofed-in-ongoing-voice-sms-phishing-campaign) being delivered.

## Why is DMARC monitoring not enough?

When you first configure DMARC, it is usually done with a [DMARC policy](/resources/dmarc-policy) at “p=none” or in monitoring mode. This gives you insight into how emails are actually sent from your domain and how receiving servers handle them. _At this stage, DMARC reports help you understand which servers are sending emails on your behalf, whether those emails are passing SPF and DKIM checks, and, if not, how receiving mail servers handle those failures_. Over time, this helps you understand how email is actually being sent from your domain, especially when **multiple tools or vendors** are involved. 

[![domain for phishing ](https://media.mailhop.org/duocircle/images/2026/01/spf-record-6610.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-record-6610.jpg)

This is only one part of the picture. While “p=none” gives you visibility, it does not do anything about unauthenticated emails and how they will be handled by the **recipient’s servers**. As long as the DMARC policy is at “p=none”, emails that fail authentication checks will still be delivered. This means attackers will still be able to misuse your domain for [phishing or impersonation](https://thehackernews.com/2026/01/microsoft-warns-misconfigured-email.html), despite taking all the seemingly right measures. _When you apply stricter DMARC policies, such as quarantine or reject, receiving mail servers start taking strict action against authentication failures_.

This way, emails that fail these checks are handled **differently from legitimate messages**. They are either filtered and sent to the [spam folder](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/) or rejected altogether. This makes it much harder for anyone to misuse your domain and turns DMARC into something that actually stops fraudulent emails, not just something that reports them.

## How to transition from “p=none” to “p=quarantine” or “p=reject” seamlessly and effectively?

As your email ecosystem gets more complex with multiple sending systems, the transition from **monitoring to enforcement** mode becomes more strategic and critical. Moving too quickly to enforcement in such an environment can lead to legitimate emails being blocked or filtered. This is why it is recommended that you take a structured and phased approach. Here’s how you can transition from “p=none” to “p=quarantine” and subsequently “p=reject” in an effective manner:

[![legitimate emails ](https://media.mailhop.org/duocircle/images/2026/01/spf-record-check-6610.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-record-check-6610.jpg)

### Understand your email ecosystem first

_The first step to effective DMARC implementation is having a clear view of your email ecosystem_. This means identifying all the servers that send emails on your behalf, such as marketing tools, **customer support systems**, transactional email services, and [third-party vendors](https://www.upguard.com/blog/third-party-vendor), etc. Once you know what systems are actively sending emails, you can start validating whether they are expected and properly configured. 

### Fix SPF and DKIM issues, if any

Before you move to a stricter DMARC policy, thoroughly review DMARC reports to identify where SPF and [DKIM](/resources/what-is-dkim) are failing and which sending systems are affected. It is important to ensure that **all legitimate sources** are passing SPF and/or DKIM, and that the domains are aligned with your DMARC policy.

[![dmarc enforcement](https://media.mailhop.org/duocircle/images/2026/01/spf-validator-7865.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-validator-7865.jpg)

### Move to “p=quarantine” gradually

_After you are sure that SPF and DKIM issues have been properly addressed for all legitimate sending sources, you can move on to “p=quarantine” in a controlled manner_. Start by applying the policy to a small percentage of traffic using the ‘pct’ tag, giving you room to validate enforcement while keeping legitimate **email delivery stable**. If you are confident that your legitimate emails are passing through without issue, you can gradually increase the percentage until “p=quarantine” is fully applied.

[![ legitimate email delivery](https://media.mailhop.org/duocircle/images/2026/01/sender-policy-framework-6610.jpg)](https://media.mailhop.org/duocircle/images/2026/01/sender-policy-framework-6610.jpg)

### Move on to “p=reject” once you are confident with the setup

Implement “**p=reject” only after p=quarantine** has been in place for some time without causing delivery issues. At this stage, DMARC reports should show all your legitimate emails passing through and landing in recipients’ inboxes, and only unauthenticated emails should be failing SPF and [DKIM checks](/resources/dkim-checker). Now you can confidently move to p=reject, knowing that your **email environment is stable**. With this policy in place, emails that fail DMARC checks will be blocked entirely and will not reach recipients.

If you are struggling to ensure secure, seamless email delivery, chances are your **DMARC setup** is still in monitoring mode. Transitioning to enforcement enables you to respond to authentication failures, prevent unauthorized email delivery, and protect your domain from misuse. To get started with your DMARC enforcement journey, contact [DuoCircle](/) today.

## Topics

cyber securityDKIMspf 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  DMARC 6m  A guide to detecting DMARC problems using the pentesting techniques  Oct 3, 2024 ](/blog/dmarc/a-guide-to-detecting-dmarc-problems-using-the-pentesting-techniques/)[  DMARC 5m  How does DMARC make cold emailing more effective?  Jun 26, 2025 ](/blog/dmarc/how-does-dmarc-make-cold-emailing-more-effective/)[  DMARC 6m  How to safeguard your online presence with MFA and DMARC?  Apr 2, 2025 ](/blog/dmarc/how-to-safeguard-your-online-presence-with-mfa-and-dmarc/)[  DMARC 17m  SPF Record Generator: Create Accurate SPF Records for Email Authentication  Apr 1, 2025 ](/blog/dmarc/spf-record-generator-create-accurate-spf-records-for-email-authentication/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’","description":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’ It’s 2026, and email-based attacks remain one of the major concerns for organizations.","url":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/","datePublished":"2026-01-08T17:00:06.000Z","dateModified":"2026-01-08T17:27:46.000Z","dateCreated":"2026-01-08T17:00:06.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/"},"articleSection":"dmarc","keywords":"cyber security, DKIM, spf","wordCount":806,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2026/01/dmarc-report-6754.jpg","caption":"DMARC enforcement","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"DMARC"},{"@type":"ListItem","position":3,"name":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’","item":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"DMARC","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’","item":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’","description":"DMARC enforcement best practices: Moving from ‘none’ to ‘reject’ It’s 2026, and email-based attacks remain one of the major concerns for organizations.","url":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/","datePublished":"2026-01-08T17:00:06.000Z","dateModified":"2026-01-08T17:27:46.000Z","dateCreated":"2026-01-08T17:00:06.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/dmarc-enforcement-best-practices-moving-from-none-to-reject/"},"articleSection":"dmarc","keywords":"cyber security, DKIM, spf","wordCount":806,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2026/01/dmarc-report-6754.jpg","caption":"DMARC enforcement","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```