From p=none to p=reject: A DMARC Enforcement Guide with URIports

Email authentication only delivers real protection once enforcement is in place. Many organizations publish DMARC with p=none and assume they are secure. They are not.

p=none is strictly a reporting mode. It asks receiving servers to send aggregate feedback, but it does not tell them to quarantine or reject messages that fail authentication. Spoofed email can still reach inboxes. Attackers can still impersonate your domain.

The objective is to reach an enforced policy of either p=quarantine or p=reject. The important part is reaching that point in a controlled and predictable way. This guide walks through that process step by step using URIports.

Step 1: Start With Proper Monitoring

After following the getting started guide and adding URIports as the domain’s rua destination, aggregate reports will begin arriving within a few days.

Confirm that reports are consistently flowing into URIports. Allow monitoring to run for several weeks so you can build a complete and representative view of your email ecosystem. This period should capture typical activity such as day-to-day business email, monthly invoicing systems, marketing campaigns, customer support platforms, and automated systems or devices.

At this stage, the goal is to collect intelligence about your email flows and build a representative dataset before making any policy decisions or enforcing restrictions.

Step 3: Verify DKIM Is Passing and Aligned

For DMARC to pass, at least one authentication mechanism must both pass and align with the domain in the visible From address. DMARC evaluates two mechanisms for this: SPF and DKIM.

In practice, your primary objective should be DKIM passing with alignment. DKIM is generally more reliable because it survives forwarding scenarios, does not depend on the sending IP address, and provides cryptographic integrity for the message.

Within URIports, review each legitimate sender and confirm that DKIM is passing and aligned with your domain. Use the hostname filter to help identify and review individual sending sources. If a service is sending email but signing with its own domain instead of yours, enable custom DKIM signing. Most reputable email platforms support this configuration.

The end goal is simple: every legitimate sender should consistently pass DKIM with alignment. Only after that condition is met should you consider moving to DMARC enforcement.

Step 4: Review SPF as a Supporting Mechanism

SPF still plays a useful role in DMARC validation, but it should not be the mechanism you rely on most heavily. SPF has several structural limitations; in particular, it often breaks when messages are forwarded.

When reviewing reports in URIports, verify that SPF passes and is aligned when supported by the sending service. SPF is evaluated against the envelope sender (Return-Path) domain, so if SPF is not aligned, your domain’s SPF record is not queried during SPF validation. As a result, adding IP addresses or include mechanisms to your SPF record will not help and may instead lead to permerrors due to excessive DNS lookups.
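A worst-case count of the DNS-querying terms in an SPF record, showing how one more include can cross the lookup limit. This is an added example, not part of the original guide or of URIports; the records and domain names are constructed, and the limit of 10 comes from RFC 7208, not from this page.

```python
# Constructed TXT records standing in for DNS answers; every domain is an example name.
SPF_RECORDS = {
    "example.com": "v=spf1 mx include:_spf.crm.example.net include:_spf.news.example.org ~all",
    "_spf.crm.example.net": "v=spf1 include:_a.crm.example.net include:_b.crm.example.net a:out.crm.example.net ~all",
    "_a.crm.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.crm.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.news.example.org": "v=spf1 include:_n1.news.example.org mx exists:%{i}.rbl.news.example.org ~all",
    "_n1.news.example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.desk.example.net": "v=spf1 a mx exists:%{i}.allow.desk.example.net ~all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding it yields permerror


def count_lookups(domain, records, path=()):
    """Worst-case number of DNS-querying terms evaluated for `domain`, following includes."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in records.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], records, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name == "include":
            total += 1 + count_lookups(target, records, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all need no DNS query
    return total


def add_include(records, domain, target):
    """Return a copy of `records` with include:target placed before the final 'all'."""
    terms = records[domain].split()
    updated = dict(records)
    updated[domain] = " ".join(terms[:-1] + [f"include:{target}", terms[-1]])
    return updated


def exceeds_limit(domain, records):
    """True when a receiver could hit permerror while evaluating `domain`."""
    return count_lookups(domain, records) > LOOKUP_LIMIT
```

The count is a worst case because a real evaluation stops at the first matching mechanism.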

Step 5: Eliminate or Fix Failing Legitimate Sources

With DKIM and SPF visibility in place, the next step is to identify legitimate senders that are still failing authentication. URIports provides filtering and reporting tools that make this easier by highlighting senders that fail DKIM, sources with unusually high failure rates, and unknown IP addresses that appear repeatedly in reports.

For each legitimate sender that fails DKIM, determine the cause. The message may not be signed at all, the signature may be invalid, or the signature may not align with your domain. In most cases, the issue can be resolved by enabling DKIM signing on the platform or adjusting the configuration so the signature uses and aligns with your domain.
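The three failure causes named above, sorted per source IP from a raw aggregate report. This is an added example, not URIports functionality or code from the original guide; the report contents, IP addresses and domains are constructed, and the element names follow the RFC 7489 aggregate report schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 layout; every value is made up.
# Reports come from third parties: outside a demo, use a hardened parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>vendor-mail.example.net</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.77</source_ip><count>9</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim></auth_results></record>
</feedback>"""

def dkim_status(record):
    """Classify one <record> by its DKIM outcome."""
    if record.findtext("row/policy_evaluated/dkim") == "pass":
        return "aligned"      # DKIM passed and aligned with the From domain
    results = [sig.findtext("result") for sig in record.findall("auth_results/dkim")]
    if not results:
        return "unsigned"     # no DKIM signature was reported at all
    if "pass" in results:
        return "unaligned"    # valid signature, but for a different domain
    return "invalid"          # signature present but failed verification

def summarize(report_xml):
    """Return {source_ip: {status: message_count}} for one aggregate report."""
    summary = defaultdict(lambda: defaultdict(int))
    for record in ET.fromstring(report_xml).iter("record"):
        ip = record.findtext("row/source_ip")
        summary[ip][dkim_status(record)] += int(record.findtext("row/count"))
    return {ip: dict(statuses) for ip, statuses in summary.items()}

def unaligned_signers(report_xml):
    """Map source_ip -> signing domains with a valid but unaligned signature."""
    out = {}
    for record in ET.fromstring(report_xml).iter("record"):
        if dkim_status(record) == "unaligned":
            sigs = record.findall("auth_results/dkim")
            out[record.findtext("row/source_ip")] = sorted(
                {s.findtext("domain") for s in sigs if s.findtext("result") == "pass"})
    return out
```

A source listed by `unaligned_signers` is the case where a service signs with its own domain and custom DKIM signing needs to be enabled.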

After making the necessary changes, continue monitoring the reports to confirm that the failures disappear. This process may take some time, as reports reflect real mail flow and improvements appear gradually.

The goal is to reach a point where nearly all legitimate traffic passes DKIM with alignment. Once that happens, the remaining failures will typically fall into very different categories such as random spoofing attempts, automated bot traffic, or clearly malicious senders. That is exactly the situation you want before moving forward.

Step 6: Confirm Stability Over Time

Before changing your DMARC policy, allow the improved configuration to run long enough to prove that it is stable. A short period of good results is not enough. You want to see consistent behavior over time.

In practice, this means observing that legitimate senders reliably pass DKIM, that traffic patterns remain predictable, and that the messages failing DMARC originate from unauthorized sources.

Trend analysis in URIports can help confirm that pass rates remain consistently high and that the overall authentication picture is stable. Enforcement decisions should always be based on sustained data rather than a temporary improvement.

Step 7: Move to an Enforced Policy

Once you are confident that legitimate traffic validates correctly, you can update your DMARC policy from monitoring mode to enforcement.

DMARC provides two enforcement levels: p=quarantine and p=reject. Quarantine signals to receiving systems that failing messages should be treated as suspicious, while reject instructs them to refuse those messages entirely.

If your monitoring data shows that legitimate senders consistently pass DKIM with alignment, p=reject is often the cleanest and most effective final configuration. It stops spoofed messages at the receiving server instead of allowing them to reach the inbox or spam folder.

Monitoring does not stop after enforcement. Reports in URIports will continue to confirm that unauthorized traffic is being handled as intended.

What Success Looks Like

A domain has reached a mature DMARC posture when authentication results become predictable and uneventful. Legitimate mail consistently passes DKIM with alignment, SPF passes where supported, and the remaining failures clearly come from unauthorized sources.

At the same time, there should be no delivery complaints from legitimate senders after enforcement is enabled. Reports will mainly show malicious traffic that is being quarantined or rejected by receiving systems.

At that stage, DMARC is no longer just providing visibility. It is actively protecting your domain from impersonation.

Final Thoughts

Moving from p=none to an enforced policy does not have to be risky when approached methodically. The process is straightforward: monitor your reports, identify all legitimate senders, ensure DKIM alignment across your ecosystem, and confirm that results remain stable over time. With the visibility provided by URIports, the transition to enforcement becomes a deliberate, data-driven step rather than a leap of faith. Once your policy reaches quarantine or reject, your domain is no longer simply being observed. It is actively protected.