DMARC Deployment Plan: p=none to p=reject in 30 Days (UK 2026)

Quick Answer: Move DMARC from p=none to p=reject in four phases over 30 days: week 1 publish DMARC at p=none with reporting; week 2 fix every legitimate sender failing alignment; week 3 switch to p=quarantine; pct=10, ramp to 100; week 4 switch to p=reject; pct=100. The hardest part isn’t the DNS — it’s spotting every third-party platform you forgot about. Run our free email security checker at the start and end to confirm where you’re heading.

Most UK SMEs we audit have DMARC published… at p=none. Stuck there for years. p=none isn’t enforcement — it’s a reporting mode that lets attackers’ spoofed messages through unchallenged. Until you reach p=quarantine or p=reject, your domain is still spoofable in real-world phishing campaigns.

The reason most rollouts stall is fear of breaking legitimate email. That fear is reasonable: tighten too fast and you can lose Mailchimp campaigns, Stripe receipts or NHS mail server alerts. This guide is a 30-day plan that has worked across hundreds of UK SME deployments — cautious enough to spot every legitimate sender, fast enough that you finish in a month, not a year. If you’d rather have us run the full deployment as part of a managed Cyber Essentials certification, that’s included in the monthly subscription from £103/month.

Why p=none isn’t finished

The DMARC standard defines three policy values:

  • p=none — receive aggregate reports about messages that fail SPF or DKIM, but deliver them anyway. Monitoring only.
  • p=quarantine — failing messages are delivered to spam folders instead of the inbox.
  • p=reject — failing messages get blocked outright at the receiving server, before they reach any inbox.

Only p=reject stops phishing campaigns spoofing your domain. The 2025 IASME Requirements for IT Infrastructure v3.2 references DMARC as a recommended control, and assessor guidance increasingly pushes back on submissions stuck at p=none indefinitely. The 2025 Cyber Security Breaches Survey found that 84% of all reported breaches against UK businesses started with phishing, and properly enforced DMARC blocks the spoofing technique behind most of those campaigns at the receiving server.

The good news: if you have SPF correct, DKIM enabled and DMARC at p=none with reports flowing, you’ve already done the hard 80%. The remaining 20% is the rollout this guide walks through.

Pre-flight (day 0): get the basics right

Before starting the 30-day clock, confirm three things or the rollout will stall.

0.1 SPF is correct

SPF must exist, be valid (single record, under 10 lookups), and end in ~all or -all. Run our email security checker — if SPF shows warn or fail, fix that first. Common issues: multiple SPF records on the same domain, exceeding the 10-lookup limit, ending in ?all or +all.

0.2 DKIM signs every legitimate sender

DKIM is required for DMARC alignment to be meaningful. Every legitimate platform you send through should be signing with a valid DKIM signature. Microsoft 365 and Google Workspace make this trivial; third-party platforms like Mailchimp, HubSpot or SendGrid each need their own DKIM setup in their portal. Our M365 SPF/DKIM/DMARC guide covers the M365 side step-by-step.

0.3 You have a DMARC report parser ready

Aggregate reports are XML attachments — useless without a parser. Pick one before publishing the DMARC record:

  • dmarcian — free tier covers a single domain with up to 25,000 messages/month. Best UI for SMEs.
  • EasyDMARC — free tier covers 5,000 messages/month. Strong remediation playbooks.
  • Postmark DMARC Digests — weekly summary email, completely free, basic but useful.
  • Microsoft Sentinel / Defender — if you’re already in the Microsoft security stack, raw DMARC ingest can land in Sentinel.

Sign up for one, get the dedicated rua= mailbox address, and we’ll use that in step one.

Week 1 (days 1–7): publish DMARC at p=none

The week-one record is conservative on purpose. We’re only watching, not enforcing.

Host:   _dmarc
Type:   TXT
Value:  v=DMARC1; p=none; rua=mailto:<your parser’s rua address>; ruf=mailto:<optional ruf address>; pct=100; adkim=r; aspf=r; sp=none
TTL:    3600

Note sp=none — subdomain policy. Belt and braces: every subdomain (mail, news, marketing, etc.) inherits p=none until we decide otherwise.

Day 1–3: nothing to do

DMARC reports are generated daily but emailed in batches. The first reports usually arrive 24–48 hours after the record goes live. Don’t panic if your parser shows nothing on day 1.

Day 4–7: read your first reports

Open your parser dashboard and look at the volume + alignment columns. You’ll see something like:

  • Microsoft Outlook — passing SPF and DKIM, fully aligned. Good.
  • Mailchimp — passing DKIM (their key) but not aligned (signing as mcsv.net not your domain). Action: enable Mailchimp’s “Authenticate Domain” feature so DKIM signs as your domain.
  • SendGrid — SPF passing, DKIM not signing at all. Action: enable DKIM in SendGrid’s “Domain Authentication” panel.
  • Unknown IP — failing both SPF and DKIM. Action: identify the source. Could be a forgotten internal mail server, a hosted recruitment tool, or actually a spoofing attempt — either way, don’t move forward until you know.

Make a list of every legitimate sender that’s failing alignment. The action for each one is either: add to SPF, enable DKIM in their portal, or both.
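The same triage run against the raw XML, as an added example (not code from any of the parsers named above): it reads an aggregate report in the RFC 7489 layout and lists every source that failed DMARC, together with the domains that actually authenticated. The report, the IP addresses and example.com are constructed sample data, and failing_sources is a name chosen here.

```python
import xml.etree.ElementTree as ET  # for real, untrusted attachments prefer defusedxml
from collections import defaultdict

# Constructed report in the RFC 7489 aggregate layout (documentation IPs, example.com).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>mcsv.net</domain><result>pass</result></dkim>
   <spf><domain>mcsv.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def failing_sources(report_xml):
    """List ((source_ip, header_from, dkim, spf), count) for rows that failed DMARC,
    largest first. dkim/spf show which domain authenticated, to explain the failure."""
    totals = defaultdict(int)
    for rec in ET.fromstring(report_xml).iter("record"):
        aligned = rec.find("row/policy_evaluated")
        if "pass" in (aligned.findtext("dkim"), aligned.findtext("spf")):
            continue  # DMARC passes when either aligned check passes
        dkim = ",".join(f"{d.findtext('domain')}={d.findtext('result')}"
                        for d in rec.findall("auth_results/dkim")) or "unsigned"
        spf = ",".join(f"{s.findtext('domain')}={s.findtext('result')}"
                       for s in rec.findall("auth_results/spf")) or "none"
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"), dkim, spf)
        totals[key] += int(rec.findtext("row/count"))
    return sorted(totals.items(), key=lambda item: -item[1])

if __name__ == "__main__":
    for (ip, header_from, dkim, spf), count in failing_sources(SAMPLE_REPORT):
        print(f"{count:>5}  {ip:<15} From:{header_from}  DKIM:{dkim}  SPF:{spf}")
```

The second record is the Mailchimp pattern from the list above: DKIM and SPF both pass, but for mcsv.net rather than the From: domain, so neither is aligned and DMARC fails.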

Week 2 (days 8–14): fix every failing legitimate sender

Week 2 is the most labour-intensive week of the rollout but also the most valuable — it’s when you find every shadow-IT email tool nobody told you about.

2.1 The SPF lookup-count trap

If your SPF was already at the 10-lookup RFC 7208 limit, adding new include: directives breaks it. Two options:

  1. SPF flattening. A SaaS like dmarcian, EasyDMARC or Mailhardener will dynamically resolve all your includes, flatten them to IP ranges, and serve a single include: directive that stays under the limit.
  2. Macro-based includes. EasyDMARC’s “include macro” effectively does the same thing — one stable include directive at your domain that EasyDMARC keeps current.

Either approach takes about 30 minutes to set up and removes the 10-lookup limit as a constraint forever.
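To see how close a record is to the limit before adding another include:, the added example below (not from any of the tools named above) counts the lookup-consuming terms listed in RFC 7208 section 4.6.4 across nested includes, and also flags the pre-flight problems from section 0.1: multiple SPF records and a ?all or +all ending. The zone data and the .example sender names are constructed, get_txt stands in for a live TXT query, and audit_spf is a name chosen here.

```python
import re

COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4

def audit_spf(domain, get_txt, path=()):
    """Return (dns_lookups, problems) for a domain's SPF record, following include:
    and redirect= as a receiver would. get_txt(name) returns a list of TXT strings."""
    if domain in path:
        return 0, [f"include loop via {domain}"]
    records = [t for t in get_txt(domain) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: found {len(records)} SPF records, need exactly one"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, arg = re.match(r"([a-z0-9]*)[:=/]?(.*)", term.lstrip("+-~?").lower()).groups()
        if name == "all" and not path and qualifier in "+?":
            problems.append(f"{domain}: ends in {qualifier}all, use ~all or -all")
        if name in COUNTED:
            lookups += 1  # the term itself costs one lookup
        if name in ("include", "redirect"):
            nested, nested_problems = audit_spf(arg, get_txt, path + (domain,))
            lookups += nested  # plus everything the referenced record costs
            problems += nested_problems
    if not path and lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is 10")
    return lookups, problems

# Constructed zone data (reserved example names) standing in for live DNS TXT lookups.
ZONE = {
    "example.com": ["v=spf1 mx include:one.example include:two.example include:three.example ~all"],
    "one.example": ["v=spf1 include:a.one.example include:b.one.example include:c.one.example -all"],
    "two.example": ["v=spf1 a mx ip4:198.51.100.0/24 -all"],
    "three.example": ["v=spf1 a mx -all"],
    **{f"{h}.one.example": ["v=spf1 ip4:192.0.2.0/24 -all"] for h in "abc"},
}

def lookup(name):
    return ZONE.get(name, [])

if __name__ == "__main__":
    print(audit_spf("example.com", lookup))
```

The apex record shows only four lookup terms, but the three includes pull in seven more, which is how a record that looks short ends up over the limit.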

2.2 DKIM on third-party platforms

For each legitimate sender failing DKIM in your reports, follow the platform’s “domain authentication” or “DKIM signing” setup. The flow is broadly the same on every platform: they generate a DKIM public key, you publish it in DNS as a CNAME or TXT, the platform verifies the publication, you toggle signing on.

  • Mailchimp — Account → Settings → Domains → Authenticate.
  • HubSpot — Settings → Domains & URLs → Connect domain → Email sending.
  • SendGrid — Settings → Sender Authentication → Domain Authentication.
  • Salesforce Marketing Cloud — Setup → Sender Authentication Package.
  • Brevo (Sendinblue) — Senders → Domains → Authenticate this domain.

2.3 Re-check at end of week 2

By day 14 your DMARC reports should show every legitimate sender passing alignment. If anything is still failing, do not move to week 3 until it’s fixed — tightening DMARC with broken legitimate senders means lost email.

Week 3 (days 15–21): switch to p=quarantine, ramp pct

Week 3 is where we start enforcing. Switch to p=quarantine, but only on a small percentage of mail at first — pct=10. Receiving servers will quarantine 10% of failing messages and continue to deliver the other 90% as before. This catches any remaining legitimate-sender breakage in 10% slices, without losing 100% of broken mail at once.

Day 15: set pct=10

v=DMARC1; p=quarantine; pct=10; rua=mailto:<parser>; ruf=mailto:<optional>; adkim=r; aspf=r; sp=quarantine

Day 17: set pct=50

If reports look clean (no surprise legitimate senders failing), bump to pct=50. Wait two days.

Day 19: set pct=100

Final stage of week 3. Full p=quarantine; pct=100. Every spoofed message claiming to be from your domain now lands in receivers’ spam folders.

Day 20–21: monitor

Watch the reports closely for any spike in failing volume. If a marketing campaign launches in this window from a sender you didn’t fix in week 2, this is when it’ll show up.

Week 4 (days 22–30): switch to p=reject

The home stretch. p=reject is the goal — spoofed messages don’t even reach the spam folder; they’re blocked at the receiving SMTP server.

Day 22: set pct=10 on reject

v=DMARC1; p=reject; pct=10; rua=mailto:<parser>; ruf=mailto:<optional>; adkim=r; aspf=r; sp=reject

The remaining 90% stays at p=quarantine by default. If reports stay clean, bump pct over the next week.

Day 25: set pct=50

Day 28: set pct=100

Final record. Full enforcement.

v=DMARC1; p=reject; pct=100; rua=mailto:<parser>; ruf=mailto:<optional>; adkim=r; aspf=r; sp=reject

Day 30: verify

Run our email security checker. You should see “DMARC at p=reject; pct=100 — strongest policy” and a substantial jump in your overall score. Send a test message through a spoofing-test service (for example, the free test at MX Toolbox or a similar tool) and confirm it’s blocked at the receiving server, not just filed into spam.

Common DMARC rollout mistakes

The same five issues account for most failed or stalled rollouts:

  • Stuck at p=none indefinitely. The whole point of DMARC is enforcement; monitoring forever isn’t safer, it’s just incomplete. Set a calendar reminder when you publish p=none — if you’ve been at p=none for more than 60 days, something is wrong with the rollout, not the technology.
  • Missing the marketing team’s shadow ESPs. The classic deliverability incident: marketing has been sending through Mailchimp for two years, IT only noticed Outlook. Always read DMARC reports for the full week 1–2 window, ask marketing what tools they use, and check the company expense reports for “Mailchimp”, “HubSpot”, “Brevo”, etc.
  • Subdomain policy missed. If you have p=reject on the apex but no sp= tag, subdomains default to inheriting the apex policy — which is what you want. But if a subdomain has its own DMARC record at _dmarc.subdomain.yourdomain.co.uk, that overrides the apex. Audit every subdomain DMARC before tightening.
  • Bookings, surveys and recruitment tools. Tools that “send on your behalf” (Calendly meeting confirmations, Typeform survey emails, Workable recruitment notifications) are the most-forgotten senders. They almost always need both an SPF include and DKIM signing.
  • Treating ~all + p=quarantine as enough. SPF soft-fail with DMARC quarantine is genuinely an improvement over nothing, but you’re not at the goal until you’re at SPF -all and DMARC p=reject. Don’t stop early.

What if reports stay quiet?

Sometimes — particularly for very small businesses with low outbound volume — week 1 and 2 reports show very little data. You may only get reports from Google, Microsoft and Yahoo, totalling a few hundred messages a day. That’s fine, and the rollout still works — the relevant question isn’t “how much volume?” but “are all the senders I see passing alignment?”.

However: if your reports are completely empty after 7 days, the most likely cause is the rua= address pointing at the wrong place. Verify by sending a manual test — most parsers offer a “send test report” feature. If that doesn’t reach the parser, fix the address before doing anything else.

How Connection Technologies handles DMARC rollout

For our managed Cyber Essentials customers, the full DMARC rollout from p=none through p=reject is included in the monthly subscription. We host the DMARC report ingest, watch for legitimate-sender failures during the rollout, fix them in the third-party platforms ourselves, and tighten the policy on a weekly cadence. Total customer involvement: about 30 minutes for the kick-off call and signing off the final p=reject change. Everything else happens in the background.

If you’d rather just verify your domain before booking a quote, run the email security checker — it’ll tell you exactly where your DMARC policy is today and what the next step should be.

Frequently asked questions

Why is the recommended rollout 30 days and not faster?

30 days gives you two clean weeks of report data before tightening, which is enough time to spot legitimate senders that only run weekly or fortnightly campaigns. If you tighten faster, you’re more likely to break a low-volume sender that wasn’t in the first week’s reports. Faster than 14 days is genuinely risky; faster than 7 days is reckless.

Can I skip p=quarantine and go straight to p=reject?

You can, but we don’t recommend it for SMEs. The two-step quarantine → reject rollout gives you one extra week of buffer where breakage falls into spam folders rather than getting bounced. Spam folder is recoverable; bounce is not. The extra week is worth it.

What does pct=10 actually mean technically?

The receiving server hashes the message and applies your policy to a deterministic 10% of failing messages. The other 90% fall back to the previous less-strict policy (in our rollout, that’s p=none for the first p=quarantine; pct=10 step, then p=quarantine for the p=reject; pct=10 step). This means a single legitimate sender that’s failing alignment will see roughly 10% of its messages affected, not 0% or 100%, which gives you proportionate visibility.
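The fallback rule, worked through for the week 3 and week 4 records, as an added example rather than code from this guide or from any receiver: it parses a DMARC record, works out which policy applies to the apex or to a subdomain (including a subdomain's own record overriding the apex, as covered under common mistakes), and gives the expected split of failing messages for a given pct. The rua address, the stray subdomain record and the function names are constructed for illustration.

```python
from collections import Counter

FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict of tags, validating v, p and pct."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in FALLBACK:
        raise ValueError("need v=DMARC1 and p=none|quarantine|reject")
    tags["pct"] = int(tags.get("pct", 100))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be 0-100")
    return tags

def effective_policy(apex_record, subdomain=False, subdomain_record=None):
    """Return (policy, pct) a receiver uses for mail From: the apex or a subdomain."""
    if subdomain and subdomain_record:  # a record at _dmarc.<subdomain> overrides the apex
        tags = parse_dmarc(subdomain_record)
        return tags["p"], tags["pct"]
    tags = parse_dmarc(apex_record)
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return policy, tags["pct"]

def expected_split(policy, pct, failing):
    """Expected dispositions for `failing` DMARC-failing messages under policy and pct."""
    enforced = round(failing * pct / 100)
    return dict(Counter({policy: enforced}) + Counter({FALLBACK[policy]: failing - enforced}))

# The guide's records, with a constructed rua address in place of <parser>.
RUA = "rua=mailto:dmarc@example.com; adkim=r; aspf=r"
DAY_15 = f"v=DMARC1; p=quarantine; pct=10; {RUA}; sp=quarantine"
DAY_22 = f"v=DMARC1; p=reject; pct=10; {RUA}; sp=reject"
DAY_28 = f"v=DMARC1; p=reject; pct=100; {RUA}; sp=reject"
STRAY = "v=DMARC1; p=none"  # constructed leftover record on one subdomain

if __name__ == "__main__":
    for label, record in (("day 15", DAY_15), ("day 22", DAY_22), ("day 28", DAY_28)):
        print(label, expected_split(*effective_policy(record), 200))
    print("subdomain with stray record:", effective_policy(DAY_28, True, STRAY))
```

With the day 28 record in place, the subdomain carrying the stray p=none record is still unenforced, which is why the subdomain audit belongs before the final tightening.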

Will moving to p=reject hurt my deliverability?

The opposite. Major receivers (Google, Microsoft, Yahoo) treat p=reject as a positive signal that your domain takes email security seriously, which slightly improves inbox placement of your legitimate mail. Concern about deliverability is a common reason rollouts stall, but the data shows the concern is misplaced.

Do I need to redo the rollout if I add a new sender after p=reject?

No — once you’re at p=reject, the policy stays. When you add a new sender, you set up SPF + DKIM for it as you would normally, and the next day’s DMARC reports tell you whether it’s aligned. If it’s not, you fix it (or it just doesn’t deliver). The whole point of the rollout is to get the discipline in place once.

Can I do this myself without a managed service?

Absolutely — this guide is the literal checklist we use internally, and free tier parsers like dmarcian or EasyDMARC are sufficient for most UK SMEs. The reasons our customers choose to have us do it are time saved (about 8–12 hours of admin spread over 30 days), the in-platform fixes on third-party ESPs, and the audit trail we keep for Cyber Essentials evidence. If those don’t apply to you, run it yourself — the result is identical.
