DMARC policy guide: getting safely to p=reject.

The stepwise path from monitoring to full protection — gain certainty without losing legitimate email.

The three stages at a glance

1. p=none: Monitoring, 2–6 weeks
2. p=quarantine: Spam folder, 2–4 weeks
3. p=reject: Full defence, permanent

Recommended timeline: 1–3 months total

Stage 1 — p=none (monitoring)

Goal: understand who is sending under your name. No impact on delivery yet.

"v=DMARC1; p=none; rua=mailto:[email protected]; pct=100"

What you do during this phase:

Reports arrive as XML and are hard to read in raw form. Mailantis parses, aggregates and visualises them — you see at a glance which IP is still not making it.

Stage 2 — p=quarantine (pct=100)

Once the monitoring reports look clean: move the policy directly to quarantine with pct=100. A staged rollout via pct=10/25/50/75 sounds cautious but weakens protection: attackers can randomly hit the unprotected percentage — and the pct value is visible to recipients through aggregate reports anyway.

"v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"

Hold this stage for at least 2–4 weeks and check the reports: once no legitimate senders are ending up in spam and visible spoofing is caught, it is time for p=reject. Prerequisite for the direct jump: stage 1 was carried out properly and all your own senders pass DMARC.

Stage 3 — p=reject

The home straight. From now on, unauthenticated mail is rejected outright by the recipient server — not even visible in spam any more.

"v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; adkim=s; aspf=s"

Common pitfalls

Timeline — guide value

Week | Action
1 | Set up SPF + DKIM for all main systems.
2 | Publish DMARC p=none with rua.
3–6 | Analyse reports, fix deviations.
7–10 | p=quarantine; pct=100. Monitor aggregate reports, check the spam folder for legitimate senders.
11–12 | p=reject.

Frequently asked questions

How do I choose the right pct value?

pct controls what percentage of mail the policy is applied to. Our recommendation: at p=none, pct is irrelevant. When switching to p=quarantine, set pct=100 right away — a staged rollout (10/25/50/75) leaves the unprotected share open to spoofing and is visible in the aggregate report anyway. Instead of tweaking pct, monitor longer at p=none until all your own senders align cleanly.

What about newsletter tools?

Newsletter ESPs (Mailchimp, SendGrid, Brevo) must have custom-domain authentication enabled. Otherwise neither SPF nor DKIM aligns with your From domain, and DMARC fails on mail sent through the ESP.

How do I identify legitimate senders?

From the DMARC aggregate reports: resolve source_ip via reverse lookup, identify the provider, compare volumes. Mailantis recognises the 50 most common providers automatically.
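
The triage described here and in Stage 1 (raw XML reports, volumes per source_ip), as an added Python example that is not Mailantis code or part of the original guide. It assumes un-namespaced RFC 7489 aggregate reports; the sample report, its documentation IPs and the helper names summarise and failing_sources are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate layout, documentation IPs and domain).
SAMPLE = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise(report_xml):
    """Aggregate message counts per source_ip: total, DMARC pass, and SPF-only pass."""
    # Reports are sent by third parties: refuse DTD/entity declarations before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    stats = defaultdict(lambda: {"total": 0, "pass": 0, "spf_only": 0})
    for row in ET.fromstring(report_xml).iter("row"):  # assumes no XML namespace
        ip = row.findtext("source_ip")
        n = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"  # aligned DKIM result
        spf = row.findtext("policy_evaluated/spf") == "pass"    # aligned SPF result
        s = stats[ip]
        s["total"] += n
        s["pass"] += n if (dkim or spf) else 0           # DMARC passes if either aligns
        s["spf_only"] += n if (spf and not dkim) else 0  # breaks when mail is forwarded
    return dict(stats)

def failing_sources(stats):
    """IPs with DMARC-failing mail, largest failing volume first (reverse-lookup these)."""
    bad = {ip: s["total"] - s["pass"] for ip, s in stats.items() if s["pass"] < s["total"]}
    return sorted(bad.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    stats = summarise(SAMPLE)
    for ip, s in stats.items():
        print(ip, s)
    print("investigate:", failing_sources(stats))
```

Sources counted under spf_only pass DMARC through SPF alone and will start failing once their mail is auto-forwarded, so give them aligned DKIM before tightening the policy.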

When is it safe to move to p=reject?

When all aggregate reports have shown for 4+ weeks that 100% of your own senders pass DMARC and that visible spoofing attempts are already landing in spam thanks to p=quarantine.

What happens with auto-forwarding?

With plain forwarding, SPF fails (the sender IP changes). DKIM almost always survives. That is why DKIM is critical for forwarding-resilient DMARC configurations.