DNS & Setup

My experience with DMARC p=reject after 6 months. Should you do it

dmarc_demon · 2026-04-21T00:00:00Z

I moved my cold email domains from p=none to p=quarantine to p=reject over 6 months. The progression made a measurable difference in inbox placement. Shari

dmarc_demon · 2026-04-21 · 720 views

I ran DMARC progression on 8 cold email domains over 6 months: p=none for month 1, p=quarantine for months 2-3, p=reject for months 4-6. Here is what happened.

Month 1 (p=none). Pure monitoring. DMARC aggregate reports (rua=) delivered to my reporting inbox. I used Dmarcian to parse reports. Discovered that 12 percent of emails "from" my domains were actually coming from unauthorized sources (likely spoofing attempts and forgotten tools). All legitimate sending flows (Google Workspace through Instantly) were authenticated correctly.

Months 2-3 (p=quarantine). Set DMARC to quarantine. Emails failing SPF and DKIM alignment now went to spam folders at receiving servers. Inbox placement for legitimate cold emails went UP by roughly 8 percent. Theory: receiving servers trust domains with stricter DMARC more, so legitimate emails passing authentication get better inbox placement.

Months 4-6 (p=reject). Moved to p=reject. Any email failing authentication is blocked entirely. Inbox placement for legitimate emails went up another 3-5 percent vs the p=quarantine baseline. Total improvement from p=none to p=reject: 10-13 percent inbox placement lift.

Gotchas I hit. 1) One domain had an old ESP still configured that I had forgotten about. When I moved to p=reject, those emails started bouncing. Had to decommission the ESP properly. 2) Google Workspace calendar invites occasionally failed SPF alignment from a quirk in Google forwarding. Fixed by adjusting SPF to include a specific Google include. 3) Internal forwarding rules at a client broke briefly — forwarded emails arriving at the forwarding destination failed SPF from the original sender. Needed ARC (Authenticated Received Chain) support to fix.

When NOT to move to p=reject. If you have email flowing from tools you cannot fully audit (marketing automation, transactional email, help desk, CRM emails, invoice platforms) — wait. p=reject blocks any unauthenticated mail, and if you have unauthorized flows you do not know about, you will lose legitimate email.

The monitoring setup. Dmarcian or EasyDMARC. $10-30/month. Parses aggregate reports into readable dashboards. You need this to make progression decisions safely.

Conclusion. p=reject is worth the 6-month progression for cold email domains. 10 percent+ inbox placement lift. Just do not skip the monitoring phase or you will lose legitimate email when you flip the switch.