Ready to move DMARC from quarantine to reject
The step people get nervous about. Done right it is a one-minute DNS change, done wrong you block your own invoices.
Try this first
- 1Read the last two weeks of DMARC reports. Are all legitimate sources aligned on both SPF and DKIM? If not, fix those first.
- 2List the edge cases: marketing tool, invoicing platform, helpdesk, HR software. Every SaaS sending on your behalf needs to authenticate cleanly.
- 3Schedule the cutover during a quiet moment, not late Friday. Someone needs to watch DMARC reports and helpdesk for the first 48 hours.
- 4Change p=quarantine to p=reject and keep rua/ruf in place. Aggregate reports keep coming, that is your safety net.
When to bring us in
If you have many forwarders, mailing lists or third parties sending on your behalf, reject carries more risk. We run a dry-run via a test domain before you go live.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.