Publish an initial DMARC TXT record at _dmarc.yourdomain.com of the form `v=DMARC1; p=none; rua=mailto:YOUR_INBOX` (v=DMARC1 must be the first tag). With p=none receivers take no action on failing mail but still send aggregate reports, so mail flow is unaffected. If the rua address lives on a different domain than the one publishing the record, that reporting domain must publish an authorisation TXT record at yourdomain.com._report._dmarc.reportingdomain containing `v=DMARC1` (RFC 7489 section 7.1), or receivers will silently refuse to send reports there.
Monitor aggregate reports for at least 90 days to identify every legitimate sending source, including marketing tools, transactional ESPs, support and ticketing platforms, and forwarding services. Group the report rows by source IP and map each IP to the system that owns it; unexplained IPs are either spoofing or a sender nobody told you about.
Once legitimate traffic shows a DMARC pass rate of 98% or higher, move to p=quarantine with pct=10 so that receivers quarantine only 10% of failing messages and treat the remaining 90% under p=none; watch delivery metrics closely. A message passes DMARC when either aligned DKIM or aligned SPF passes, so the residual failures are usually forwarders and mailing lists that break SPF (and sometimes DKIM) and that you cannot authenticate on your side.
Ramp the pct tag gradually: 10 for two weeks, then 25, 50 and 75 for two to three weeks each, before setting pct=100 at quarantine, confirming at each step that no unexpected source starts failing.
When quarantine at pct=100 is stable, switch to p=reject so receivers refuse messages that fail both aligned SPF and aligned DKIM. pct applies here too: p=reject with pct=50 rejects half of the failing mail and quarantines the rest, so reject can be staged the same way. Receivers are not obliged to honour the requested action; some apply quarantine where reject is requested, so do not treat reject as a guarantee.
Leave the rua= reporting address in place permanently, and keep reading the reports, because new sending sources and configuration drift (an ESP changing IPs, a DKIM selector rotated without publishing the new key) show up there first.
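The rollout above turns on two things the page does not show: reading the aggregate (rua) reports to get a per-source pass rate, and advancing along the pct ramp only when that rate clears the threshold. The following is an added example, not code from the page's author: it parses a constructed report in the RFC 7489 aggregate XML format, summarises aligned results per source IP, and picks the next stage of the ramp. The IPs, organisation names and the rua mailbox are invented.

```python
"""Summarise a DMARC aggregate (rua) report and suggest the next rollout stage.

Added example for the staged rollout described above; not the page's own code.
SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate-report format.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: an aligned primary MTA, an ESP that is DKIM-aligned
# but not SPF-aligned, and an unknown forwarder that fails both.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>10</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""

# The page's ramp: none, then quarantine at rising pct, then reject.
STAGES = [("none", 100), ("quarantine", 10), ("quarantine", 25),
          ("quarantine", 50), ("quarantine", 75), ("quarantine", 100),
          ("reject", 100)]


def summarise(report_xml):
    """Return {source_ip: (messages, dmarc_passes)} from one aggregate report."""
    root = ET.fromstring(report_xml)
    per_ip = defaultdict(lambda: [0, 0])
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes when
        # either aligned DKIM or aligned SPF passes.
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        per_ip[ip][0] += count
        if passed:
            per_ip[ip][1] += count
    return {ip: tuple(v) for ip, v in per_ip.items()}


def pass_rate(summary):
    """Overall fraction of messages that passed DMARC."""
    total = sum(t for t, _ in summary.values())
    passed = sum(p for _, p in summary.values())
    return passed / total if total else 0.0


def failing_sources(summary):
    """Source IPs with at least one DMARC failure: the list to investigate."""
    return sorted(ip for ip, (t, p) in summary.items() if p < t)


def next_stage(policy, pct, rate, threshold=0.98):
    """Advance one step along STAGES only when the pass rate clears threshold."""
    idx = STAGES.index((policy, pct))
    if rate < threshold or idx == len(STAGES) - 1:
        return STAGES[idx]
    return STAGES[idx + 1]


def dmarc_record(policy, pct, rua="mailto:dmarc-reports@yourdomain.com"):
    """Render the TXT record for a stage; v=DMARC1 must be the first tag."""
    return f"v=DMARC1; p={policy}; pct={pct}; rua={rua}"


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    rate = pass_rate(summary)
    print(f"pass rate {rate:.1%}; failing sources: {failing_sources(summary)}")
    print("next record:", dmarc_record(*next_stage("none", 100, rate)))
```

In practice you feed this every report from every receiver for the whole monitoring window rather than one file, and you keep a separate allow-list of IPs you have positively identified; a source that fails because it is a forwarder is a different problem from a source that fails because an ESP was never DKIM-signed with your domain.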
Known gotchas
Rushing from p=none to p=reject in a few weeks almost always causes legitimate mail loss, because the senders that fail are the ones nobody remembered to check; for most organisations a safe timeline is roughly six to nine months.
Third-party senders (ESPs, CRMs, ticketing tools) must produce aligned SPF or DKIM before you enforce. DKIM alignment (a d= domain matching the From domain, signed with a key you publish under your own selector) is the robust choice for third parties, since SPF alignment requires them to use a return path on your domain. Check every `<source_ip>` in your aggregate reports before tightening policy.
Subdomains inherit the organizational domain's p= policy unless that record sets sp= (which applies only to subdomains) or the subdomain publishes its own _dmarc.subdomain.yourdomain.com record with its own p=. An sp=none on the apex record is a common way to leave subdomains unenforced while the apex moves to reject; be aware that this also leaves unused subdomains open to spoofing.
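Because the sp= tag lives on the organizational domain's record, not on the subdomain's, it is easy to get the subdomain gotcha backwards. The following added example (not the page's own code) resolves the effective policy for a From domain the way RFC 7489 section 6.6.3 describes: look for a record at the exact domain first, otherwise fall back to the organizational domain and prefer its sp= over its p=. DNS is replaced by a constructed dict of TXT records, and the organizational domain is derived from a tiny stand-in for the public suffix list; both are assumptions of this example.

```python
"""Effective DMARC policy for a (sub)domain, per RFC 7489 section 6.6.3.

Added illustration for the subdomain gotcha above; not code from the page's
author. SUFFIXES and RECORDS are constructed stand-ins for the public suffix
list and for live DNS.
"""

# Constructed stand-in for the public suffix list.
SUFFIXES = {"com", "co.uk"}

# Constructed zone data: DNS name -> TXT record.
RECORDS = {
    "_dmarc.yourdomain.com":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.legacy.yourdomain.com":
        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
}


def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """One label below the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain
    return domain


def lookup(name, records):
    """Return the tag dict for a valid DMARC record at name, else None."""
    record = records.get(name)
    if record:
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def effective_policy(from_domain, records=RECORDS):
    """Return (policy, source); source names the record and tag that applied.

    A record at the exact domain wins; otherwise the organizational domain's
    sp= applies to subdomains, and its p= only if sp= is absent. A missing p=
    is treated leniently as none here; RFC 7489 requires p= to be present.
    """
    exact = f"_dmarc.{from_domain}"
    tags = lookup(exact, records)
    if tags:
        return tags.get("p", "none"), f"{exact} p="
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None, "no record"
    org_name = f"_dmarc.{org}"
    tags = lookup(org_name, records)
    if not tags:
        return None, "no record"
    if "sp" in tags:
        return tags["sp"], f"{org_name} sp="
    return tags.get("p", "none"), f"{org_name} p="


if __name__ == "__main__":
    for d in ("yourdomain.com", "mail.yourdomain.com", "legacy.yourdomain.com"):
        print(d, "->", effective_policy(d))
```

Run against your own zone, this is the check to make before assuming a subdomain is covered: a subdomain that only ever appears in the receiver's policy_published block as inheriting sp=none is one an attacker can use freely even after the apex is at reject.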