p=none meets the Gmail/Yahoo baseline but blocks nothing. Real protection — and BIMI —
needs p=quarantine then p=reject. Rushing there can block your own mail, so ramp safely.
Step 1 — Monitor at p=none (1–2 weeks)
Publish a record with reports enabled and read them:
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
Use the reports to list every legitimate sender (your ESP, CRM, helpdesk, invoicing tool) and confirm each passes SPF or DKIM with alignment. Fix any that don’t — usually a Return-Path / DKIM alignment issue.
Step 2 — Quarantine a slice, then all
Once every legit sender aligns, move to quarantine, optionally ramping with pct:
v=DMARC1; p=quarantine; pct=25; rua=mailto:you@yourdomain.com
Raise pct to 50, then 100 over a week or two, watching reports for collateral damage.
Step 3 — Reject
When 100% quarantine is clean:
v=DMARC1; p=reject; rua=mailto:you@yourdomain.com
Spoofed mail is now blocked outright, and you’re eligible for BIMI logos.
Tips
- Build each record with the DMARC generator and decode it with the explainer.
- Don’t jump straight to
reject— thenone → quarantine → rejectramp exists so you catch a forgotten sender before it costs you real email.