DMARC Explained: The None to Quarantine to Reject Progression

If you've started researching email security for your New Zealand business, you've likely come across DMARC — Domain-based Message Authentication, Reporting and Conformance. It's the gold standard for stopping criminals from spoofing your domain and sending phishing emails to your customers, staff, and suppliers.

But DMARC isn't something you turn on overnight. It's a journey through three policy stages: none, quarantine, and reject. Skip ahead too quickly and you'll block legitimate emails. Stay on the first stage forever and you've achieved nothing.

This guide walks you through the progression safely.

What Is DMARC (In Plain English)?

DMARC is a DNS record that tells receiving mail servers (like Gmail, Outlook, and Xtra) two things:

  1. What to do with emails claiming to be from your domain that fail DMARC authentication, meaning neither SPF nor DKIM passes in alignment with your domain.
  2. Where to send reports about those emails so you can see who's sending on your behalf.

It sits on top of SPF and DKIM. Without those two in place, DMARC has nothing to enforce. A typical DMARC record looks like this:

_dmarc.yourbusiness.co.nz. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.co.nz; pct=100; adkim=s; aspf=s"

The key part is p= — the policy. That's what we're progressing through.
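As an added example (not code from the original article or from xteam), here is a small Python parser that takes the quoted TXT value of a _dmarc record such as the one above, splits it into its tags, fills in the RFC 7489 defaults (pct=100, adkim=r, aspf=r, and sp inheriting p when absent) and flags records that are syntactically valid but leave you either blind or unprotected. It only inspects strings; nothing here queries DNS.

```python
# Added example: a DMARC TXT record parser/linter, not code from the original article.
# Tag syntax and defaults follow RFC 7489; the record strings in __main__ are constructed samples.
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    p: str
    sp: str
    pct: int
    adkim: str
    aspf: str
    rua: list = field(default_factory=list)
    ruf: list = field(default_factory=list)
    fo: str = "0"
    warnings: list = field(default_factory=list)


def _mailto_list(value: str) -> list:
    """Turn 'mailto:a@x.nz,mailto:b@y.nz' into ['a@x.nz', 'b@y.nz']."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    return [u[len("mailto:"):] if u.lower().startswith("mailto:") else u for u in uris]


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the quoted TXT value of a _dmarc record, applying RFC 7489 defaults.

    Raises ValueError for anything a receiver would discard as invalid.
    """
    tags = {}
    parts = [part.strip() for part in txt.split(";") if part.strip()]
    for index, part in enumerate(parts):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        # v=DMARC1 must come first; otherwise receivers ignore the whole record.
        if index == 0 and (key != "v" or value != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value

    if "p" not in tags:
        raise ValueError("p= tag is required")
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomain policy inherits p= when absent
    if p not in VALID_POLICIES or sp not in VALID_POLICIES:
        raise ValueError("p=/sp= must be none, quarantine or reject")
    pct_text = tags.get("pct", "100")        # default: apply the policy to all failing mail
    if not pct_text.isdigit() or not 0 <= int(pct_text) <= 100:
        raise ValueError(f"pct= must be an integer from 0 to 100, got {pct_text!r}")
    adkim = tags.get("adkim", "r").lower()   # alignment defaults to relaxed
    aspf = tags.get("aspf", "r").lower()
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("adkim=/aspf= must be r (relaxed) or s (strict)")

    record = DmarcRecord(p=p, sp=sp, pct=int(pct_text), adkim=adkim, aspf=aspf,
                         rua=_mailto_list(tags.get("rua", "")),
                         ruf=_mailto_list(tags.get("ruf", "")),
                         fo=tags.get("fo", "0"))
    # Valid syntax, but either blind (no reports) or not protecting anything.
    if not record.rua:
        record.warnings.append("no rua= address: you will never see aggregate reports")
    if record.p == "none":
        record.warnings.append("p=none is monitoring only and blocks nothing")
    elif record.sp == "none":
        record.warnings.append("sp=none leaves subdomains spoofable while the main domain is enforced")
    return record


if __name__ == "__main__":
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.co.nz; pct=100; adkim=s; aspf=s",
                "v=DMARC1; p=reject; pct=25; sp=reject; rua=mailto:dmarc-reports@yourbusiness.co.nz"):
        rec = parse_dmarc_record(txt)
        print(f"p={rec.p} sp={rec.sp} pct={rec.pct} adkim={rec.adkim} aspf={rec.aspf} rua={rec.rua}")
        for warning in rec.warnings:
            print("  warning:", warning)
```

Run it on the record from your own zone file (the part inside the quotes) to confirm the record is valid before you publish it; a record that a receiver discards as malformed behaves exactly like no record at all.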

Why a Gradual Progression Matters

Most businesses have more email senders than they realise: Xero invoicing, Mailchimp campaigns, HubSpot sequences, Microsoft 365, a NZ-hosted CRM, maybe an old website contact form still sending via a shared host. Every one of these needs to be authenticated before you enforce DMARC.

Jump straight to p=reject and legitimate invoices stop reaching clients. That's why we stage it.

Stage 1: p=none (Monitoring Mode)

Purpose: Collect data. Nothing gets blocked.

When you publish a DMARC record with p=none, receiving servers don't change their behaviour — they just send you reports about every email claiming to be from your domain.

Your starting record

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.co.nz; ruf=mailto:dmarc-reports@yourbusiness.co.nz; fo=1

What to do during this stage

  1. Publish the record in your DNS.
  2. Collect reports for 2–4 weeks. These arrive as XML files daily.
  3. Use a DMARC reporting tool to parse them (raw XML is brutal to read).
  4. Identify every legitimate sender. Look for IPs from Microsoft, Google Workspace, your marketing platforms, accounting tools, and NZ providers like SMX or MailGuard.
  5. Fix SPF and DKIM for each legitimate sender until they pass DMARC alignment.

You're ready to move on when 98%+ of your legitimate email volume passes DMARC and you recognise every IP in your reports.
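Step 3 says raw XML is brutal to read; the following Python is an added example rather than the article's own tooling, and shows the minimum a reporting tool does with an aggregate (rua) report: roll up messages per source IP, apply the rule that DMARC passes when either aligned DKIM or aligned SPF passes, compare each IP against the inventory of senders you have identified so far, and apply the exit criterion just described (98%+ of legitimate volume passing and no unrecognised IPs). The report XML, the IP addresses (documentation ranges) and the sender inventory are all constructed for the demo.

```python
# Added example: summarising a DMARC aggregate (rua) report, not code from the original article.
# SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate format; the IPs are documentation
# ranges and KNOWN_SENDERS is an assumed inventory built up during the p=none stage.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>yourbusiness.co.nz</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><dkim><domain>yourbusiness.co.nz</domain><result>pass</result></dkim>
      <spf><domain>yourbusiness.co.nz</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><dkim><domain>mail.marketing-platform.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.marketing-platform.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.co.nz</header_from></identifiers>
    <auth_results><spf><domain>192-0-2-44.unknown.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

# Source IP -> the service you believe it is (constructed inventory for the demo).
KNOWN_SENDERS = {"203.0.113.10": "Microsoft 365", "198.51.100.7": "marketing platform"}


def summarise_report(xml_text: str, known_senders: dict) -> dict:
    """Roll up one rua report per source IP and judge readiness to leave p=none."""
    root = ET.fromstring(xml_text)
    per_ip = {}
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either one passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # auth_results shows which domains actually authenticated, which explains
        # alignment failures (e.g. the platform signed with its own DKIM domain).
        auth = record.find("auth_results")
        dkim_domain = auth.findtext("dkim/domain") if auth is not None else None
        spf_domain = auth.findtext("spf/domain") if auth is not None else None
        stats = per_ip.setdefault(ip, {"total": 0, "passed": 0,
                                       "dkim_domain": dkim_domain, "spf_domain": spf_domain})
        stats["total"] += count
        if passed:
            stats["passed"] += count

    legit_total = legit_passed = 0
    failing_known, unknown_ips = [], []
    for ip, stats in per_ip.items():
        if ip in known_senders:
            legit_total += stats["total"]
            legit_passed += stats["passed"]
            if stats["passed"] < stats["total"]:
                failing_known.append((ip, known_senders[ip], stats["total"] - stats["passed"],
                                      stats["dkim_domain"], stats["spf_domain"]))
        else:
            unknown_ips.append(ip)
    rate = legit_passed / legit_total if legit_total else 0.0
    return {
        "legit_total": legit_total,
        "legit_passed": legit_passed,
        "pass_rate": rate,
        "failing_known": failing_known,
        "unknown_ips": unknown_ips,
        # Exit criterion for Stage 1: 98%+ of legitimate mail passes and every IP is recognised.
        "ready_for_quarantine": rate >= 0.98 and not unknown_ips,
    }


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT, KNOWN_SENDERS)
    print(f"legitimate pass rate: {summary['pass_rate']:.1%} ({summary['legit_passed']}/{summary['legit_total']})")
    for ip, name, failed, dkim_d, spf_d in summary["failing_known"]:
        print(f"  fix {name} ({ip}): {failed} failing; DKIM signed by {dkim_d}, SPF checked {spf_d}")
    for ip in summary["unknown_ips"]:
        print(f"  unrecognised source {ip}: identify it or treat it as spoofing")
    print("ready for p=quarantine:", summary["ready_for_quarantine"])
```

In the constructed report the marketing platform passes DKIM and SPF for its own domains but fails DMARC because neither aligns with yourbusiness.co.nz; that is exactly the "fix SPF and DKIM for each legitimate sender" work of step 5, and the unrecognised IP is what you would investigate before moving on.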

Stage 2: p=quarantine (The Middle Ground)

Purpose: Suspicious emails get sent to spam/junk folders rather than the inbox.

This is where DMARC starts doing actual work. Failing mail is quarantined — usually landing in Junk — but not outright rejected. It's a safety net: if you missed a legitimate sender, the email still arrives (just in the wrong folder) and you can fix it.

Ease into it with pct

Don't jump straight to 100% quarantine. Use the pct tag to apply the policy to only a percentage of failing mail; the rest drops to the next weaker policy (p=none at this stage), so you can watch the effect before widening it:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourbusiness.co.nz; fo=1

Suggested rollout

  1. Week 1–2: p=quarantine; pct=10 — watch reports closely.
  2. Week 3–4: p=quarantine; pct=50 — expand if clean.
  3. Week 5–6: p=quarantine; pct=100 — full quarantine.

If complaints come in ("I didn't get your invoice!"), check your DMARC reports, identify the failing sender, fix their SPF/DKIM, and continue.

Stage 3: p=reject (Full Enforcement)

Purpose: Emails failing DMARC are rejected outright. They never reach the recipient at all.

This is the goal. At p=reject, criminals trying to spoof @yourbusiness.co.nz are stopped cold by Gmail, Outlook, and every major provider. Your domain becomes effectively unspoofable via direct-domain attacks.

Your final record

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.co.nz; fo=1; adkim=s; aspf=s

Again, use pct for a soft landing

v=DMARC1; p=reject; pct=25; sp=reject; rua=mailto:dmarc-reports@yourbusiness.co.nz

Progress from pct=25 → 50 → 100 over a few weeks.

Don't forget subdomains

The sp= tag sets the subdomain policy. If you don't send email from subdomains, set sp=reject immediately — attackers love spoofing accounts.yourbusiness.co.nz or invoice.yourbusiness.co.nz.
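The pct and sp tags interact in a way the record alone doesn't make obvious: when sp= is absent, subdomains inherit p=, and a failing message that falls outside the pct= sample is not ignored but gets the next weaker policy (reject falls back to quarantine, quarantine to none). The Python simulation below is an added example, not code from the original article; it applies a published policy to batches of constructed failing messages so you can see what p=reject with pct=25 and sp=reject actually does to the main domain and to a subdomain. Real receivers sample randomly, so the split is approximate rather than exact.

```python
# Added example, not from the original article: how a receiver applies p=, sp= and pct=
# to a message that fails DMARC (RFC 7489 sections 6.3 and 6.6.4). The policy dicts and
# message batches below are constructed for illustration.
import random

# A message outside the pct= sample gets the next weaker policy, never "no policy".
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def requested_policy(policy: dict, header_from: str) -> str:
    """Pick p= or sp= depending on whether the From domain is the org domain or a subdomain."""
    if header_from == policy["domain"]:
        return policy["p"]
    if header_from.endswith("." + policy["domain"]):
        return policy.get("sp", policy["p"])   # sp= inherits p= when not published
    raise ValueError(f"{header_from} is not covered by the {policy['domain']} record")


def disposition(policy: dict, header_from: str, rng: random.Random) -> str:
    """Disposition for ONE DMARC-failing message, with pct= sampling applied."""
    requested = requested_policy(policy, header_from)
    if rng.randrange(100) < policy.get("pct", 100):
        return requested
    return NEXT_WEAKER[requested]


def simulate(policy: dict, header_from: str, failing_messages: int, seed: int = 1) -> dict:
    """Count dispositions for a batch of failing messages from one From domain."""
    rng = random.Random(seed)                  # seeded so runs are reproducible
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for _ in range(failing_messages):
        counts[disposition(policy, header_from, rng)] += 1
    return counts


if __name__ == "__main__":
    # Stage 3 soft landing from the article: p=reject; pct=25; sp=reject
    staged = {"domain": "yourbusiness.co.nz", "p": "reject", "sp": "reject", "pct": 25}
    print("org domain, 10000 failing:", simulate(staged, "yourbusiness.co.nz", 10000))
    print("subdomain, 10000 failing: ", simulate(staged, "accounts.yourbusiness.co.nz", 10000))
    # Stage 2 start (p=quarantine; pct=10) with sp= left unpublished: subdomains inherit quarantine
    early = {"domain": "yourbusiness.co.nz", "p": "quarantine", "pct": 10}
    print("quarantine pct=10:", simulate(early, "invoice.yourbusiness.co.nz", 10000))
```

Note that at p=reject with pct=25 no failing message is let through untouched: roughly a quarter is rejected and the rest is quarantined, which is why the staged reject is safe once quarantine at pct=100 has been clean for a while.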

A Realistic NZ Timeline

For a typical NZ SMB with 5–15 sending sources, plan on:

  • Weeks 1–4: p=none — monitoring and fixing SPF/DKIM.
  • Weeks 5–10: p=quarantine — gradual rollout via pct.
  • Weeks 11–14: p=reject — staged enforcement.
  • Total: roughly 3–4 months.

Larger organisations with 30+ senders (councils, universities, multi-brand retailers) can easily take 6–9 months. That's normal.

Common Pitfalls to Avoid

  • Forgetting DKIM alignment. SPF alone is fragile: it breaks when mail is forwarded, so DKIM must also align for forwarded mail to still pass DMARC.
  • Ignoring third-party senders. Xero, Shopify, Mailchimp, and HubSpot all need proper DKIM configured against your domain.
  • Leaving p=none forever. Monitoring mode provides zero protection against spoofing. It's a stepping stone, not a destination.
  • Not monitoring reports after reject. New tools get added to your business all the time. Keep watching.

Check Your DMARC Status for Free

Not sure where your domain sits right now? xteam's free MailCheck tool instantly analyses your SPF, DKIM, and DMARC records, flags misconfigurations, and tells you exactly what stage of the progression you're at — and what to do next.

It's built specifically for NZ businesses and takes less than 30 seconds. Run your domain through MailCheck today and start your journey from none to reject with confidence.