The enforcement journey.
DMARC only stops spoofing once you reach p=reject.
But you don't leap there. You climb, one safe step at a time, so you never block a legitimate
email on the way up. Here's the ladder, and how dmarcula tells you when it's safe to take the next
rung.
The three rungs
- p=none: Monitor. Reports flow in; nothing is blocked. Every domain starts here. You're building a complete picture of who sends email as you.
- p=quarantine: Filter. Mail that fails DMARC is sent to spam/junk instead of the inbox. The cautious middle rung, a safety net that catches spoofing without hard-bouncing anything.
- p=reject: Block. Failing mail is refused outright. This is the destination: real protection. Spoofed mail in your name simply doesn't get delivered.
How to climb safely
The whole game: never advance until your legitimate mail is fully authenticated and aligned. The order that works:
- Stay at none until the picture is clean. Watch until your authentication rate is high and steady, and every legitimate sender (your mail platform, marketing tools, ticketing system) is identified and passing SPF or DKIM with alignment.
- Fix the gaps first. Hunt down sources that should pass but don't: a new ESP you forgot to set up, a tool sending without DKIM.
- Ramp with pct. You don't have to apply a new policy to all mail at once. pct=25 applies quarantine or reject to a quarter of failing mail, as a controlled test. Step it up: 25 → 50 → 100.
- Give each rung a week or two. Mail patterns vary by day and week. Let a rung settle and watch for surprises before climbing.
- Then reject. Once quarantine has run clean at 100%, p=reject is a small, confident step.
dmarcula does the watching. You don't have to track all this in your head. The journey card on your dashboard watches your authentication rate and your senders, tells you which rung you're on, and nudges you forward the moment the data says the next step is safe, and holds you back when it isn't.
Watch out for
- Don't skip to reject. The most common mistake, and it bounces real mail. Earn each rung.
- Don't forget subdomains. A separate sp= policy governs subdomains, so lock those down too, or they become the spoofer's open door.
- Forwarding breaks SPF. DKIM saves you. Forwarded mail and mailing lists often fail SPF because the path changed. A valid, aligned DKIM signature survives forwarding, which is why getting DKIM right on every sender matters before you enforce.
- Mind your third parties. Marketing platforms, invoicing tools, help desks. Each needs SPF/DKIM set up and aligned, or they'll fail the moment you enforce.
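The ladder and the sp= caveat above, as an added example (not dmarcula's code): a small Python check that reads a published DMARC record, reports the current rung, names the next one in the 25 → 50 → 100 ramp, and warns when sp= is weaker than p=. The helper names and sample records are assumptions made for illustration; the script only reads the record, so whether the next rung is safe still depends on your reports.

```python
# Added example. The records below are constructed; next_step() is a hypothetical helper.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
RAMP = (25, 50, 100)  # the pct steps used on this page

def parse_dmarc(txt):
    """Parse a DMARC TXT record; pct defaults to 100 and sp defaults to p."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()
    if p not in STRENGTH or sp not in STRENGTH:
        raise ValueError("missing or invalid p=/sp= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {"p": p, "sp": sp, "pct": pct}

def next_step(txt):
    """Return (current rung, next rung or None, warnings) for a published record."""
    rec = parse_dmarc(txt)
    p, sp, pct = rec["p"], rec["sp"], rec["pct"]
    warnings = []
    if STRENGTH[sp] < STRENGTH[p]:
        warnings.append(f"sp={sp} is weaker than p={p}: subdomains are less protected")
    if p == "none":
        rung, nxt = "p=none", "p=quarantine; pct=25"
    elif pct < 100:
        # Mid-ramp: move to the next pct step at the same policy.
        rung = f"p={p}; pct={pct}"
        nxt = f"p={p}; pct={next(s for s in RAMP if s > pct)}"
    elif p == "quarantine":
        rung, nxt = "p=quarantine", "p=reject"
    else:
        rung, nxt = "p=reject", None  # top of the ladder
    return rung, nxt, warnings

if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=25",
                   "v=DMARC1; p=reject; sp=none"):
        print(record, "->", next_step(record))
```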
What's next
- Investigating sources: find and fix the senders holding you back.
- Reading your dashboard: where the journey card lives.
- Check your current rung on your dashboard.