Cold Email8 min read

Your Prospect Enforces DMARC p=reject. Here's What That Changes for Your Outreach

Nearly half of all DMARC-publishing domains in the top million — 47.16% — now enforce their policy. If your target does, some outreach tactics stop working entirely and others become mandatory. A guide to reading the policy before you send.

DMARC is usually discussed as something senders configure. But it cuts both ways: the domain you are emailing publishes a policy too, and that policy tells you how seriously its mail infrastructure takes authentication. As of the 2026-07-05 snapshot of our daily email infrastructure report, 459,124 domains in the Tranco top-1M publish DMARC, and 47.16% of them enforce — meaning p=quarantine or p=reject at full coverage. That is not a fringe posture anymore. For an SDR, a prospect's DMARC record is a free pre-flight signal: it predicts what their filters will do to your message and which shortcuts will get you burned.

025k50k75k100k202420252026114kp=quarantine112kp=reject
Domains publishing DMARC p=quarantine vs p=reject in the Tranco top-1M, 2023–2026. Source: our daily OpenINTEL-based scan.

The enforcement landscape in one paragraph

Of the 459,124 DMARC records we track, 234,559 — 51% — still sit at p=none, monitoring without acting. The enforcing half split in a notable way in June 2026: quarantine (114,824 domains) overtook reject (114,390) for the first time in the dataset. Companies increasingly stop at quarantine rather than going all the way to reject. For you as a sender the difference is practical: a reject-domain drops failing mail before anyone sees it, while a quarantine-domain shunts it to spam where a curious prospect might still find it. Neither is where you want to live.

What actually breaks when the prospect enforces

1. Lookalike and cousin domains stop being clever

Some outbound teams register lookalike domains — companyname-hq.com, getcompanyname.io — to protect their main domain's reputation. That is fine. What enforcement kills is the older, dirtier trick: putting the prospect's own brand or a spoofed colleague address anywhere in the From field. An enforcing receiver validates alignment between the From domain and the authenticated domain; anything that smells like impersonation of an enforced domain is dropped or quarantined mechanically, no human judgment involved.

2. Misaligned sending tools fail silently

The most common self-inflicted wound: your sequencer, CRM or mail merge tool sends "from" your domain but authenticates as itself. SPF passes for the tool's domain, DKIM signs with the tool's key, and DMARC alignment for your From domain fails. Receivers at p=none shops often let this through. Enforcing receivers are the ones that also tend to scrutinize inbound authentication hardest — the same security posture that made them deploy reject makes their inbound filtering stricter. Your message arrives looking exactly like the spoofing their policy exists to stop.

3. Reply-chain and forwarding tricks degrade

Tactics that involve forwarding, "re:" fake threads, or routing through intermediate mailboxes all add hops where authentication can break. Against a security-mature receiver, every broken hop is another reason to junk you.

How to check the prospect's policy in five seconds

One DNS query per domain:

  1. Run dig TXT _dmarc.prospect.com +short.
  2. Read the p= tag: none means monitoring only, quarantine means failing mail goes to spam, reject means it is refused outright.
  3. Check pct= if present — a value under 100 means partial rollout; treat it as enforcement anyway.
  4. No record at all? The domain is less security-mature — but its mailbox provider's defaults still apply.

Batch this across your list and you get a free security-maturity segment: enforcing domains correlate with stricter gateways, security teams and procurement processes — useful signal well beyond deliverability.

Enforcement is a two-sided check

The same lookup applies to you. If your sending domain sits at p=none — like 51% of DMARC publishers — security-conscious receivers notice. A cold email from a non-enforcing domain, hitting a reject-enforcing company, starts the conversation with a credibility gap.

The sender-side checklist for enforcing targets

  • Align everything. SPF and DKIM must both pass for the exact From domain your sequences use, including any subdomain. One misaligned tool in the stack poisons the segment.
  • Enforce your own domain. Move from p=none through quarantine to reject on your sending infrastructure. It protects your brand and reads as maturity to the receivers most likely to check.
  • Drop impersonation-adjacent tactics for the enforcing segment entirely: no spoofed threads, no brand-borrowing From names.
  • Watch bounces per segment. Reject-domains give you a clean, immediate signal when alignment breaks — use it as an early-warning system for your whole setup.

Before pointing a sequence at an enforcing segment, verify the whole chain end to end: send to a seed inbox and confirm SPF, DKIM and DMARC all pass as received, not as configured. An inbox placement test shows you the authentication verdicts a real receiver computes on your actual message — the exact thing a p=reject prospect's filter will evaluate before any human reads a word.

FAQ

Does a prospect's p=reject policy block my cold email?

Not by itself. DMARC governs mail claiming to be from the prospect's own domain. Your cold email from your own domain is judged by their spam filters, not their DMARC policy — but enforcing domains typically also run stricter inbound filtering, so authentication failures cost more.

Is quarantine meaningfully different from reject for a sender?

Yes. Reject refuses failing mail at SMTP time, giving you a bounce. Quarantine delivers it to spam, giving you silence. As of June 2026, quarantine domains (114,824) outnumber reject domains (114,390) in the top-1M for the first time.

Should my own outreach domain use p=reject?

Work up to it. Start at p=none with rua reporting, confirm every legitimate tool aligns, then move to quarantine and finally reject. Jumping straight to reject with a misaligned sequencer in the stack silently kills your own outbound.

How current are these DMARC numbers?

They come from the 2026-07-05 snapshot of our daily OpenINTEL-based scan of the Tranco top-1M, covering 459,124 DMARC records. The daily report and its JSON API update every day, so the split shifts slightly over time.
Related reading
Found this useful? Share it
AB
About the author
Artem Berezin
B2B Deliverability Specialist

B2B deliverability specialist with 5+ years of hands-on outreach experience. Built campaigns reaching 90,000+ inboxes across 20+ countries — and fixed the deliverability problems that came with that scale.

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required