When should I make my DMARC policy stricter?

There are a few different things to take into account when you are considering whether to move your domain's DMARC policy to p=reject, or to p=quarantine as a first step to see how that goes. (See the "Quarantine or Reject" article for guidance on longer-term usage.) If you want an even more gradual rollout, the pct= tag in the DMARC record lets you apply the stricter policy to only a percentage of failing messages at first.

The dmarcian UI does have a Policy Planner function available in the menus, but it is not always entirely clear about the basis for the recommendation it provides, so here is some general guidance you can use to work through this on your own.

  1. Is your DMARC record itself entirely free of errors as indicated on the Domain Overview summary?
    1. Make sure you have appropriate alerting set up, e.g. for DMARC-invalid, so that a later edit to the record does not silently break it.
  2. Is your SPF record entirely free of errors as indicated on the Domain Overview summary? (An SPF permerror, for example from exceeding the 10 DNS lookup limit, means SPF cannot pass for any message, leaving DKIM as your only route to a DMARC pass.)
    1. Make sure you have appropriate alerting set up, e.g. for SPF-invalid.
  3. Do you have at least 2 weeks, or preferably 4 weeks, of DMARC RUA data to review sending trends? Are you confident that every vendor or system that sends mail using your domain has appeared within that time frame, as explorable in the Detail Viewer? Monthly or quarterly mailings (statements, invoices, newsletters) are easy to miss in a short window. In other words: make sure you have accounted for all of your sending sources.
  4. Review the sources visible in the Detail Viewer tabs.
    1. Are any shown as Threat/Unknown actually legitimate? YOU will have to determine this, in the context of your organization and environment. If you do see one or more which you believe are legitimate senders for your domain, you have some work to do to get the sending source(s) compliant (add them to SPF and/or have them DKIM-sign with your domain) before you tighten the policy.
    2. Are all shown as Forwarders (which you care about, either by volume or as a sender) actually passing DMARC via DKIM to your satisfaction? Forwarding replaces the envelope sender, so SPF alignment is lost in transit and only a DKIM signature that survives the forwarder can carry the DMARC pass. If not, you may need to pay attention to DKIM signing by the originating vendor(s).
    3. And most importantly, are all of the sources shown as DMARC Capable passing DMARC with at least 99% success? (Or whatever percentage you are comfortable with, keeping in mind that once the policy is enforced the remainder will be quarantined or rejected rather than delivered.)
    4. The sources which we have rules for and show up named, such as "Sendgrid", have notes (see the 'Guide' links) you should pay attention to, indicating their capability to properly send legitimate authenticated email for your domain; if percentages are not high for those, you need to check into why, and work on making that traffic pass both SPF and DKIM if possible.
      • Note that some items which show up as sources in your DMARC Capable list may actually be forwarders. They will usually be very low volume in comparison to your main sources, so just be aware of this; you will typically ignore those entries or treat them with the same regard as if they were under the Forwarders tab.
    5. If you have sources which appear within the Non-compliant tab, then you may be out of luck: we think you will not be able to get this traffic to pass DMARC. You will need to contact that vendor and see if they have a solution. If by some chance they are capable of sending DMARC-compliant messages for customer domains, let us know and we can update the source listing. If for some reason you do not care about this unauthenticatable traffic, just ignore this item.
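As an added worked example (not dmarcian's code and not part of this article), the script below applies steps 3 and 4.3 of the checklist directly to DMARC aggregate (RUA) report XML: it totals each source IP across reports, computes its aligned DMARC pass rate, lists the sources below your tolerance, and checks that the data covers enough days. The report embedded in it is constructed sample data using documentation IP ranges and made-up counts; the function names, the `ignore` parameter and the 14-day / 99% defaults are assumptions taken from the figures above, not a dmarcian API.

```python
"""Per-source DMARC pass rates from RUA aggregate reports.

Added example, not dmarcian's code and not part of the original article. It
assumes the RFC 7489 aggregate-report XML layout and uses a constructed sample
report (documentation-range IPs, made-up counts).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. Real reports arrive as gzip/zip attachments in your
# RUA mailbox and are untrusted input; parse them with defusedxml in production.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>995</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>60</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>
"""


def parse_report(xml_text):
    """Return (begin, end, rows); rows are (source_ip, count, dmarc_pass)."""
    root = ET.fromstring(xml_text)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    end = int(root.findtext("report_metadata/date_range/end"))
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes when either
        # aligned DKIM or aligned SPF passes (RFC 7489 section 6.6.2).
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        rows.append((row.findtext("source_ip"), int(row.findtext("count")), passed))
    return begin, end, rows


def summarise(reports):
    """Aggregate per source IP across reports; also return the days covered."""
    totals = defaultdict(lambda: [0, 0])  # ip -> [total, passed]
    begin, end = None, None
    for xml_text in reports:
        b, e, rows = parse_report(xml_text)
        begin = b if begin is None else min(begin, b)
        end = e if end is None else max(end, e)
        for ip, count, passed in rows:
            totals[ip][0] += count
            totals[ip][1] += count if passed else 0
    summary = {ip: {"total": t, "passed": p, "pass_pct": 100.0 * p / t}
               for ip, (t, p) in totals.items()}
    days = (end - begin) / 86400 if begin is not None else 0.0
    return summary, days


def below_threshold(summary, threshold_pct=99.0):
    """Sources whose pass rate is under your tolerance (step 4.3 above)."""
    return sorted(ip for ip, s in summary.items() if s["pass_pct"] < threshold_pct)


def ready_for_stricter_policy(reports, min_days=14, threshold_pct=99.0, ignore=()):
    """Steps 3 and 4.3: enough days of data and no unexplained failing source.

    `ignore` (an assumption of this example) lists sources you have deliberately
    written off: spoofers under Threat/Unknown, or Non-compliant vendors whose
    mail you do not care about.
    """
    summary, days = summarise(reports)
    failing = [ip for ip in below_threshold(summary, threshold_pct) if ip not in ignore]
    return days >= min_days and not failing, {"days": days, "failing": failing}


if __name__ == "__main__":
    summary, days = summarise([SAMPLE_REPORT])
    print(f"{days:.1f} day(s) of data")
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} {s['passed']:>6}/{s['total']:<6} {s['pass_pct']:6.2f}%")
    print("ready:", ready_for_stricter_policy([SAMPLE_REPORT]))
```

Run against the sample, 192.0.2.10 passes at 99.5% (995 of 1000, aggregated across its two rows), while 198.51.100.20 (40%) and 203.0.113.5 (0%) fall below the 99% line, and with only one day of data the answer is "not ready". The script only computes the raw numbers; deciding which failing sources are yours to fix, which are forwarders, and which to write off is the judgement the Detail Viewer tabs above are meant to support, and you express that judgement through `ignore`.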