At Deliverability Summit 2026 in Barcelona this April, David Finger of Seznam stated it plainly: “p=none provides no real protection.” That single sentence reframed how the room thought about DMARC. For years, p=none was treated as a safe monitoring stance. In 2026, it is a reputation liability. Mailbox providers are scoring domains on enforcement posture, and the gap between p=none and p=reject is now visible in inbox placement data.
The shift has numbers behind it. Finger pointed to engagement decay as the dominant placement signal: 60% of newsletters are deleted within 24 hours, 30% within one second, and only 12% are read for more than 5 seconds. Authentication no longer earns you the inbox. It earns you the right to compete for it. If your DMARC record still says p=none in Q2 2026, you are competing with one hand tied.
Why p=reject Became the Baseline, Not the Goal
The historical advice was cautious: deploy p=none, monitor reports for 30 to 90 days, move to p=quarantine, then eventually to p=reject. That timeline assumed providers were neutral about the policy itself. They no longer are.
Finger confirmed that Seznam, like several other European and US providers, factors enforcement policy directly into reputation scoring. A domain at p=reject signals operational maturity. A domain at p=none signals that the sender either does not understand authentication or is not willing to defend it. The reputational delta is small per message but compounds across millions of sends.
The practitioners pushing back at the Summit were not arguing that p=reject is wrong. They were arguing that the path to it is harder than vendors suggest, particularly for organizations with shadow IT, third-party senders, and legacy transactional flows. None of that is an excuse to stay at p=none. It is a reason to start the audit this quarter.
Action this week: pull your last 30 days of DMARC aggregate reports and list every IP and source sending under your domain. Anything you cannot identify is the reason you are not at p=reject yet.
Microsoft Now Wants Both SPF and DKIM to Pass
The second shift came from the Microsoft session. Standard DMARC alignment requires SPF or DKIM to pass and align. Microsoft’s deliverability team made it clear that for high-volume senders, they now expect both SPF and DKIM to pass independently, not just one. Single-mechanism alignment is increasingly treated as a yellow flag at Outlook.com and Hotmail.
This matters for two reasons. First, many ESPs default to DKIM-only alignment when senders skip SPF configuration on custom return paths. That setup passes DMARC but fails Microsoft’s stricter expectation. Second, Microsoft acknowledged at the Summit that they have an intermittent DKIM verification bug that was still unfixed as of April 2026. Senders relying on DKIM alone have no fallback when that bug fires. SPF alignment is the safety net.
If you send to consumer Microsoft domains at any meaningful volume, dual alignment is no longer optional. Audit your Return-Path domain, confirm it aligns with the From domain, and verify SPF includes your actual sending infrastructure rather than inherited records from a previous ESP.
Action this week: send a test message to an Outlook.com address and inspect the headers. Both spf=pass and dkim=pass should appear, and both should align with your From domain. If only one aligns, you have work to do.
BIMI Is the Next Reputation Accelerator
BIMI was the topic that generated the most hallway conversation in Barcelona. Finger described it as “slowly getting up” but reported “significant impact” on open rates when logos display in the inbox. The mechanism is simple: a verified logo signals legitimacy to the recipient before they read the subject line, and that pre-attention boost shows up in engagement metrics, which then feed back into reputation.
The prerequisite is DMARC p=reject. Without it, BIMI does not render. This is the practical reason p=reject moved from “best practice” to “baseline” in 2026. It is the gate to the next layer.
Two paths exist for BIMI deployment:
- VMC (Verified Mark Certificate): full trust, logo displays in Gmail, Apple Mail, Yahoo, and a growing list of providers. Requires a registered trademark and a certificate from DigiCert or Entrust. Annual cost, real diligence.
- a=self assertion: interim path. Logo displays in some providers without VMC. Lower trust signal, but a viable bridge while you secure the trademark or certificate.
The reputation effect is not theoretical. Senders who deployed BIMI in 2025 reported open rate lifts in the mid single digits, and Finger confirmed Seznam treats verified BIMI as a positive reputation input. That is rare. Most reputation signals are negative or neutral.
Action this week: publish a BIMI record with a=self pointing to a properly formatted SVG Tiny PS logo. You can deploy this in an afternoon if your DMARC is already at p=reject. If it is not, you now have a second reason to fix that.
A Practical Sequence for the Next 90 Days
The Summit consensus on rollout order was tighter than expected. Most veterans agreed on this sequence:
- Week 1-2: Audit DMARC aggregate reports. Identify every legitimate sender. Subscribe to a DMARC reporting tool if you do not already have one.
- Week 3-4: Fix SPF and DKIM at every legitimate sender. Confirm both align with your From domain. Test against Outlook.com specifically.
- Week 5-8: Move from p=none to p=quarantine with pct=25, then ramp to pct=100 over two weeks. Monitor reports daily.
- Week 9-10: Move to p=reject. Keep aggregate reporting on indefinitely.
- Week 11-12: Deploy BIMI with a=self. Begin VMC procurement in parallel for the higher-trust path.
This is not aggressive by 2026 standards. It is the minimum viable posture for a sender who wants to stay competitive at Microsoft, Google, Seznam, and the providers that follow their lead. The senders who finished this work in 2025 are the ones now experimenting with AI-readable email structure and absolute-complaint monitoring. The senders still at p=none are explaining to their CMOs why open rates dropped last quarter.
Pull your DMARC report today. The rest follows from what you find.