DMARC p=none: What It Means and Why It's Not Protecting You
Your domain has a DMARC record. That sounds good. But if it says p=none, your domain is still fully exposed to email spoofing and your deliverability is still at risk.
6 min read · Email Authentication
The Short Version
p=none means DMARC is watching but not acting. It reports authentication failures to you but tells receiving mail servers to deliver the message anyway — even if it fails SPF and DKIM checks. It is a monitoring mode, not a protection mode.
How DMARC Actually Works
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving mail servers two things: how to evaluate whether an email genuinely came from your domain, and what to do if it doesn't pass that evaluation.
The "what to do" part is controlled by the p= tag. There are three options:
p=noneMonitor Only
Log failures. Deliver the email regardless. No active protection.
p=quarantineSoft Enforcement
Send failing emails to spam/junk instead of the inbox.
p=rejectFull Enforcement
Reject failing emails outright. They never reach the recipient.
What p=none Leaves Open
With p=none, anyone can send email from your domain. They can impersonate your CEO, your finance team, or your support inbox. Those emails will be delivered into your clients' and partners' inboxes with no indication that anything is wrong — because your DMARC record told servers to do nothing about it.
This is not a theoretical risk. Business email compromise (BEC) attacks commonly target domains with p=none precisely because the spoofed emails are more likely to be delivered and trusted.
Why People Stay on p=none
Moving from p=none to p=quarantine or p=reject requires confidence that every legitimate email sender using your domain is properly authenticated with SPF and DKIM alignment. If you enforce DMARC before completing that audit, legitimate emails from marketing platforms, CRMs, or invoicing tools can fail authentication and be blocked.
The correct path is a phased progression:
- Set
p=nonewith a reporting address (rua=) to collect failure data. - Review the DMARC reports to identify all senders and ensure they pass SPF/DKIM.
- Move to
p=quarantineonce all legitimate senders are covered. - After 2-4 weeks of clean reports at quarantine, move to
p=reject.
The problem is that most businesses complete step 1 and never progress. The setup gets lost in a backlog and p=none becomes the permanent state.
The Deliverability Impact
Beyond the security exposure, p=none signals to large mail providers (Google, Microsoft, Yahoo) that your domain has not committed to email authentication enforcement. Major providers have increasingly started applying tighter filtering to domains that lack an enforced DMARC policy, especially since Google and Yahoo's 2024 bulk sender policy updates required p=quarantine or higher for bulk senders.
Check your DMARC policy right now
Free scan — see your exact DMARC configuration, SPF status, and risk level in seconds.
Or book a free 15-min call to have us handle the full progression.