DMARCGuardian Practical help for DMARC, SPF, DKIM, and BIMI.

Blog · Dmarc

Why DMARC p=none Does not Protect Your Domain (And What Actually Does)

By Dmarcguardian Editorial Team ·

Your domain has a DMARC record. You might feel protected.

You are not.

A recent signal from practitioner communities suggests roughly 37% of domains that publish a DMARC record are still running at p=none, the policy level that tells receiving mail servers to do absolutely nothing when mail arrives that fails DMARC alignment. No block. No quarantine. No action at all.

This is the protection paradox: DMARC adoption is rising, but most "protected" domains are still fully open to email spoofing.

What p=none actually does (and does not do)

When you publish a DMARC record with p=none, you are asking receiving servers to watch your domain and tell you things via aggregate DMARC reports, but you are not asking them to do anything about failures.

v=DMARC1; p=none; rua=mailto:reports@example.com

That record says: "Send me DMARC reports, but let everything through." Nothing more.

p=none is monitoring mode. It is useful for measuring your legitimate mail volume and checking who is sending on your behalf before you lock things down. But it provides exactly zero protection against someone sending mail from your domain to a target.

Why the 37% statistic matters for your domain

You might think: if most domains are at p=none, is spoofing my domain even a real risk?

Yes. Precisely because p=none is so common, attackers know most domains are soft targets.

The 37% figure also means the aggregate protection picture is misleading. When a company sees "DMARC adoption is up across the industry," the implication is that email spoofing is becoming harder. That implication is false for the majority of those adopted domains.

The attack scenario: how p=none domains get abused

An attacker wants to send a phishing email from payroll@yourcompany.com. They check your DMARC record and find p=none. They send mail through a mass email service with the From header set to your domain.

Because your policy is p=none, the receiving mail server checks your DMARC record, sees the policy says "do nothing," and delivers the mail. The attacker never needs to compromise your mail server.

This is the standard operating model for business email compromise (BEC) attacks targeting domains with weak or absent DMARC enforcement.

How to safely move to quarantine, then reject

The fear of breaking legitimate mail is the main reason domains stay at p=none. That fear is reasonable but manageable with a structured migration.

Step 1: Read your DMARC reports first. Before changing anything, review 2-4 weeks of aggregate DMARC reports. Look for all valid sending sources and their alignment status, any third-party senders that send from your domain, and the volume of mail that currently fails DKIM or SPF alignment.

Step 2: Move to p=quarantine. p=quarantine tells receivers to move failing mail to spam, not reject it outright. Watch your DMARC reports for 1-2 weeks after this change. If legitimate mail starts landing in spam folders, find the source and fix the alignment before proceeding.

Step 3: Move to p=reject when reports are clean. p=reject is the target state. You are ready when aggregate reports show near-zero alignment failures for legitimate sources and all third-party senders are properly aligned.

How DMARC reports reveal the gap before you change policy

DMARC reports are the only real window into who is sending mail from your domain, both authorized and unauthorized. A sudden spike in failed alignment from a source you do not recognize is often the first signal of an attack in progress.

How DMARCFlow helps you move to strict safely

The transition from p=none to p=quarantine to p=reject requires ongoing monitoring of aggregate DMARC reports to catch legitimate senders that unexpectedly fail alignment.

DMARCFlow monitors your DMARC reports daily and alerts you to new alignment failures, giving you the visibility needed to safely move through the enforcement levels without breaking your mail.

Conclusion: adoption does not equal protection, enforcement does

Having a DMARC record is better than nothing. But if your policy is p=none, your domain is essentially open for impersonation.

The migration path is straightforward, monitor reports, move to quarantine, watch for breakage, then move to reject. The risk is not the policy change. The risk is changing it without looking at the reports first.

Your DMARC adoption number means nothing. Your DMARC enforcement level is what matters.