Blog
Your DMARC Is Set to p=none. Here's Why That's Still a Problem.
You set up a DMARC record. It says p=none. Your DNS checker shows a green tick. And you're still getting spoofed.
p=none is monitoring mode. It watches failures and reports them. It does not block anything.
So your DMARC record exists — and spoofed emails from your domain still land in inboxes. That's the trap.
What p=none Actually Does
It tells receivers: "If this email fails DMARC, please send me a report about it."
That's it. No quarantine. No rejection. Just a daily XML file to an email address most people never check.
Meanwhile, phishing emails pretending to be from your domain keep getting delivered.
Why Everyone Starts Here (And Gets Stuck)
p=none is the right starting point. You need to see what's failing before you start blocking.
The problem is staying there. Most teams set up p=none, see the green tick, and move on. The reports never get read. The policy never gets tightened.
Months pass. Sometimes years.
What You Should Be Doing Instead
Step 1: Add rua= to your DMARC record so you actually get reports.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Step 2: Wait 2 weeks. Read the reports. Use DomainPreflight's DMARC Report Analyzer — paste the XML, see which senders are failing alignment.
Step 3: Fix the alignment failures. That usually means adding CNAME records for your third-party senders.
Step 4: Move to p=quarantine. Then p=reject.
How Long Should You Stay at p=none?
2-4 weeks if you're actively reading reports. Long enough to catch all your legitimate senders.
Not 6 months. Not "indefinitely for safety." That's just leaving your domain unprotected.
The Fast Check
Run DNS Preflight on your domain. If DMARC shows p=none and you've had the record for more than a month — you need to act.
Check your DMARC policy
Open DNS Preflight →FAQ
Is DMARC p=none doing anything useful?
Yes — it collects reports showing who is sending as your domain. But it blocks nothing. Think of it as surveillance without enforcement.
How do I know when it's safe to move to p=reject?
When your DMARC reports show all legitimate senders passing alignment for 2+ weeks with no unexplained failures.
Will moving to p=reject break my email?
Only if some legitimate senders aren't aligned yet. Fix alignment failures first — then p=reject is safe.
What if I never receive DMARC reports?
Check your rua= address. If it's missing or wrong, you're getting no data. Add rua=mailto:dmarc@yourdomain.com and wait 24 hours.
Can attackers still spoof my domain with p=none?
Yes. p=none provides zero spoofing protection. Spoofed emails still reach inboxes. Only p=reject stops them.