DMARC p=none Explained: What It Means and When to Move Beyond It
Understand what DMARC p=none policy means, why it's a starting point but not a destination, and how to transition to p=quarantine or p=reject.
Setting DMARC to p=none is often the first step in email authentication, but many domains stay there indefinitely. This guide explains what p=none means, its limitations, and how to progress to stronger policies.
What Does p=none Mean?
The p= tag in DMARC defines what receivers should do when authentication fails:
| Policy | Meaning | Action on Failure |
|---|---|---|
| p=none | Monitor only | Deliver normally, just report |
| p=quarantine | Suspicious treatment | Send to spam/junk |
| p=reject | Block completely | Reject the message |
With p=none, you're saying: "I want to know about authentication failures, but don't take action on them."
Why Start with p=none?
Starting with p=none is recommended because:
1. Visibility Without Risk
You can see what's happening without breaking legitimate email:
- Identify all sources sending as your domain
- Find authentication configuration issues
- Discover unauthorized senders
- Learn your email ecosystem
2. Gradual Implementation
Email authentication is complex:
- Multiple sending services
- Legacy systems
- Third-party vendors
- Marketing platforms
p=none lets you discover and configure each source before enforcement.
3. Prevent Self-Inflicted Damage
Jumping straight to p=reject with incomplete configuration:
- Blocks legitimate email
- Disrupts business operations
- Creates support tickets
- Damages reputation with recipients
Think of p=none as "observation mode"—you're watching and learning before acting.
The Problem with Staying at p=none
While p=none is a good start, it provides no protection:
No Spoofing Prevention
Attackers can still send email pretending to be your domain. Receivers will:
- See authentication failures in reports
- Deliver the spoofed email anyway
- Not protect your recipients
Compliance Issues
Some regulations and best practices require enforcement:
- PCI-DSS recommends DMARC enforcement
- Some industries require p=quarantine or p=reject
- Partner requirements may mandate enforcement
Lost Brand Trust
Spoofed email that appears to come "from you" damages recipients' trust:
- Phishing attacks using your brand
- Spam from your domain
- Malware distribution
BIMI Incompatibility
BIMI logo display requires enforcement:
- Gmail requires p=quarantine or p=reject
- Apple Mail requires enforcement
- No VMC without enforcement
Understanding Your DMARC Reports
With p=none, you should be receiving DMARC aggregate reports. Analyze them for:
Sources Passing DMARC
These are legitimate—document them:
- Your primary email server
- Marketing platforms (Mailchimp, HubSpot, etc.)
- Transactional services (SendGrid, SES, etc.)
- CRM systems (Salesforce, etc.)
Sources Failing DMARC
Investigate each one:
- Legitimate but misconfigured: Fix authentication
- Forwarded email: Expected SPF failures
- Unauthorized/spoofing: Enforcement will block these
Transitioning to Enforcement
1. Collect and analyze reports
Review 2-4 weeks of DMARC reports to understand your email sources.
2. Document all legitimate senders
List every service that sends email as your domain.
3. Fix authentication for each sender
Configure SPF and DKIM for every legitimate source.
4. Move to p=quarantine with low pct
Start enforcing on a small percentage of failures.
5. Increase pct gradually
Raise the percentage as confidence grows.
6. Move to p=reject
Full enforcement once authentication is complete.
Using the pct Tag
The pct= tag lets you enforce on a percentage of messages:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
This means:
- 10% of failing messages go to spam
- 90% of failing messages deliver normally
- You still get reports for all failures
Gradual Enforcement Example
| Week | Policy | Notes |
|---|---|---|
| 1-4 | `p=none` | Collect data, identify sources |
| 5-6 | `p=quarantine; pct=10` | Test enforcement on 10% |
| 7-8 | `p=quarantine; pct=25` | Increase if no issues |
| 9-10 | `p=quarantine; pct=50` | Monitor for problems |
| 11-12 | `p=quarantine; pct=100` | Full quarantine |
| 13+ | `p=reject` | Move to reject policy |
Example DMARC Records
Starting Point (Monitoring)
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Beginning Enforcement
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
Full Quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Full Rejection
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Common Reasons Domains Stay at p=none
"We'll get to it later"
Enforcement gets deprioritized. Set a deadline and stick to it.
"We're not sure we've found everything"
You never will be 100% sure. Use pct to test gradually.
"The reports are confusing"
Use DMARC report analysis tools to make sense of the data.
"We don't want to break anything"
That's why pct exists. Start small.
"We don't have time"
Spoofing attacks cost more time. Prioritize accordingly.
Monitoring After Enforcement
After moving beyond p=none:
Watch For
- Spike in report failures — Might indicate missed source
- User complaints — Legitimate email being quarantined
- Delivery drops — Check with major providers
Keep Reports Enabled
Even with p=reject, keep receiving reports:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Regular Audits
Quarterly, verify:
- All sending sources still configured
- No new services need authentication
- Report volume is consistent
Don't assume "set and forget." Email infrastructure changes. Keep monitoring.
What About Subdomains?
The sp= tag controls subdomain policy:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
This means:
- example.com uses p=reject
- Subdomains use p=quarantine
If no sp= tag is present, subdomains inherit the p= policy.
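To check what a published record actually enforces, the pct= and sp= rules from this guide can be resolved in code. This is an added example, not part of the original guide; the function names and result keys are hypothetical, and the fallback for mail outside the pct sample follows RFC 7489 (the next-lower policy), which also covers p=reject with pct below 100.

```python
# Next-lower policy applied to failing mail outside the pct sample (RFC 7489).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p", "").lower() not in NEXT_LOWER:
        raise ValueError("missing or invalid p= tag")
    return tags


def effective_policy(record, subdomain=False):
    """Resolve what a receiver applies to failing mail for the domain or a subdomain."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if subdomain:
        # Without sp=, subdomains inherit p=.
        policy = tags.get("sp", policy).lower()
    if policy not in NEXT_LOWER:
        raise ValueError("invalid sp= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    return {
        "policy": policy,
        "pct": pct,
        "rest_gets": NEXT_LOWER[policy] if pct < 100 else policy,
        "enforcing": policy != "none" and pct > 0,
        "reports": "rua" in tags,
    }


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"
    print(effective_policy(rec), effective_policy(rec, subdomain=True))
```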
When p=none Makes Sense
Legitimate reasons to stay at p=none:
- First 2-4 weeks — Initial data collection
- Major infrastructure changes — New email services
- Post-acquisition — Integrating new domains
- Debugging issues — Temporarily while fixing problems
But always have a plan to return to enforcement.
p=none is a starting point, not a destination. Use it to learn your email ecosystem, then progress to enforcement. Your domain, your brand, and your recipients all benefit from DMARC protection that actually protects.