A DMARC record with p=none watches your mail and protects none of it. This is the staged path from monitoring to enforcement — and how to get there without burying your own legitimate email.
DMARC p=none is "monitor only — take no action." Mail that fails authentication still gets delivered. Spoofed mail in your name still gets delivered. The only thing p=none does is collect reports. It is a measurement setting, not a protection setting.
That distinction matters because "we have DMARC" feels like a finished job. It isn't. Having a DMARC record at p=none is like installing a security camera that records everyone walking through an unlocked door. You get footage. You stop nobody. To actually stop spoofing and meet inbox-provider requirements, you have to advance the policy to p=quarantine and then p=reject.
In June 2026 we ran live DNS-over-HTTPS authentication checks — SPF, DKIM, DMARC, and MX — on 130 real B2B companies. The DMARC picture was the clearest failure pattern in the whole dataset.
p=none — unenforcedSo nearly four in ten domains did the hard part — they published a valid DMARC record — and then stopped one step short of it doing anything. The reason is almost always the same story:
p=none on purpose. That is correct. You start at none to collect rua reports and learn who sends mail as your domain.p=none never breaks anything — that is the whole point of it. With no forcing function, the policy sits at none indefinitely.p=none is a starting line that a lot of teams mistake for a finish line. The fix is not technical difficulty. It is finishing the staged rollout you already started.
DMARC is designed to be advanced in stages so you can watch the impact before you enforce. Each p value is an instruction to receiving servers about what to do when a message fails to align with SPF or DKIM.
p=none (watch, ~2 weeks)Publish the record with p=none and a rua address, then actually read the aggregate reports. They arrive as daily XML showing every source sending mail as your domain and whether it passed SPF and DKIM alignment. Roughly two weeks covers your normal sending rhythm — your ESP, your CRM, your invoicing tool, your help desk. Your job here is to confirm every legitimate sender is authenticated and aligned, and to spot anything you don't recognise.
p=quarantine (enforce softly)Once the reports are clean and every real sender passes, move to p=quarantine. Now mail that fails DMARC is sent to spam instead of the inbox. This is real enforcement with a safety net: if you missed a sender, its mail goes to junk rather than vanishing. Many teams add pct to ramp gradually, but if your reports are genuinely clean you can go straight to pct=100.
p=reject (full enforcement)After a clean stretch at quarantine with no surprises in the reports, advance to p=reject. Failing mail is now bounced outright — it never reaches the recipient, not even the spam folder. This is the only policy that genuinely stops someone from spoofing your domain, and it is the bar that Google and Yahoo's 2024 bulk-sender rules effectively expect serious senders to clear.
Your DMARC record is a single TXT record at _dmarc.yourdomain.com. Here is a solid quarantine-stage record — the one most domains should be running once their reports are clean:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=r; adkim=r
Reading it tag by tag:
v=DMARC1 — the version. Required, always first.p=quarantine — the policy. Start at none, then move this to quarantine, then reject.rua=mailto:dmarc@yourdomain.com — where aggregate reports are sent. Use a real, monitored mailbox.pct=100 — apply the policy to 100% of failing mail. Lower it to ramp gradually if you want.aspf=r and adkim=r — relaxed alignment for SPF and DKIM. Relaxed lets subdomains align with the parent, which is what most senders need. Switch to s (strict) only when you have a specific reason.To start the process, publish the same record with p=none first, collect reports for about two weeks, then change none to quarantine. The record stays otherwise identical — you are only stepping the policy up.
Do not jump to p=quarantine or p=reject before SPF and DKIM are aligned for every legitimate sender. If you enforce while a real sending source — your CRM, a newsletter platform, a billing system — is failing alignment, you will silently quarantine or bounce your own mail. The damage is invisible: nothing errors, your messages just stop arriving. This is exactly why the none stage and its rua reports exist. Read them, fix every failing legitimate source, and only then enforce.
This is the trap that makes some teams afraid to ever leave p=none — they heard enforcement can break mail, so they freeze. But staying at none forever is not safety. It is leaving your domain spoofable and falling short of what inbox providers now expect. The correct response to the risk is the staged rollout, not permanent paralysis.
Before you touch anything, confirm what your domain publishes today. SPF authorizes your sending IPs in a TXT record at the apex. DKIM signs your mail with a key at selector._domainkey. DMARC ties them together at _dmarc and decides what happens on failure. If your DMARC says p=none, you are in the ~37% — published but unenforced.
Our free tool at /outbound-check/ runs these same live checks and returns an A–F grade in about 60 seconds, no signup. The full dataset and methodology behind the numbers above live in the 2026 benchmark.
We run B2B outbound end to end — domains, authentication, sending infrastructure, and the campaigns on top of them — so problems like a stalled p=none policy never quietly cost you replies. We get paid only when we book qualified conversations, tracked on a public ledger. No retainer for setup theatre, no pressure. If you just want your own DMARC fixed, the guide above and the free check will get you most of the way without us.
Type your domain and get an instant A–F grade on SPF, DKIM, DMARC, and MX — the same live checks we run for clients. No signup.
Run the Outbound Reality Check →No. p=none tells receivers to take no action when mail fails DMARC, so spoofed mail is still delivered. It only collects reports — it enforces nothing.
About two weeks of clean rua reports is usually enough to see every legitimate sender. The point of p=none is to watch, then move on — not to live there.
No. Go none, then quarantine, then reject. Jumping to enforcement before SPF and DKIM are aligned for every legitimate sender can silently bury your own mail.
rua is the address that receives daily aggregate XML reports showing which sources sent mail as your domain and whether they passed SPF and DKIM alignment. It is how you find unauthorized and misconfigured senders before enforcing.