DMARC p=none does not stop phishing. Here's what to do instead.
Published 2026-04-01 · Last updated 2026-04-01 · Vantyris editorial
If your domain's DMARC record sets `p=none`, your DMARC policy is in monitor-only mode. Receiving mail servers will accept impersonated email from your domain and only send you reports about it. That's useful for the first month while you read the reports, but every week beyond that is a week you've left the front door open. Here's what p=none actually does, when to move on, and the exact change to make.
What this means for your business
- Anyone can send email from your domain to a Gmail or Outlook recipient and it will land in their inbox looking legitimate. Your customers can be phished through your domain right now.
- DMARC p=none was designed as a staging mode: you publish it for 4 to 8 weeks while you collect aggregate reports and confirm none of your own legitimate mail (newsletters, transactional, third-party senders) is failing SPF or DKIM. After that period, you graduate to p=quarantine and eventually p=reject.
- If you've been on p=none for more than 90 days, you almost certainly should have moved on. Most owners get stuck on p=none because nobody monitored the aggregate reports and they were nervous about breaking legitimate mail.
How to fix
Once your DMARC aggregate reports are clean (no legitimate mail failing), change the TXT record from p=none to p=quarantine. Stay there for another month, confirm nothing broke, then move to p=reject.
- Read your DMARC aggregate reports. Set up a free DMARC aggregator (Postmark, Dmarcian's free tier, or Easydmarc) and pipe your `rua=` reports there for 2-4 weeks. Confirm every sender that appears in the report is legitimate (your transactional ESP, your newsletter tool, your accountant's CRM if it sends in your name). Make sure each one is SPF-authorised and DKIM-signed.
- Change the DMARC TXT record. At your DNS provider, edit the existing TXT record at `_dmarc.<yourdomain>`. Change `p=none` to `p=quarantine`. Keep `rua=` so reports keep flowing. Example: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100`.
- Wait 30 days, confirm no legitimate mail broke. Watch the aggregate reports. If a third-party sender shows up failing alignment, fix that sender's SPF or DKIM. Don't move to p=reject until everything in the report is either authenticated or known-junk.
- Move to p=reject. Final step. Edit the record again, change `p=quarantine` to `p=reject`. Now any unauthenticated mail claiming to be from your domain is bounced outright. You've closed the impersonation hole.
Owner: Your DNS administrator. Most domain registrars have a DNS panel; your web host's support team will know. · Time: 10 minutes per DNS edit; 4-8 weeks of monitoring between edits.
Common gotchas
- Don't skip the monitoring period. Going straight from p=none to p=reject can break legitimate mail and you'll get blame-emails from people whose receipts vanished.
- Make sure you have `rua=mailto:` set to a real address you check. Without aggregate reports, you're flying blind.
- Don't set the SPF record to `~all` and call it good. SPF alone doesn't protect against impersonation; DMARC is what enforces.
How to verify the fix
Use Vantyris's free teaser scan to confirm the new record is published and parses cleanly. Or use any DMARC checker: paste your domain into mxtoolbox.com/dmarc.aspx and confirm the policy reads `quarantine` or `reject`. After a week, your aggregate reports should show >99% authenticated mail.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A1. Firewalls — boundary protection between the internet and your services.
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Will moving from p=none break my email?
It can, if you have a sender that isn't authenticated. That's why you stay on quarantine for a month first. The legitimate mail will land in spam folders rather than disappearing, which is recoverable.
What's the difference between SPF and DMARC?
SPF lists which servers are allowed to send for your domain. DMARC tells receiving servers what to do when SPF or DKIM fails. SPF without DMARC enforcement is observation without consequence.
Do I need DKIM as well?
Yes. DMARC requires either SPF or DKIM to pass and align. Most providers (Google Workspace, Microsoft 365, transactional ESPs) set DKIM up automatically; you just need to verify it's running on each sender.
What's pct=100?
It applies the policy to 100% of mail. You can dial it down during the move (pct=10 means quarantine just 10% while you watch) but most small senders go straight to 100.
References
- NCSC: email security and anti-spoofing NCSC
- RFC 7489 — DMARC IETF RFC
- RFC 7489 §6.3 — DMARC policy actions IETF RFC
Related explainers
- SPF records, explained: the first line of defence against email spoofing.
- What is DMARC, and why every business with a domain needs one.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0