Skip to main content
Vantyris

Email

DMARC p=none does not stop phishing. Here's what to do instead.

Published 2026-04-01 · Last updated 2026-04-01 · Vantyris editorial

If your domain's DMARC record sets `p=none`, your DMARC policy is in monitor-only mode. Receiving mail servers will accept impersonated email from your domain and only send you reports about it. That's useful for the first month while you read the reports, but every week beyond that is a week you've left the front door open. Here's what p=none actually does, when to move on, and the exact change to make.

What this means for your business

How to fix

Once your DMARC aggregate reports are clean (no legitimate mail failing), change the TXT record from p=none to p=quarantine. Stay there for another month, confirm nothing broke, then move to p=reject.

  1. Read your DMARC aggregate reports. Set up a free DMARC aggregator (Postmark, Dmarcian's free tier, or Easydmarc) and pipe your `rua=` reports there for 2-4 weeks. Confirm every sender that appears in the report is legitimate (your transactional ESP, your newsletter tool, your accountant's CRM if it sends in your name). Make sure each one is SPF-authorised and DKIM-signed.
  2. Change the DMARC TXT record. At your DNS provider, edit the existing TXT record at `_dmarc.<yourdomain>`. Change `p=none` to `p=quarantine`. Keep `rua=` so reports keep flowing. Example: `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100`.
  3. Wait 30 days, confirm no legitimate mail broke. Watch the aggregate reports. If a third-party sender shows up failing alignment, fix that sender's SPF or DKIM. Don't move to p=reject until everything in the report is either authenticated or known-junk.
  4. Move to p=reject. Final step. Edit the record again, change `p=quarantine` to `p=reject`. Now any unauthenticated mail claiming to be from your domain is bounced outright. You've closed the impersonation hole.

Owner: Your DNS administrator. Most domain registrars have a DNS panel; your web host's support team will know. · Time: 10 minutes per DNS edit; 4-8 weeks of monitoring between edits.

Common gotchas

How to verify the fix

Use Vantyris's free teaser scan to confirm the new record is published and parses cleanly. Or use any DMARC checker: paste your domain into mxtoolbox.com/dmarc.aspx and confirm the policy reads `quarantine` or `reject`. After a week, your aggregate reports should show >99% authenticated mail.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Will moving from p=none break my email?

It can, if you have a sender that isn't authenticated. That's why you stay on quarantine for a month first. The legitimate mail will land in spam folders rather than disappearing, which is recoverable.

What's the difference between SPF and DMARC?

SPF lists which servers are allowed to send for your domain. DMARC tells receiving servers what to do when SPF or DKIM fails. SPF without DMARC enforcement is observation without consequence.

Do I need DKIM as well?

Yes. DMARC requires either SPF or DKIM to pass and align. Most providers (Google Workspace, Microsoft 365, transactional ESPs) set DKIM up automatically; you just need to verify it's running on each sender.

What's pct=100?

It applies the policy to 100% of mail. You can dial it down during the move (pct=10 means quarantine just 10% while you watch) but most small senders go straight to 100.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0