DEV Community

InboxGreen

Posted on • Originally published at inboxgreen.email

DMARC p=none is not protecting your domain: when to upgrade

p=none is the right place to start with DMARC. It is not the right place to stay.

Most teams add a DMARC record, see it show as passing, and move on. But p=none means receiving servers do nothing when authentication fails. They log it, maybe send you a report, and deliver the email anyway. Someone spoofing your domain while you are on p=none has a clear path to your recipients' inboxes.

What the policy tag controls

The p= tag tells receiving servers what to do with emails that fail DMARC evaluation:

  • p=none: no action, monitor and report only
  • p=quarantine: deliver to spam or junk folder
  • p=reject: refuse delivery entirely

None of these affect emails that pass DMARC. The policy only kicks in on failures.

When to upgrade

Before moving off p=none, you need confidence that SPF and DKIM are passing for all your legitimate sending streams:

  1. You have been on p=none for at least two to four weeks and are receiving aggregate reports
  2. The reports show no legitimate sources failing authentication
  3. DKIM is enabled for every service that sends on your behalf

Skip this and go straight to p=reject and you risk blocking your own email.
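The second criterion can be checked mechanically against the aggregate (rua) reports you receive. The following is an added example, not code from the original post or from InboxGreen: it sums DMARC failures per source IP and separates your own senders from unknown ones. It assumes the report is already decompressed XML in the RFC 7489 layout; the `KNOWN_SENDERS` inventory, the sample report and all IPs (documentation ranges) are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: networks your legitimate mail is sent from (hypothetical inventory).
KNOWN_SENDERS = ["192.0.2.0/24", "198.51.100.25/32"]

def _record(ip, count, dkim, spf):
    """Build one constructed <record> with only the fields read below."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample data (documentation IP ranges), not a real report.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")     # aligned on both
    + _record("198.51.100.25", 30, "pass", "fail")   # aligned DKIM alone is enough
    + _record("192.0.2.44", 8, "fail", "fail")       # your own sender, failing
    + _record("203.0.113.7", 15, "fail", "fail")     # not in your inventory
    + _record("203.0.113.7", 5, "fail", "fail")
    + "</feedback>")

def dmarc_failures(report_xml):
    """Return {source_ip: message count} for rows that failed DMARC."""
    # Reports are third-party input: use a hardened parser (e.g. defusedxml) in production.
    failures = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue
        # policy_evaluated holds the aligned results; one "pass" passes DMARC.
        results = {evaluated.findtext(tag, "fail").strip().lower() for tag in ("dkim", "spf")}
        if "pass" not in results:
            failures[row.findtext("source_ip").strip()] += int(row.findtext("count"))
    return dict(failures)

def triage(report_xml, known_senders):
    """Split failing sources into (legitimate, unknown) by sender inventory."""
    nets = [ipaddress.ip_network(n) for n in known_senders]
    legitimate, unknown = {}, {}
    for ip, count in dmarc_failures(report_xml).items():
        addr = ipaddress.ip_address(ip)
        bucket = legitimate if any(addr in net for net in nets) else unknown
        bucket[ip] = count
    return legitimate, unknown

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, KNOWN_SENDERS))
```

Any entry in the first dictionary is your own mail that a stricter policy would quarantine or reject, so fix its SPF or DKIM before upgrading. Entries in the second are either spoofing or senders missing from your inventory.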

The safe upgrade path

Do not jump straight to p=reject. Use the pct tag to roll out gradually:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

pct=10 applies the quarantine policy to only 10% of failing emails. Monitor your reports for a week or two. If no legitimate email is affected, increase to pct=50, then pct=100. Move to p=reject when you are confident nothing legitimate is failing.

Check your current setup

dig TXT _dmarc.yourdomain.com

Or run a full scan at InboxGreen, which shows your current policy, pct value, and alignment settings in one view.

For the full guide with rollout steps and common mistakes: DMARC p=none upgrade guide
