Defaults.Exposed

Defaults.Exposed › Reports

You Set DMARC to p=none — Here's Why You're Still Exposed (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. “Enforcing” means a DMARC policy of quarantine or reject. See how we grade.

Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.

If your DMARC record says p=none, your domain can still be impersonated — the record is monitoring, not protecting. This is the most common false-security trap in email: p=none looks like DMARC is “done,” passes a casual compliance check, and does nothing to stop a forgery. As of 2026-06-29, 14.29% of all domains sit at p=none — actually more than the 10.59% that reach an enforcing policy.

What p=none actually does

DMARC has three policies, and only two of them protect you:

p=none exists for a reason: it’s the safe first step, where you collect reports and confirm your legitimate mail passes before you turn on enforcement. The trap is stopping there. A domain parked at p=none indefinitely is, from an attacker’s point of view, identical to a domain with no DMARC at all — the forged email still lands in the inbox.

The numbers show most domains stop too early

DMARC stateShare of domainsProtected?
No DMARC record75.11%No
p=none (monitor only)14.29%No — the trap
Enforcing (quarantine/reject)10.59%Yes

Put together, 89.41% of domains can be impersonated — and a big slice of those have a DMARC record, just not an enforcing one. They did the hard part and stopped one step short of the protection.

How to get from p=none to protected

You don’t jump straight to reject. The safe path, once your reports show legitimate mail passing:

  1. Confirm alignment at p=none — check the DMARC reports show your real senders (SPF/DKIM) passing.
  2. Move to p=quarantine — failing mail goes to spam. Watch for a week or two.
  3. Move to p=reject — failing mail is refused. This is the setting that actually stops impersonation.

It’s a deliberate progression, not a one-time switch — but the destination is enforcement. See how to fix DMARC.

Frequently asked questions

Does p=none stop email spoofing? No. p=none only monitors — receiving servers still deliver forged mail. Only p=quarantine or p=reject stops impersonation. 14.29% of domains are stuck at p=none.

Is p=none better than no DMARC? Only for you, as a temporary step to gather reports. For protection against impersonation, it’s equivalent to having none — the forgery still gets through.

How long should I stay at p=none? Just long enough to confirm your legitimate mail passes — typically a few weeks — then move to quarantine and reject. Indefinite p=none is the trap.

How do I know if I’m enforcing? Check your domain (below) — it reads your actual policy and tells you whether it’s enforcing, monitor-only, or absent.

Check whether your DMARC actually protects you

p=none is a checkpoint, not a destination. Check your domain free and private — see your real policy and the path to enforcement.

Check your domain → · Fix DMARC → · Can someone spoof your domain? → · Aggregate data only. Data stored and processed in the EU.