Defaults.Exposed › Reports
You Set DMARC to p=none — Here's Why You're Still Exposed (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. “Enforcing” means a DMARC policy of
quarantineorreject. See how we grade.
Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.
If your DMARC record says p=none, your domain can still be impersonated — the record is monitoring, not protecting. This is the most common false-security trap in email: p=none looks like DMARC is “done,” passes a casual compliance check, and does nothing to stop a forgery. As of 2026-06-29, 14.29% of all domains sit at p=none — actually more than the 10.59% that reach an enforcing policy.
What p=none actually does
DMARC has three policies, and only two of them protect you:
p=none— “monitor only.” Tells receiving mail servers to report on forged mail but deliver it anyway. No protection. 14.29% of domains.p=quarantine— send failing mail to spam.p=reject— refuse failing mail outright.
p=none exists for a reason: it’s the safe first step, where you collect reports and confirm your legitimate mail passes before you turn on enforcement. The trap is stopping there. A domain parked at p=none indefinitely is, from an attacker’s point of view, identical to a domain with no DMARC at all — the forged email still lands in the inbox.
The numbers show most domains stop too early
| DMARC state | Share of domains | Protected? |
|---|---|---|
| No DMARC record | 75.11% | No |
p=none (monitor only) | 14.29% | No — the trap |
Enforcing (quarantine/reject) | 10.59% | Yes |
Put together, 89.41% of domains can be impersonated — and a big slice of those have a DMARC record, just not an enforcing one. They did the hard part and stopped one step short of the protection.
How to get from p=none to protected
You don’t jump straight to reject. The safe path, once your reports show legitimate mail passing:
- Confirm alignment at
p=none— check the DMARC reports show your real senders (SPF/DKIM) passing. - Move to
p=quarantine— failing mail goes to spam. Watch for a week or two. - Move to
p=reject— failing mail is refused. This is the setting that actually stops impersonation.
It’s a deliberate progression, not a one-time switch — but the destination is enforcement. See how to fix DMARC.
Frequently asked questions
Does p=none stop email spoofing?
No. p=none only monitors — receiving servers still deliver forged mail. Only p=quarantine or p=reject stops impersonation. 14.29% of domains are stuck at p=none.
Is p=none better than no DMARC? Only for you, as a temporary step to gather reports. For protection against impersonation, it’s equivalent to having none — the forgery still gets through.
How long should I stay at p=none?
Just long enough to confirm your legitimate mail passes — typically a few weeks — then move to quarantine and reject. Indefinite p=none is the trap.
How do I know if I’m enforcing? Check your domain (below) — it reads your actual policy and tells you whether it’s enforcing, monitor-only, or absent.
Check whether your DMARC actually protects you
p=none is a checkpoint, not a destination. Check your domain free and private — see your real policy and the path to enforcement.
Check your domain → · Fix DMARC → · Can someone spoof your domain? → · Aggregate data only. Data stored and processed in the EU.