High Severity · DMARC

Fix: DMARC Policy Set to None

Your DMARC record has the policy set to p=none, which means receiving servers will not take any action against emails that fail DMARC checks. This provides no protection against spoofing.

Quick Fix

Change your DMARC policy from `p=none` to `p=quarantine` or `p=reject` after monitoring reports.

What This Error Means

The p=none policy instructs receivers to deliver emails even if they fail DMARC authentication. The DMARC record is in monitoring mode only — it collects reports but does not protect against spoofing or phishing.

Why It Matters

With p=none, attackers can still send spoofed emails from your domain that will be delivered to inboxes. While p=none is a necessary first step for deploying DMARC safely, staying on it long-term leaves your domain unprotected.

Step-by-Step Fix

1. Review your DMARC aggregate reports

Before upgrading the policy, analyze your DMARC reports to understand what email is passing and failing authentication.

Example
dig +short TXT _dmarc.yourdomain.com
# Check current policy and reporting address

2. Ensure SPF and DKIM alignment

Make sure all legitimate email from your domain passes either SPF or DKIM alignment before enforcing a policy.

3. Upgrade to quarantine first

Move to p=quarantine as an intermediate step.

Before
v=DMARC1; p=none; rua=mailto:[email protected]
After
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=50

4. Upgrade to reject

After monitoring quarantine results and confirming no legitimate email is being caught, upgrade to p=reject for full protection.

Before
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=50
After
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]
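
The report review that steps 1 to 4 depend on, as an added example that is not code from this page or its scanner: it parses a DMARC aggregate (rua) report in the RFC 7489 XML layout and lists which sending IPs would be affected by quarantine or reject. The sample report, IP addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
# Real reports arrive from outside parties: parse them with a hardened XML
# parser such as defusedxml rather than the stock one used here.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>yourdomain.com</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")    # own mail server
    + _rec("198.51.100.7", 40, "pass", "fail")   # forwarder: SPF broken, DKIM survives
    + _rec("203.0.113.55", 15, "fail", "fail")   # unauthorized or unconfigured sender
    + "</feedback>")

def summarize(report_xml):
    """Per source IP: messages passing DMARC, failing it, and passing on DKIM alone."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "dkim_only": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "unknown")
        count = int(row.findtext("count") or 0)
        # policy_evaluated holds the *aligned* results; DMARC passes if either passes.
        dkim = row.findtext("policy_evaluated/dkim", "fail") == "pass"
        spf = row.findtext("policy_evaluated/spf", "fail") == "pass"
        if dkim or spf:
            stats[ip]["pass"] += count
            if dkim and not spf:
                stats[ip]["dkim_only"] += count
        else:
            stats[ip]["fail"] += count
    return dict(stats)

def failing_sources(stats):
    """Sources that quarantine/reject would affect, largest volume first."""
    hits = [(ip, s["fail"]) for ip, s in stats.items() if s["fail"]]
    return sorted(hits, key=lambda h: -h[1])

def enforcement_impact(stats):
    """(messages that would be quarantined or rejected at pct=100, total messages)."""
    failed = sum(s["fail"] for s in stats.values())
    return failed, failed + sum(s["pass"] for s in stats.values())

if __name__ == "__main__":
    stats = summarize(SAMPLE_REPORT)
    for ip, n in failing_sources(stats):
        print(f"{ip}: {n} messages fail DMARC; authorize or confirm as spoofing")
    print("impact at pct=100: %d of %d" % enforcement_impact(stats))
```

A source with a high `dkim_only` count is typically a forwarder: its mail passes only because DKIM alignment survives, so a DKIM outage would push that traffic into the failing set.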

Common Gotchas

  • Do not jump straight from p=none to p=reject without reviewing reports first. You may block legitimate email from third-party senders you forgot to authorize.
  • Email forwarding services (mailing lists, alias forwarding) often break SPF alignment. Make sure DKIM is set up so DMARC can pass via DKIM alignment.
  • Use the pct= tag to gradually roll out enforcement. Start with pct=10 or pct=50 to test with a subset of failing emails.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

How long should I stay on p=none before enforcing?

It depends on the complexity of your email setup. For simple setups, a few weeks may be enough. For complex setups with multiple third-party senders, 2-4 weeks of report analysis is recommended.

What is the difference between quarantine and reject?

With p=quarantine, failing emails are typically sent to the recipient's spam folder. With p=reject, failing emails are outright rejected and never delivered.

Will upgrading my DMARC policy break email forwarding?

It can. Email forwarding often breaks SPF because the forwarding server's IP is not in your SPF record. Ensure DKIM is properly configured so that forwarded emails can pass DMARC via DKIM alignment.
