DMARC p=none: What It Means and What to Do Next
p=none is a monitoring-only policy: it collects DMARC reports but does not block or quarantine any mail. Your next step is to read those reports, fix every misaligned sender, and move to p=quarantine once your aligned percentage holds above 95% for two or more consecutive weeks.
What p=none means
p=none puts DMARC into monitoring mode. Mail that fails authentication is still delivered to the inbox. Nothing is blocked, nothing is quarantined, nothing bounces. The only thing that happens is receivers send you aggregate reports showing which senders passed and which failed.
This is intentional. The point is to collect signal before you enforce anything.
What p=none does not do: it does not protect your domain from being spoofed. Someone could send phishing mail pretending to be you right now, and p=none means receivers will deliver it. Your reporting address gets a note about it. The recipient gets the email.
The actual risk of staying at p=none too long
Most domains stay at p=none far longer than necessary, often indefinitely, because it feels safe. It isn't.
p=none means your domain has no enforcement. If a threat actor is spoofing your domain at scale, your DMARC record is providing zero protection. You're just watching.
That said, moving too fast is also a real risk. If you have legitimate senders that aren't aligned (a transactional ESP that wasn't configured correctly, a CRM sending mail under your domain without DKIM), moving to p=quarantine means their mail goes to spam immediately.
The goal is to move deliberately, not slowly.
What to look for before you move
Before you tighten your policy, your reports need to show three things:
1. All your known senders are aligned
Every service you use to send mail (Google Workspace, your ESP, your CRM, any automated notifications) should be showing up in your reports with at least one of DKIM or SPF passing. If a sender you recognize is consistently failing alignment, fix that first.
2. No high-volume unrecognized senders
Scan your source IPs. If you see an IP you don't recognize sending significant volume (more than a handful of messages over multiple days), investigate before moving. It could be a service you forgot about, or it could be spoofing.
3. Your aligned percentage is consistently above 95%
Add up all your passing messages across all sources. If you're below 95%, you have senders to fix. Above 95% for two or more weeks is the signal that you're ready to move. Use the DMARC analyzer to pull this out of your reports.
When you're ready to move to p=quarantine
Move when:
- All recognized senders are passing alignment (DKIM or SPF) consistently
- You've reviewed every source IP and can account for each one
- Your aligned percentage has been above 95% for at least two weeks of reports
- You haven't added any new email services in the last 30 days (or if you have, they're verified as aligned)
Move to p=quarantine first, not straight to p=reject. Quarantine means failing mail routes to spam; receivers still accept it, so you can catch legitimate senders you missed. Stay there for at least a month, watch your reports for any drop in alignment from sources you recognize, and only then move to p=reject. For the complete stage-by-stage view of this progression, see the DMARC enforcement roadmap.
For the full transition guide (including what to actually change in your DNS record), see p=reject vs p=quarantine: which policy is right for you.
FAQ
For your deliverability: yes. Nothing about p=none harms your email delivery; it's purely a monitoring policy. For your domain's protection against spoofing: no. p=none means any mail failing authentication is still delivered. Your domain can be impersonated and receivers won't stop it. "Safe to start with" and "safe to stay at forever" are two different things.
Long enough to see consistent alignment across your sending sources, typically 2 to 4 weeks of reports if your setup is straightforward. If you have multiple ESPs or a complex sending infrastructure, it might take longer to track down every misaligned sender. The signal to move is your aligned percentage, not a fixed timer. Above 95% for two or more consecutive weeks is the threshold.
Legitimate mail from senders you didn't fully configure will route to spam. Common examples: a transactional ESP that's sending under your domain without DKIM, a helpdesk tool that uses your domain in the From address but isn't in your SPF record, or an automated notification system you set up and forgot about. This is why you review your reports first: every unaligned sender that you recognize is a sender to fix before you move the policy.
