You have probably seen this message:


"This Warning indicates that the DMARC record for this domain is not currently protected against phishing and spoofing threats. To resolve this Warning you will need to set a Quarantine or Reject policy on the domain's DMARC record. Setting a Quarantine or Reject value will prevent fraudsters from spoofing the domain as mail servers will Quarantine or Reject messages that fail authentication tests."


What does it mean?


The DMARC policy v=DMARC1; p=none; is considered "not protected" because the p=none policy doesn't actually block or quarantine emails that fail DMARC authentication - it only monitors them.

Here's what the different DMARC policies mean:

  • p=none - Monitor only. Failed emails are delivered normally, but reports are generated
  • p=quarantine - Failed emails go to spam/junk folder
  • p=reject - Failed emails are completely blocked and not delivered

When security scanners or email services report that p=none isn't protected, they're pointing out that while you're collecting data about email authentication failures, you're not taking any enforcement action against spoofed emails. Bad actors can still successfully send emails that appear to come from your domain.

The p=none policy is typically used as a first step when implementing DMARC - it lets you monitor your email ecosystem and identify legitimate sources before moving to stricter policies. Once you've analyzed the reports and ensured all legitimate email sources are properly authenticated with SPF and DKIM, you can upgrade to p=quarantine or p=reject for actual protection.


So these services are technically correct - p=none provides visibility but not protection against domain spoofing.


Your job is to review your reports, find the unaligned or unidentified sending sources and follow the instructions to fix the issues.
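
The report review can be scripted. The following is an added example, not part of the original article: it reads one DMARC aggregate report in the RFC 7489 XML layout and totals, per source IP, the messages that failed both DKIM and SPF alignment. The sample report, its addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (RFC 7489 aggregate layout); every value is made up.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>example.com</header_from>"
       "</identifiers></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format(ip="192.0.2.10", n=120, dkim="pass", spf="pass")
    + ROW.format(ip="203.0.113.5", n=30, dkim="fail", spf="pass")
    + ROW.format(ip="198.51.100.7", n=14, dkim="fail", spf="fail")
    + ROW.format(ip="198.51.100.7", n=6, dkim="fail", spf="fail")
    + "</feedback>")


def summarize(report_xml):
    """Return (published policy, Counter of failing messages per source IP)."""
    # Reports come from outside parties: in production use a hardened XML
    # parser (for example the defusedxml package) instead of plain ElementTree.
    root = ET.fromstring(report_xml)
    policy = (root.findtext("policy_published/p") or "").strip().lower()
    failing = Counter()
    for row in root.iterfind("record/row"):
        dkim = (row.findtext("policy_evaluated/dkim") or "").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "").strip().lower()
        # DMARC passes if aligned DKIM or aligned SPF passes; both must fail.
        if dkim != "pass" and spf != "pass":
            ip = (row.findtext("source_ip") or "unknown").strip()
            failing[ip] += int(row.findtext("count") or 0)
    return policy, failing


def report_lines(report_xml):
    """One line per failing source, worst first, with what the policy requests."""
    policy, failing = summarize(report_xml)
    fate = {"none": "delivered normally", "quarantine": "sent to spam/junk",
            "reject": "blocked"}.get(policy, "unknown policy")
    return [f"{ip}: {n} failing messages, {fate} under p={policy}"
            for ip, n in failing.most_common()]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_REPORT)))
```

Each address it lists is either a legitimate sender that still needs SPF or DKIM alignment, or a source spoofing the domain; the first kind has to be fixed before moving to p=quarantine or p=reject.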