You have probably seen this message:
"This Warning indicates that the DMARC record for this domain is not currently protected against phishing and spoofing threats. To resolve this Warning you will need to set a Quarantine or Reject policy on the domain's DMARC record. Setting a Quarantine or Reject value will prevent fraudsters from spoofing the domain as mail servers will Quarantine or Reject messages that fail authentication tests."
What does it mean?
The DMARC record v=DMARC1; p=none; is considered "not protected" because the p=none policy does not block or quarantine emails that fail DMARC authentication; it only asks receivers to monitor them and report back. Note that reports are only sent if the record also carries a rua= (aggregate report) tag, so the bare record above would not even give you the monitoring data.
Here's what the different DMARC policies mean (a message "fails DMARC" when neither SPF nor DKIM passes with a domain aligned to the From: header domain):
p=none - Monitor only. Failed emails are delivered normally, but aggregate reports are generated for the addresses in the rua= tag.
p=quarantine - Failed emails are treated as suspicious, typically delivered to the spam/junk folder.
p=reject - Failed emails are refused by the receiving mail server and not delivered at all.
When security scanners or email services report that p=none isn't protected, they're pointing out that while you're collecting data about email authentication failures, you're not taking any enforcement action against spoofed emails. Bad actors can still successfully send emails that appear to come from your domain, and receivers will deliver them as usual.
The p=none policy is typically used as a first step when implementing DMARC: it lets you monitor your email ecosystem and identify legitimate sources before moving to stricter policies. Once you've analyzed the reports and ensured all legitimate email sources are properly authenticated with SPF and DKIM (and that the authenticated domain aligns with your From: domain), you can upgrade to p=quarantine or p=reject for actual protection.
So these services are technically correct: p=none provides visibility but not protection against domain spoofing.
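To make the difference between the policies concrete, here is an added example (not code from the original page) that parses a DMARC TXT record, reports whether it is enforcing and whether it would even produce reports, and then simulates how a receiver decides the disposition of a message. The sample records and the two sample messages (one legitimate, one spoofed) are constructed for illustration; the organizational-domain lookup is a deliberate simplification that assumes a two-label organizational domain instead of consulting the Public Suffix List.

```python
"""DMARC record checker and disposition simulator.

Added example, not from the original page. Tag syntax follows RFC 7489;
pct is parsed but treated as 100 (every failing message gets the policy).
"""
from __future__ import annotations

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def assess_record(txt: str) -> dict:
    """What a scanner would tell you about this record."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    return {
        "policy": policy,
        "enforcing": policy in ENFORCING,
        "reports": "rua" in tags,          # no rua= means no aggregate reports
        "pct": int(tags["pct"]),
        "subdomain_policy": tags.get("sp", policy).lower(),
    }


def org_domain(domain: str) -> str:
    """Assumption: organizational domain is the last two labels.
    Real receivers use the Public Suffix List (this is wrong for co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record_txt: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    DMARC passes if SPF passed for an aligned domain OR DKIM passed with an
    aligned d= domain. A failing message gets the record's p= policy; under
    p=none the disposition is 'none', i.e. delivered normally.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"].lower()


# Constructed sample data for the demonstration below.
MONITOR_ONLY = "v=DMARC1; p=none;"
MONITOR_WITH_REPORTS = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Legitimate mail: bounce address on mail.example.com, DKIM signed by example.com.
LEGIT = dict(from_domain="example.com", spf_result="pass", spf_domain="mail.example.com",
             dkim_result="pass", dkim_domain="example.com")
# Spoof: attacker controls attacker.example, SPF passes for THEIR domain only.
SPOOF = dict(from_domain="example.com", spf_result="pass", spf_domain="attacker.example",
             dkim_result="none", dkim_domain="")

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("enforced", ENFORCED)]:
        print(name, assess_record(rec))
        print("  legit:", dmarc_disposition(rec, **LEGIT))
        print("  spoof:", dmarc_disposition(rec, **SPOOF))
```

Run it and the spoofed message fails DMARC under both records; only the p=reject record turns that failure into a disposition the receiver acts on. The legitimate message passes under both because SPF aligns in relaxed mode (mail.example.com shares the organizational domain example.com), which is exactly the alignment you need to confirm for every sender before tightening the policy.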
Your job is to review your aggregate reports, find the unaligned or unidentified sending sources, fix their SPF and DKIM setup so they authenticate with an aligned domain, and only then move the policy to quarantine or reject.