DMARC policy=none — moving from monitoring to enforcement
A DMARC policy of `p=none` is a monitoring-only mode: receiving servers send you reports about messages that fail SPF/DKIM alignment, but they still deliver the failures. That's fine as a learning phase — it lets you find your own legitimate senders before they get blocked — but staying on `p=none` indefinitely means forged mail in your name still reaches inboxes.
Why it matters
Once aggregate reports (the `rua=` mailbox) confirm your legitimate senders are passing alignment, move to `p=quarantine` (sends failures to spam) and then `p=reject` (blocks them outright). Most domains complete this progression in 30–90 days.
Real-world risk
`p=none` only collects reports; forged mail can still be delivered while you learn, leaving users exposed if you never tighten policy.
Fix steps (in order)
- After reviewing aggregate reports, move to `p=quarantine`, then to `p=reject` when confident.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (`dns_dmarc_policy_none`) clears once the externally-observable signal is in place.