On a compliance checklist, "we have DMARC" is a checkbox, and by that standard the ecosystem looks healthy: as of the 2026-07-05 snapshot of our daily email infrastructure report, 459,124 domains in the Tranco top-1M publish a DMARC record. But DMARC is not one control — it is a policy dial, and the dial position is what matters. 234,559 of those records, 51%, sit at p=none: full monitoring, zero enforcement. A spoofed message that fails every authentication check is still delivered exactly as if DMARC did not exist.
For a security or IT administrator, that gap between "deployed" and "enforcing" is the single most common finding in an email hardening review. This article covers what p=none actually does, why so many domains park there indefinitely, what an attacker reads into it, and the staged path out.
What p=none actually promises
A minimal monitoring-mode record looks like this:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"The p=none tag instructs receivers to take no action on messages that fail DMARC evaluation — deliver them normally — while the rua= address collects aggregate reports about who is sending as your domain. That design is deliberate and genuinely good: it lets an organisation discover every legitimate sending source (marketing platforms, CRMs, ticketing systems, that one server in a subsidiary nobody documented) before any enforcement can break them.
The illusion begins when the phase becomes the destination. Monitoring mode produces reports; someone has to read them, reconcile the sources, fix alignment, and then move the dial. In practice the project that deployed the record ends, the reports pile up unread, and the domain stays at none for years — visibly, publicly, and to no protective effect.
The numbers: a majority parked in monitoring mode
Our scan parses every DMARC record in the top million daily. The policy split as of the 2026-07-05 snapshot: 234,559 domains at p=none, against 114,824 at p=quarantine and 114,390 at p=reject. Counting quarantine and reject with full coverage as enforced, 47.16% of DMARC-publishing domains actually enforce — a minority, though a growing one.
The trend line explains why the none population is so large. The Google/Yahoo bulk-sender requirements announced for February 2024 obliged high-volume senders to publish at least a minimal DMARC record — and p=none satisfies the letter of that requirement. The mandate produced a wave of brand-new monitoring-mode records: compliance-driven deployment, not security-driven enforcement. The full dynamics are in our State of DMARC 2026 deep dive.
What an attacker reads in your policy
DMARC policies are public by design — receivers must be able to query them, so anyone can. From an attacker's viewpoint, dig TXT _dmarc.victim.com is free reconnaissance that answers one question precisely: if I spoof this exact domain, will the message be delivered?
p=reject— direct spoofing of the apex is dead on arrival at any enforcing receiver. The attacker moves to lookalike domains or display-name tricks instead.p=quarantine— spoofed mail lands in spam folders. Degraded, but a fraction of targets still open their junk folder.p=none— spoofed mail is delivered on authentication merits alone. The domain has announced, in a public record, that exact-domain impersonation carries no DMARC penalty. For phishing that targets your own employees, vendors, or customers with your own domain in the From header, this is the green light.
A long-lived p=none record is not neutral. It signals that the organisation started an email authentication project and stopped halfway — which is also a soft indicator about how other half-finished controls might look inside.
Leaving p=none without breaking your own mail
The reason so many domains never leave monitoring mode is fear of breaking legitimate mail — a reasonable fear with an engineered answer. DMARC includes a percentage tag precisely for staged rollout:
- Spend 4–8 weeks at p=none reading reports. Inventory every source that sends as your domain; fix SPF alignment and DKIM signing for each legitimate one.
- Step to quarantine gradually:
p=quarantine; pct=10, then 25, 50, 100 — watching reports at each step. Only a tenth of failing mail is quarantined at first, so a missed sender surfaces as a contained incident, not an outage. - Repeat the ramp to p=reject. Reject with
pct=100is the end state — and note that quarantine-forever has become its own plateau, as we cover in the quarantine-versus-reject crossover analysis. - Mind the subdomains. Enforcement at the apex says nothing about explicitly weakened subdomain policy — check your
sp=tag before declaring victory.
None of this is exotic; 47.16% of DMARC-publishing domains in the top million have already completed the journey, and the absolute enforcement counts have grown every year in our data. The daily policy split, along with the full time series, is published in machine-readable form at api/latest.json if you want to benchmark your sector or track your own domain's cohort.