Here's a pattern we see constantly: a business owner is told "you have DMARC, you're covered." Technically, a DMARC record exists in their DNS. But it reads:

v=DMARC1; p=none;

That record blocks nothing. p=none means: "if a message fails authentication for my domain, deliver it anyway — just send me a report." It's the monitoring mode. It exists so you can observe your mail flows before enforcing. It was never meant to be the destination.

What each policy actually instructs

PolicyInstruction to receiving serversForged mail outcome
p=noneDeliver everything; report failuresLands in the inbox
p=quarantineTreat failures as suspiciousLands in spam (still readable)
p=rejectRefuse failures at the doorNever delivered

Why so many domains are stuck at p=none

Moving to enforcement requires homework: every legitimate service that sends mail for your domain (your mail host, marketing platform, CRM, invoicing tool, e-signature service) must be correctly authorized in SPF and/or DKIM first. Skip that homework and enforcement will reject your own mail. So domains get parked at p=none "temporarily" — and stay there for years.

The honest middle step

p=quarantine is a legitimate stage in a rollout, not a final state. Spam folders get read. The destination that actually closes exact-domain spoofing is p=reject with verified SPF/DKIM alignment.

Where is your domain right now?

It takes 10 seconds to find out — the record is public DNS. Run the free scan and you'll see your exact policy, your score, and what's between you and enforcement.