Here's a pattern we see constantly: a business owner is told "you have DMARC, you're covered." Technically, a DMARC record exists in their DNS. But it reads:
v=DMARC1; p=none;
That record blocks nothing. p=none means: "if a message fails authentication for my domain, deliver it anyway — just send me a report." It's the monitoring mode. It exists so you can observe your mail flows before enforcing. It was never meant to be the destination.
What each policy actually instructs
| Policy | Instruction to receiving servers | Forged mail outcome |
|---|---|---|
p=none | Deliver everything; report failures | Lands in the inbox |
p=quarantine | Treat failures as suspicious | Lands in spam (still readable) |
p=reject | Refuse failures at the door | Never delivered |
Why so many domains are stuck at p=none
Moving to enforcement requires homework: every legitimate service that sends mail for your domain (your mail host, marketing platform, CRM, invoicing tool, e-signature service) must be correctly authorized in SPF and/or DKIM first. Skip that homework and enforcement will reject your own mail. So domains get parked at p=none "temporarily" — and stay there for years.
The honest middle step
p=quarantine is a legitimate stage in a rollout, not a final state. Spam folders get read. The destination that actually closes exact-domain spoofing is p=reject with verified SPF/DKIM alignment.
Where is your domain right now?
It takes 10 seconds to find out — the record is public DNS. Run the free scan and you'll see your exact policy, your score, and what's between you and enforcement.