DMARC glossary
What does p=none mean in a DMARC record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
p=none is the DMARC policy that tells receiving mail servers to take no action on messages that fail authentication — only report them. It puts DMARC in monitor-only mode: you get visibility into who is sending as your domain, but spoofed email is still delivered. It's the safe place to start, not the place to stay.
p=none at a glance | |
|---|---|
| Tag | p (policy) |
| Valid values | none · quarantine · reject |
| Default | Required — every DMARC record must set a p value; there is no default. |
| Where it goes | Immediately after v=DMARC1, e.g. v=DMARC1; p=none; |
How p=none works
The p tag is the heart of a DMARC record. It tells the world's mail servers what to do with a message that claims to be from your domain but fails both SPF and DKIM alignment. p=none is the most permissive of the three settings: do nothing, deliver as normal, but send me a report.
That reporting is the whole point of none. Paired with a rua= address, it feeds you daily reports of every source sending as your domain — your own servers, your CRM, your invoicing tool, and anyone spoofing you. You use that data to authorise every legitimate sender before you tighten the policy.
The catch: while you're on none, nothing is actually protected. A criminal can still spoof your domain and land in the inbox. none is a listening post, not a lock. The goal is always to graduate to quarantine and then reject once the reports confirm your legitimate mail will survive.
Step 1
p=noneMonitor
Failing mail is still delivered — you only collect reports.
Step 2
p=quarantineContain
Failing mail is diverted to the spam or junk folder.
Step 3
p=rejectBlock
Failing mail is refused outright and never arrives.
Correct record vs common mistake
Correct
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comMonitor-only, with a reporting address — so you actually collect the data that makes p=none worth running.
Common mistake
v=DMARC1; p=noneNo rua= address means no reports. You get all the exposure of p=none and none of the visibility — the worst of both.
Generate your DMARC record
Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
Troubleshooting p=none
| Issue | Likely cause | Fix |
|---|---|---|
| No reports arriving | Missing or mistyped rua= address, or the report mailbox rejects large XML attachments | Add a valid rua= mailto: address and confirm the mailbox accepts mail from any sender |
| Reports show unknown sending sources | Shadow IT (a SaaS tool sending as the domain) — or someone spoofing it | Authorise legitimate sources in SPF/DKIM; anything you can't identify is a reason to move off none |
| Domain parked at p=none for months | No owner for the rollout, or fear of breaking mail | Confirm all senders pass in the reports, then step to quarantine — none was never meant to be permanent |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Across a client base, p=none is the silent-risk state. A domain parked here looks “DMARC-enabled” on an audit checklist but is still fully spoofable. Multiply that by every tenant you manage and “we have DMARC” can quietly mean “none of our clients are actually protected.”
Trusted by MSPs
“We increased our meetings booked by 21% and slept better at night knowing our emails are now secured”
Marc-André Campagna — CEO, gaiia (YC 2021)Read the case study →

































Enforce it — don't just monitor it
p=none means you're only watching, not protected. Palisade reads the reports for you and safely walks every client domain from none to reject — automatically, without breaking a single legitimate sender.
Free 15-day trial · No credit card · Your own domain free forever (NFR)