DMARC glossary

What does p=none mean in a DMARC record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

p=none is the DMARC policy that tells receiving mail servers to take no action on messages that fail authentication — only report them. It puts DMARC in monitor-only mode: you get visibility into who is sending as your domain, but spoofed email is still delivered. It's the safe place to start, not the place to stay.

p=none at a glance
Tagp (policy)
Valid valuesnone · quarantine · reject
DefaultRequired — every DMARC record must set a p value; there is no default.
Where it goesImmediately after v=DMARC1, e.g. v=DMARC1; p=none;

How p=none works

The p tag is the heart of a DMARC record. It tells the world's mail servers what to do with a message that claims to be from your domain but fails both SPF and DKIM alignment. p=none is the most permissive of the three settings: do nothing, deliver as normal, but send me a report.

That reporting is the whole point of none. Paired with a rua= address, it feeds you daily reports of every source sending as your domain — your own servers, your CRM, your invoicing tool, and anyone spoofing you. You use that data to authorise every legitimate sender before you tighten the policy.

The catch: while you're on none, nothing is actually protected. A criminal can still spoof your domain and land in the inbox. none is a listening post, not a lock. The goal is always to graduate to quarantine and then reject once the reports confirm your legitimate mail will survive.

You are here

Step 1

p=none

Monitor

Failing mail is still delivered — you only collect reports.

Step 2

p=quarantine

Contain

Failing mail is diverted to the spam or junk folder.

Step 3

p=reject

Block

Failing mail is refused outright and never arrives.

Monitoring onlyFull protection
A DMARC rollout moves left to right — from monitoring only, to containing spoofed mail, to blocking it outright.

Correct record vs common mistake

Correct

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Monitor-only, with a reporting address — so you actually collect the data that makes p=none worth running.

Common mistake

v=DMARC1; p=none

No rua= address means no reports. You get all the exposure of p=none and none of the visibility — the worst of both.

Generate your DMARC record

Build the exact TXT record to publish — pick a policy, add a reporting address, copy. Free, no signup.

Used to show the exact host name to publish — the record itself doesn't contain it.

Start at none to observe, then tighten once reports look clean.

Where daily XML summaries are sent. Comma-separate multiple addresses.

Advanced options (sp, alignment, pct, ruf)

Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.

Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.

Same idea for the SPF (Return-Path) domain.

Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.

Per-message failure samples. Rarely sent by large providers; contains message data.

Your DMARC record

Publish this as a TXT record in your DNS.

Host / Name

_dmarc.yourdomain.com

Value (TXT)

v=DMARC1; p=none;

Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.

No rua address set — you'll get no aggregate reports, which means no visibility into who is sending as your domain. Add one before publishing.
p=none is monitoring mode: receivers report but deliver everything, including spoofed mail. It's the right starting point — plan to move to quarantine, then reject, once your reports show all legitimate senders passing.

After you publish

  1. Add the TXT record at your DNS host and allow up to an hour for propagation.
  2. Verify it with the free DMARC checker.
  3. Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.

Troubleshooting p=none

IssueLikely causeFix
No reports arrivingMissing or mistyped rua= address, or the report mailbox rejects large XML attachmentsAdd a valid rua= mailto: address and confirm the mailbox accepts mail from any sender
Reports show unknown sending sourcesShadow IT (a SaaS tool sending as the domain) — or someone spoofing itAuthorise legitimate sources in SPF/DKIM; anything you can't identify is a reason to move off none
Domain parked at p=none for monthsNo owner for the rollout, or fear of breaking mailConfirm all senders pass in the reports, then step to quarantine — none was never meant to be permanent

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Across a client base, p=none is the silent-risk state. A domain parked here looks “DMARC-enabled” on an audit checklist but is still fully spoofable. Multiply that by every tenant you manage and “we have DMARC” can quietly mean “none of our clients are actually protected.”

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

p=none means you're only watching, not protected. Palisade reads the reports for you and safely walks every client domain from none to reject — automatically, without breaking a single legitimate sender.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

For your legitimate mail, yes — it changes nothing about delivery. That is also the problem: it does nothing to stop spoofing either. It is safe to start on, but unsafe to stay on.

No. At p=none, messages that fail DMARC are still delivered normally. Only p=quarantine or p=reject actually divert or block them.

Just long enough to read your DMARC reports, confirm every legitimate sender passes, then move to quarantine and reject. Weeks, not months — a domain parked at none is exposed the entire time.

p=none gives you reporting via rua=; no record gives you nothing. Neither blocks spoofed mail, but p=none is how you gather the evidence to enforce safely.

Related terms

What is DMARC? Email authentication explained