p=none is the email security equivalent of buying a fire door, painting it bright red, and then propping it open with a brick.
The part that drives me crazy is that this is not an edge case. It is the default emotional state of DMARC deployment. People say a domain “has DMARC” as if the story ends there. It does not. A DMARC record with p=none tells receivers to collect reports and carry on. No quarantine. No rejection. No enforcement.
That can be a legitimate temporary step.
Temporary is the word everyone forgets.
What p=none Actually Means
It reports. That’s the entire trick.
DMARC has three policy levels. p=none tells receivers to deliver failing mail as usual; the only thing it buys you is aggregate reports, and only if a rua address is published. p=quarantine asks receivers to put failing mail in spam. p=reject asks them to refuse it outright. The intended progression is clear: start at p=none to gather data, move to p=quarantine once you understand your ecosystem, graduate to p=reject when you’re confident.
This is why “DMARC adoption” is such a slippery phrase. If the question is “how many domains publish a DMARC TXT record,” the answer looks encouraging — industry surveys put it at 50-80% for major domains. If the question is “how many domains actually block spoofed email,” the answer gets depressing fast.
A 2026 scan over 5.5 million Tranco domains found 30.4% published DMARC. Sounds decent. Then you read the next line: only 12.8% of all scanned domains were at enforcement, and 57.9% of DMARC-enabled domains still sat at p=none.
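The gap between "publishes DMARC" and "is at enforcement" comes down to how you read the record. The classifier below is an added example (not code from the post or from any survey tool): it takes TXT strings you have already fetched, applies the record the way RFC 7489 tells a receiver to (an invalid p tag becomes p=none only when a rua is present; mail outside the pct sample gets the next less strict policy, so p=reject with pct=0 is really quarantine and p=quarantine with pct=20 is really none), and then tallies a constructed ten-domain zone in the same shape the survey numbers above use. The .test domains and their records are constructed placeholders.

```python
"""Classify published DMARC records the way a receiver would apply them.

Added example for this post, not code from the original. It works on TXT
record strings you have already fetched (no DNS here), so it runs offline;
SAMPLE_ZONE below is constructed and the .test domains are placeholders.
"""
from collections import Counter

VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 6.6.4: mail outside the pct sample gets the next less strict policy.
ONE_STEP_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags.

    Returns None when the string is not a DMARC record at all: missing or
    wrong v tag, a malformed tag, or no p tag (p is required by RFC 7489).
    """
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue            # tolerate a trailing ';'
        if "=" not in part:
            return None         # malformed tag: treat as no record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(tags):
    """Return the weakest treatment a failing message can get under this record.

    This is the floor of the policy: p as published, stepped down one level
    when pct < 100 because the unsampled share of mail gets the weaker action
    (so 'p=reject; pct=0' is quarantine and 'p=quarantine; pct=20' is none).
    Returns None when the record yields no DMARC processing at all.
    """
    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        # RFC 7489 6.6.3: an invalid p is treated as p=none if a rua is present,
        # otherwise the receiver applies no DMARC processing to the message.
        return "none" if tags.get("rua") else None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100               # unparsable pct falls back to the default
    if pct < 100:
        return ONE_STEP_WEAKER[p]
    return p


def tally(zone):
    """Count enforcement levels over {domain: txt_or_None}, survey style."""
    levels = Counter()
    for txt in zone.values():
        tags = parse_dmarc(txt)
        policy = effective_policy(tags) if tags else None
        if policy is not None:
            levels[policy] += 1
    scanned = len(zone)
    published = sum(levels.values())
    enforcing = levels["quarantine"] + levels["reject"]
    return {
        "scanned": scanned,
        "published": published,
        "none": levels["none"],
        "quarantine": levels["quarantine"],
        "reject": levels["reject"],
        # the two percentages that diverge so sharply in the surveys
        "published_pct": round(100.0 * published / scanned, 1),
        "enforcement_pct": round(100.0 * enforcing / scanned, 1),
        "none_share_of_dmarc_pct": (
            round(100.0 * levels["none"] / published, 1) if published else 0.0
        ),
    }


# Constructed zone: a mix of real enforcement, parked p=none, "enforcement"
# hollowed out by pct, an invalid p, a wrong record type, and no record at all.
SAMPLE_ZONE = {
    "example-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test",
    "example-b.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.test",
    "example-c.test": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "example-d.test": "v=DMARC1; p=none",
    "example-e.test": "v=DMARC1; p=reject; pct=0; rua=mailto:r@example-e.test",
    "example-f.test": "v=DMARC1; p=bogus; rua=mailto:r@example-f.test",
    "example-g.test": "v=spf1 -all",      # SPF record published at _dmarc by mistake
    "example-h.test": None,
    "example-i.test": None,
    "example-j.test": "v=DMARC1; p=quarantine; pct=20",
}

if __name__ == "__main__":
    for key, value in tally(SAMPLE_ZONE).items():
        print(f"{key:>24}: {value}")
```

Run it and the constructed zone reports 70% "published" but only 30% at enforcement, with 57.1% of the DMARC-enabled domains effectively at p=none: the same split as the scan above, produced by three records that look like enforcement until pct and the p tag are actually read.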
Calling that decorative is not unfair.
The Progression That Never Happens
The official story is clean. Monitor, then quarantine, then reject. That is the brochure.
Real organizations accumulate mail systems the way old houses accumulate wiring. Marketing sends from one platform. Billing sends from another. HR has a third-party workflow nobody documented. Support has forwarding rules someone added three years ago and forgot. The CEO has an assistant using a weird relay appliance because of one legacy partner in one country. Someone set up a SaaS trial with your domain and never tore it down.
Then you enable DMARC reporting and discover your email ecosystem is not a system at all. It is archaeology.
At that point p=none becomes a parking lot. Not a transition state. A habitat.
The fear is not imaginary. Move to enforcement too early and you can break legitimate mail. Forwarding still causes pain. Mailing lists mangle flows. Legacy systems miss alignment in silly ways. But fear has turned a migration path into a lifestyle.
Why Organizations Stay Here
Breakage anxiety. Nobody gets fired because a spoofed message was theoretically possible in a way that requires reading an RFC to understand. People absolutely get yelled at when legitimate mail stops arriving. The operational cost of moving too fast is immediate and loud. The business cost of staying on p=none is diffuse and delayed. Bureaucracies are very predictable animals when faced with that choice.
Nobody reads the reports. DMARC aggregate reports are XML files. Dense, ugly, arriving in bulk. Processing them requires dedicated tooling. Many organizations set up the rua address, receive thousands of reports, and never look at a single one. Without reading the reports, you can’t identify unauthorized senders. Without identifying them, you can’t move to enforcement. The feedback loop is broken at step one.
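Reading the reports is less work than the XML makes it look. The script below is an added example (not from the post or from any DMARC reporting product): it rolls a single aggregate report up by source IP, using the aligned results in policy_evaluated as RFC 7489 defines them, and separates three populations a defender cares about: sources that fail both aligned checks (what would be blocked at enforcement), sources that pass only through SPF (the ones forwarding will break), and how much was actually blocked under the published policy. Real reports arrive as gzip or zip attachments; the example assumes the XML has already been unpacked. The report and its documentation-range IPs are constructed.

```python
"""Summarise a DMARC aggregate (rua) report so unauthorised senders stand out.

Added example, not code from the original post or any DMARC tool. It assumes
the XML has already been extracted from the gzip/zip attachment. The report
below is constructed; the IPs are documentation ranges and .test placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed report for a domain sitting at p=none: every disposition is
# "none", so nothing was blocked no matter how the row authenticated.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>constructed-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
 </report_metadata>
 <policy_published><domain>example.test</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers>
  <auth_results><dkim><domain>example.test</domain><result>pass</result></dkim>
   <spf><domain>example.test</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers>
  <auth_results><dkim><domain>example.test</domain><result>pass</result></dkim>
   <spf><domain>forwarder.test</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>350</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers>
  <auth_results><spf><domain>bulk-sender.test</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.200</source_ip><count>600</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers>
  <auth_results><dkim><domain>marketing-platform.test</domain><result>pass</result></dkim>
   <spf><domain>example.test</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarize_aggregate(xml_text):
    """Roll the report up by source IP and flag senders that failed both checks.

    policy_evaluated/dkim and /spf carry the *aligned* results (RFC 7489 7.2),
    so a row failing both is exactly the mail DMARC would act on at
    quarantine or reject. A row passing only via SPF is fragile: forwarding
    rewrites the envelope sender and that pass disappears.
    """
    # For reports received from arbitrary parties, parse with the external
    # defusedxml package instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name", default="?"),
        "domain": root.findtext("policy_published/domain", default="?"),
        "published_p": root.findtext("policy_published/p", default="?"),
        "total": 0, "aligned_pass": 0, "aligned_fail": 0, "blocked": 0,
        "unauthorized": {},   # source_ip -> count that failed both aligned checks
        "spf_only": {},       # source_ip -> count that passes only through SPF
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        if row is None:
            continue
        ip = row.findtext("source_ip", default="?")
        n = int(row.findtext("count", default="0"))
        ev = row.find("policy_evaluated")
        dkim_ok = ev is not None and ev.findtext("dkim") == "pass"
        spf_ok = ev is not None and ev.findtext("spf") == "pass"
        disposition = ev.findtext("disposition") if ev is not None else None
        summary["total"] += n
        if disposition in ("quarantine", "reject"):
            summary["blocked"] += n
        if dkim_ok or spf_ok:
            summary["aligned_pass"] += n
            if spf_ok and not dkim_ok:
                summary["spf_only"][ip] = summary["spf_only"].get(ip, 0) + n
        else:
            summary["aligned_fail"] += n
            summary["unauthorized"][ip] = summary["unauthorized"].get(ip, 0) + n
    return summary


if __name__ == "__main__":
    for key, value in summarize_aggregate(SAMPLE_REPORT).items():
        print(f"{key:>14}: {value}")
```

On the constructed report the domain "has DMARC", 350 of 2190 messages failed both aligned checks, and 0 were blocked: that is the p=none feedback loop in one dictionary. The spf_only entry is the other thing worth acting on before enforcement, because that sender will start failing the moment its mail is forwarded.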
No deadline, no urgency. Unlike a compliance audit with a date attached, there’s no external pressure to move off p=none. Nobody penalizes you for it. You can tell auditors you “have DMARC” without specifying the policy level. The checkbox is checked. The CISO gets a report. The dashboard turns green.
And absolutely nothing changes.
SPF Has the Same Fake-It Problem
SPF’s softfail (~all) is the same disease with a different name. A record ending in -all (hardfail) says reject everything unauthorized. A record ending in ~all says “maybe flag it? Or don’t. I’m not sure.” The majority of SPF records use ~all. Technically present. Functionally timid.
RFC 7208 says a softfail means the domain believes the host is probably not authorized but is not willing to make a strong policy statement. That makes ~all useful as a cautious transition tool.
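The same "published but timid" split can be measured for SPF, but only if the record is read the way RFC 7208 evaluates it: the first all mechanism wins and everything after it is ignored, a bare or +all authorizes every host on the internet, and a record with no all at all falls through to neutral (or to a redirect= target, which has to be followed). The classifier below is an added example (not from the post or from any SPF library); it works on already-fetched records so redirect= is resolved offline against that same map, and the .test domains and records are constructed.

```python
"""Classify what an SPF record's terminal mechanism actually commits to.

Added example, not code from the original post. It takes already-fetched
records ({domain: "v=spf1 ..."}), so redirect= is followed offline against
that map; the sample records are constructed and the .test domains are
placeholders.
"""

QUALIFIER_MEANING = {
    "-": "hardfail",   # -all: unauthorized hosts fail
    "~": "softfail",   # ~all: "not authorized, but no strong statement"
    "?": "neutral",    # ?all: explicitly no statement
    "+": "pass-all",   # +all or bare all: every host is authorized, worse than no record
}


def terminal_policy(domain, records, _depth=0):
    """Return the effective 'all' verdict for domain, following redirect= modifiers.

    RFC 7208 5.1: mechanisms listed after 'all' are never evaluated, so the
    first 'all' wins. 6.1: redirect= only applies when no mechanism matched,
    i.e. when there is no 'all'. A missing record is 'none'; a chain that
    loops or runs past the lookup limit is 'invalid'.
    """
    if _depth > 10:
        return "invalid"           # redirect loop / beyond the RFC 7208 limit
    record = records.get(domain)
    if record is None:
        return "none"              # no SPF published at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        low = term.lower()
        if low[0] in "+-~?":
            qualifier, mech = low[0], low[1:]
        else:
            qualifier, mech = "+", low  # RFC 7208 4.6.2: default qualifier is "+"
        if mech == "all":
            return QUALIFIER_MEANING[qualifier]
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
    if redirect:
        return terminal_policy(redirect, records, _depth + 1)
    return "neutral"               # RFC 7208 4.7: nothing matched, no redirect


def tally_spf(domains, records):
    """Count verdicts for the domains you care about (not their redirect targets)."""
    counts = {}
    for domain in domains:
        verdict = terminal_policy(domain, records)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed records, including a redirect chain, a redirect loop, a record
# with no terminal mechanism, and the "+all" mistake.
SAMPLE_RECORDS = {
    "shop.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "corp.test": "v=spf1 mx ip4:198.51.100.5 ~all",
    "legacy.test": "v=spf1 a ?all",
    "oops.test": "v=spf1 +all",
    "brand.test": "v=spf1 redirect=_spf.brand.test",
    "_spf.brand.test": "v=spf1 ip4:203.0.113.0/28 -all",
    "loop.test": "v=spf1 redirect=loop.test",
    "noall.test": "v=spf1 ip4:192.0.2.7",
    "_spf.mailer.test": "v=spf1 ip4:203.0.113.64/26 ~all",
}
DOMAINS = ["shop.test", "corp.test", "legacy.test", "oops.test",
           "brand.test", "loop.test", "noall.test", "missing.test"]

if __name__ == "__main__":
    for domain in DOMAINS:
        print(f"{domain:>14}: {terminal_policy(domain, SAMPLE_RECORDS)}")
    print(tally_spf(DOMAINS, SAMPLE_RECORDS))
```

Note that the ~all inside the included _spf.mailer.test record does not weaken shop.test: an include whose own evaluation ends in softfail simply does not match, and the outer -all still applies. Only the domain's own terminal mechanism (or its redirect target's) states the policy.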
Sound familiar?
This is the broader pattern in email security: publishing is easy, enforcement is emotionally expensive.
The Google-Yahoo Push
In early 2024, Google and Yahoo started requiring DMARC for bulk senders. If you send more than 5,000 emails a day to Gmail or Yahoo addresses, you need a DMARC record. The requirement created a spike in adoption.
But the requirement is just “have a DMARC record.” Not “have a DMARC record with enforcement.” So organizations rushed to add p=none records. Compliance without security. A familiar pattern.
If major email providers started treating p=none as “no DMARC” — filtering mail from domains that refuse to enforce — real adoption would spike overnight. But nobody wants to be the provider that breaks email for a Fortune 500 company that hasn’t gotten around to configuring their marketing platform’s DKIM.
Decorating DNS Zone Files
I’m not angry at DMARC itself. The protocol did what it was supposed to do. I’m annoyed at the way the industry congratulates itself for publishing a monitoring policy and then acts surprised that spoofing remains common.
A lock screen is not a lock. A report is not a control. A p=none record is not protection.
At some point you have to decide whether the policy is meant to change mail flow or decorate a DNS zone file.