The DMARC Question That Stops Most Businesses Cold
Almost every DMARC project hits the same wall:
“What happens if we break email?”
It’s a fair fear.
Email is business-critical.
Breaking it would be… awkward.
So what do many organisations do?
They publish DMARC.
Set p=none.
Pat themselves on the back.
And never touch it again.
Which is a bit like installing a burglar alarm that only logs crimes.
Let’s fix that and scare the word “p=none” out of boardrooms everywhere.
Quick Recap: What a DMARC Policy Actually Does
If you need a refresher on how DMARC fits with SPF and DKIM, start here: DMARC: The Email Security Standard You Can’t Afford to Ignore.
DMARC policies tell receiving mail servers what to do when an email claiming to be from your domain fails DMARC. One aligned pass is enough to pass, so a message fails only when both of these are true:
- SPF fails, or passes for a domain that doesn't align with the visible From address
- DKIM fails, or the signing domain doesn't align with the visible From address
Without a policy, receivers guess.
With a policy, they enforce.
For the technical breakdown: DMARC vs SPF vs DKIM: What They Do, How They Work, and Why You Need All Three.
This post focuses purely on policy behaviour.
The Three DMARC Policies (And What They Really Mean)
DMARC gives you three enforcement levels:
- p=none
- p=quarantine
- p=reject
They are not equal.
They are not interchangeable.
And only one of them actually stops spoofing.
Let’s walk through them properly.
p=none: Monitoring Mode (Not Protection)
What p=none Does
When DMARC is set to p=none:
- Emails are still delivered normally
- No enforcement is applied
- You receive DMARC reports
- Spoofed emails are not blocked
In plain English:
“Please tell me who’s impersonating us, but don’t stop them.”
When p=none Is Useful
p=none does have a legitimate purpose:
- Discovering all legitimate senders
- Identifying broken SPF or DKIM
- Understanding your email ecosystem
It is a temporary discovery phase.
When p=none Becomes a Problem
Staying on p=none long-term means:
- Your domain remains spoofable
- Brand impersonation continues
- Insurers remain unimpressed
- Attackers face zero resistance
This is the most common DMARC failure we see.
DMARC exists.
DMARC does nothing.
Morse Reality Check
p=none is not security.
It’s reconnaissance.
Useful? Yes.
Protective? Absolutely not.
p=quarantine: Controlled Enforcement
What p=quarantine Does
With p=quarantine:
- Failing emails are marked as suspicious
- They usually land in spam or junk
- Some receivers apply additional scrutiny
This is where DMARC starts reducing risk.
Why p=quarantine Is the Sweet Spot for Transition
This policy is ideal when:
- You’ve fixed most SPF/DKIM issues
- You want enforcement without full rejection
- You’re validating real-world impact
It acts as:
- A safety net
- A warning system
- A confidence builder
What p=quarantine Does Not Do
Let’s be honest:
- Failing phishing emails still arrive, just in the spam folder
- Users can still dig them out and open them
- It's not a hard stop
Better than nothing.
Still not the finish line.
Morse Translation
p=quarantine says:
“If it looks dodgy, treat it like rubbish.”
That’s progress.
But rubbish can still be opened.
p=reject: Full Enforcement (The Goal)
What p=reject Does
With p=reject enabled:
- Emails that fail DMARC are refused outright by receivers that enforce DMARC (typically during the SMTP transaction), assuming pct=100
- They never reach inbox or spam
- Spoofing of your exact domain stops dead
This is DMARC doing its actual job.
Why p=reject Matters More Than People Realise
When properly implemented, p=reject:
- Stops exact-domain spoofing at every receiver that enforces DMARC (lookalike domains need separate controls)
- Protects your brand reputation
- Reduces invoice and payment fraud that relies on a forged From address
- Tends to improve deliverability, because mailbox providers trust authenticated senders
- Strengthens cyber insurance position
This is not “advanced security”.
This is finished security.
The Big Myth: “Reject Will Break Email”
Here’s the truth:
DMARC doesn’t break email.
It exposes broken email.
If legitimate messages fail under p=reject, it almost always means:
- A sender wasn't authenticated
- Alignment was wrong
- A system was forgotten
Those are problems you already had.
DMARC just stops them hiding.
The one exception is mail relayed through mailing lists or forwarders that modify it in transit; well-run lists rewrite the From address or pass ARC results, and your aggregate reports will show you which ones don't.
If you want to avoid that pain, read: Common DMARC mistakes that break legitimate email.
The Correct DMARC Policy Journey (Step by Step)
This is the safe, sane, grown-up path:
Step 1: Start with p=none
- Short-term only
- Publish rua= so aggregate reports actually arrive somewhere you read
- Identify all senders, third-party platforms included
Step 2: Fix Alignment
- Clean SPF records
- Enable DKIM everywhere
- Align visible From domains
If this step is rushed, pain follows.
Step 3: Move to p=quarantine
- Ramp with pct= if you want a gradual rollout (pct=25, then 50, then 100)
- Monitor impact
- Catch edge cases
- Build confidence
Step 4: Enforce p=reject
- Remove any pct= or sp=none left over from the ramp; subdomains inherit p= unless sp= overrides it
- Block spoofing
- Lock down identity
- Sleep better
Slow is smooth.
Smooth is safe.
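As an added, runnable example (not code from the original post, and not from any DMARC tool it mentions): the Python script below implements the behaviour described in the recap and in the four steps above. It parses each step's DMARC record with RFC 7489 defaults, applies the alignment rule (one aligned SPF or DKIM pass is enough), and returns the disposition a DMARC-enforcing receiver gives a spoofed message under p=none, p=quarantine with a pct= ramp, and p=reject, honouring sp= for subdomains. The domain example.com, the report mailbox, and the attacker.invalid sender are hypothetical, and the organisational-domain helper is simplified (real receivers consult the Public Suffix List).

```python
"""DMARC policy walk-through: what each p= value does to a failing message.

Added example, not code from the original post. It follows RFC 7489:
  * DMARC passes when SPF or DKIM passes for a domain *aligned* with the
    visible From domain (relaxed = same organisational domain, strict = exact)
  * a failing message gets the disposition from p= (or sp= for subdomains),
    softened by one step when pct= leaves it out of the sample
The domain, report address and sample messages are hypothetical.
"""
import random

# Hypothetical records for the policy journey described above (step 2 is a
# sender clean-up, not a record change, so it has no entry here).
JOURNEY = {
    "step 1 monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "step 3 ramp":    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "step 3 full":    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "step 4 enforce": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt, domain):
    """Parse a DMARC TXT record into a dict, applying RFC 7489 defaults.

    Raises ValueError for records a receiver would ignore (v= not first,
    no p= tag, bad values): an ignored record silently leaves you unprotected.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    sp = tags.get("sp", tags["p"])          # subdomains inherit p= unless sp= says otherwise
    if sp not in VALID_POLICIES:
        raise ValueError("bad sp= value")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be 0..100")
    return {"domain": domain.lower(), "p": tags["p"], "sp": sp, "pct": pct,
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r"),
            "rua": tags.get("rua")}


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    Real receivers use the Public Suffix List (co.uk-style TLDs are wrong here)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    if mode == "s":                          # strict: exact match only
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed


def dmarc_pass(policy, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """One aligned pass is enough; DMARC fails only when both checks miss."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    return spf_ok or dkim_ok


def disposition(policy, from_domain, passed, sample=None):
    """What a DMARC-enforcing receiver does with the message.

    Returns "none" (deliver), "quarantine" (spam folder) or "reject" (refuse).
    `sample` is the pct= dice roll in [0, 1); pass one for reproducible results.
    """
    if passed:
        return "none"
    from_domain = from_domain.lower()
    is_subdomain = (from_domain != policy["domain"]
                    and from_domain.endswith("." + policy["domain"]))
    action = policy["sp"] if is_subdomain else policy["p"]
    if sample is None:
        sample = random.random()
    if sample * 100 >= policy["pct"]:        # outside the pct sample: soften one step
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return action


def walk_journey(domain="example.com"):
    """Fate of one spoofed message (fails SPF and DKIM) at each step of the journey."""
    results = {}
    for step, txt in JOURNEY.items():
        policy = parse_dmarc(txt, domain)
        passed = dmarc_pass(policy, domain, False, "attacker.invalid", False, "attacker.invalid")
        results[step] = disposition(policy, domain, passed, sample=0.5)
    return results


if __name__ == "__main__":
    for step, action in walk_journey().items():
        print(f"{step:16} -> spoofed mail gets: {action}")
```

Run it and the spoofed message is delivered under step 1, delivered under the pct=25 ramp when it falls outside the sample (the RFC softens reject to quarantine and quarantine to none for unsampled mail), quarantined at full p=quarantine, and refused at p=reject. Swap in your own record strings to check that a subdomain policy or a leftover pct= does what you think it does before you publish it.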
How DMARC Policy Affects the Business (Not Just IT)
Choosing the right DMARC policy isn’t a technical preference.
It’s a risk decision.
With p=none
- Fraud risk remains high
- Insurers raise eyebrows
- Boards assume protection that doesn’t exist
With p=reject
- Risk is measurably reduced
- Controls are defensible
- Security posture looks intentional
This is why DMARC increasingly shows up in:
- Cyber insurance applications
- Risk registers
- Audit conversations
We cover this in depth here: Email authentication and cyber insurance requirements.
The Morse Take
p=none is a start.
p=quarantine is progress.
p=reject is the point.
If your DMARC policy never moved beyond monitoring,
you didn’t implement DMARC –
you just observed the problem politely.
And attackers love polite.
How This Fits Into the Bigger Picture
This post is part of our DMARC & Email Authentication cluster, anchored by our main guide:
DMARC: The Email Security Standard You Can’t Afford to Ignore
Related reads:
Dot. Dash. Enforced.