I am seeing the warning, "DMARC record is valid, but set policy (none/quarantine) does not yet protect your domain against email spoofing and phishing." What is missing?

This warning is visible when:

  1. Your DMARC Policy is in the Monitoring stage (p=none).
  2. Your DMARC Policy is not yet fully enforced (p=quarantine).
  3. Your DMARC Policy is set to Reject, but the enforcement level is below 100% (pct<100).
  4. Your subdomain DMARC Policy is either set to None (sp=none) or Quarantine (sp=quarantine).

The purpose of DMARC (Domain-based Message Authentication, Reporting, and Conformance) is to enhance email security by preventing email spoofing and phishing attacks. When your DMARC policy is in the monitoring phase (p=none), or even in the stricter phases (p=quarantine or p=reject) but with a percentage less than 100%, it indicates that your domain is not yet fully safeguarded against these threats.

In the monitoring phase (p=none), DMARC is not actively blocking or quarantining emails that fail authentication checks; it's essentially in a reporting mode, allowing you to observe authentication results. To achieve comprehensive protection, it's recommended to progress towards higher enforcement levels. By updating your DMARC policy to "p=quarantine" (where emails failing authentication are quarantined) and eventually to "p=reject" (where such emails are rejected outright), you can significantly reduce the risk of email spoofing and phishing attacks targeting your domain.

Therefore, if you receive this alert, it serves as a reminder to ensure that your DMARC policy is not only set to a stricter level but also enforced at 100% to maximize the protection of your domain and its stakeholders against potential cyber threats.
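To check a record against the four conditions listed above, the following added example (not part of the original article or any vendor tool) parses a DMARC TXT record and lists why it is not yet fully enforced. The function names and the sample records are constructed for illustration, and `example.com` is a placeholder domain.

```python
# Added example: report which warning conditions a DMARC TXT record triggers.

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skip empty segments such as a trailing ';'
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def enforcement_gaps(record):
    """Return the reasons the record is not fully enforced ([] if none)."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # RFC 7489: pct defaults to 100
    # RFC 7489: an absent sp inherits p, so it is already covered by the p checks.
    sub_policy = tags.get("sp", "").lower()
    gaps = []
    if policy == "none":
        gaps.append("p=none: monitoring only")
    elif policy == "quarantine":
        gaps.append("p=quarantine: not yet p=reject")
    if policy != "none" and pct < 100:
        gaps.append(f"pct={pct}: policy applied to only part of failing mail")
    if sub_policy in ("none", "quarantine"):
        gaps.append(f"sp={sub_policy}: subdomains not at reject")
    return gaps


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25",
        "v=DMARC1; p=reject; pct=50; sp=quarantine;",
        "v=DMARC1; p=reject",
    ]
    for rec in samples:
        print(rec, "->", enforcement_gaps(rec) or "fully enforced")
```

An empty list means the record is at p=reject for the domain and its subdomains at 100%, which is the state in which the warning no longer applies.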