DMARC is valid but I am seeing the warning, “Your DMARC record is set to None (p=none) or Quarantine (p=quarantine) policy, which will not protect against email spoofing and phishing”.

This warning is visible when:

  1. Your DMARC Policy is in the Monitoring stage (p=none).
  2. Your DMARC Policy is not yet fully enforced (p=quarantine).
  3. Your DMARC Policy is set to Reject, but the enforcement level is below 100% (pct<100).
  4. Your subdomain DMARC Policy is either set to None (sp=none) or Quarantine (sp=quarantine).

 

DMARC (Domain-based Message Authentication, Reporting, and Conformance) aims to enhance email security by preventing spam and phishing attacks. It allows domain owners to specify a policy for unauthenticated messages. The available policies are none, quarantine, and reject.

Each policy defines a different way of handling unauthenticated emails:


  1. None (p=none): Monitors email traffic without affecting delivery. Use this policy when starting with DMARC to gather reports and identify issues.
  2. Quarantine (p=quarantine): Marks unauthenticated emails as suspicious (e.g., moves them to spam). Use this policy after reviewing reports and addressing major issues.
  3. Reject (p=reject): Blocks unauthenticated emails entirely. Use this policy only when confident your legitimate emails are properly authenticated.

When your DMARC policy is in the monitoring phase (p=none), or even in the stricter phases (p=quarantine or p=reject) but with a percentage less than 100%, it indicates that your domain is not yet fully safeguarded against these threats.

In the monitoring phase (p=none), DMARC is not actively blocking or quarantining emails that fail authentication checks; it's essentially in a reporting mode, allowing you to observe authentication results. To achieve comprehensive protection, it's recommended to progress towards higher enforcement levels. By updating your DMARC policy to "p=quarantine" and eventually to "p=reject", you can significantly reduce the risk of email spoofing and phishing attacks targeting your domain.

If you see this warning, it doesn’t indicate an issue but rather serves as a reminder of best practices for implementing DMARC. It is generally recommended to begin your DMARC journey with a "none" policy to monitor email authentication without affecting mail flow. Gradually, you can progress towards stricter policies, like "quarantine" or "reject", as your domain achieves compliance.

The warning emphasizes that for maximum protection against potential cyber threats, such as phishing or spoofing, your DMARC policy should eventually be enforced at 100%. This ensures that all unauthenticated emails are handled according to your policy, safeguarding both your domain and its stakeholders.
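The four conditions listed at the top of this article can be checked mechanically against a published DMARC record. The following Python is an added example, not the checker that produces the warning; the function names and sample records are constructed for illustration, and it assumes condition 4 applies only when an `sp` tag is explicitly present.

```python
# Added example: evaluate a DMARC TXT record against the four warning
# conditions in this article. All records below are constructed samples.

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags

def warning_reasons(record):
    """Return the numbers (1-4) of the article's conditions that apply."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    # pct defaults to 100 when absent; an unparsable value is treated the same.
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    reasons = []
    if policy == "none":                      # 1: monitoring stage
        reasons.append(1)
    if policy == "quarantine":                # 2: not yet fully enforced
        reasons.append(2)
    if policy == "reject" and pct < 100:      # 3: reject, but only partly applied
        reasons.append(3)
    if tags.get("sp", "").lower() in ("none", "quarantine"):  # 4: subdomains
        reasons.append(4)
    return reasons

SAMPLES = [  # constructed records for illustration
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=50",
    "v=DMARC1; p=reject; pct=25",
    "v=DMARC1; p=reject; sp=quarantine",
    "v=DMARC1; p=reject; sp=reject; pct=100",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        hits = warning_reasons(rec)
        status = "warning, conditions %s" % hits if hits else "fully enforced"
        print("%-50s -> %s" % (rec, status))
```

Only the last sample record, with `p=reject`, `sp=reject` and `pct=100`, clears every condition.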