DMARCPulse

The DMARC Enforcement Gap: Why p=none Is Not Enough

DMARCPulse Team
Tags: Email Security, DMARC, SPF, Analysis

The Smoke Detector Without a Battery

Imagine installing a smoke detector in every room of your office — but never putting the batteries in. You went through the effort. You checked the box. But when a fire starts, nothing happens.

That is exactly what most organizations do with DMARC.

A new report by PowerDMARC analyzed 555 Canadian domains across seven industries. The headline numbers look encouraging: 88.7% have a DMARC record published in their DNS. But dig deeper, and the picture changes dramatically: only 28.1% enforce it with a policy of p=reject.

That means 7 out of 10 organizations with DMARC are running in monitoring mode. They can see that someone is spoofing their domain. They just chose not to do anything about it.

What Monitoring Mode Actually Means

When you publish a DMARC record with p=none, you are telling receiving mail servers: “If an email fails authentication, deliver it anyway — but send me a report about it.”

This is useful as a first step. It gives you visibility into who is sending email on behalf of your domain. But it provides zero protection. Spoofed emails still land in your recipients’ inboxes, carrying your brand name.

A policy of p=quarantine moves failing emails to the spam folder. A policy of p=reject tells receivers to drop them entirely. Only at p=reject is your domain fully protected against impersonation.

Why Organizations Get Stuck

If enforcement is so much better, why do most domains never get there? The answer almost always comes down to fear of breaking legitimate email.

Modern organizations send email from dozens of sources: marketing platforms, CRM systems, ticketing tools, billing services, HR software, monitoring alerts. Each of these services needs to be properly authorized via SPF or DKIM. If even one legitimate source is missing, moving to p=reject means those emails get blocked.

So teams stay in monitoring mode — “just until we’ve sorted everything out.” Weeks turn into months. Months turn into years. And the problem only gets harder over time:

  • New services get added without updating SPF or DKIM
  • Shadow IT sends email from your domain without anyone knowing
  • SPF records grow until they hit the 10 DNS lookup limit, causing silent failures
  • Staff turnover means the person who started the DMARC project has moved on

The irony is that the longer you wait, the more complex the migration becomes.

The Numbers Are Stark

The Canadian report is not an outlier. Similar patterns appear globally:

  • MTA-STS adoption across the same Canadian domains sits at just 3.2% — meaning 96.8% of domains have no protection against TLS downgrade attacks on inbound email
  • DNSSEC adoption is at 9.4% — leaving over 90% of domains vulnerable to DNS hijacking
  • According to Cloudflare’s 2026 threat report, 46% of all emails globally fail DMARC validation

The gap between “having DMARC” and “enforcing DMARC” is one of the biggest blind spots in email security today.

How to Close the Gap

Moving from p=none to p=reject is not complicated. It is methodical. Here is the path:

1. Actually Read Your DMARC Reports

DMARC aggregate reports are XML files that receiving mail servers send to you daily. They contain data about every email sent from your domain: which sources passed SPF and DKIM, which failed, and why.

Most organizations collect these reports but never analyze them. That is like having security camera footage and never watching it.

2. Identify Every Legitimate Sending Source

Go through your reports and catalog every service that sends email on behalf of your domain. Common sources include:

  • Your primary email provider (Google Workspace, Microsoft 365)
  • Marketing tools (Mailchimp, HubSpot, Brevo)
  • Transactional email services (SendGrid, Amazon SES, Postmark)
  • Ticketing systems (Zendesk, Freshdesk)
  • CRM platforms (Salesforce, Pipedrive)
  • Internal applications and monitoring tools

3. Fix SPF and DKIM for Each Source

For each legitimate source, ensure it is included in your SPF record and that DKIM signing is properly configured. This is where most of the work happens — and where specific, actionable recommendations make all the difference.

Instead of a generic “SPF failed for source X,” you need to know exactly which include: to add or which DKIM selector to configure.

4. Move to Quarantine, Then Reject

Once your authentication pass rates are consistently high (above 95%), move your policy to p=quarantine. Monitor for a few weeks to catch any remaining issues. Then move to p=reject.

This gradual approach minimizes risk while steadily increasing protection.
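Steps 1 to 4 above, carried out on a single aggregate report, as an added example (this is not DMARCPulse's code): it parses the RFC 7489 XML, lists each sending source with a concrete fix for the ones failing alignment, and applies the 95% pass-rate threshold to decide whether the policy may step from none to quarantine to reject. The sample report, the IP addresses and the mailer.example domains are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 format), not real data. Source 2 is a
# third-party mailer signing and bouncing under its own domains, so neither identifier
# aligns with example.com and DMARC fails even though SPF and DKIM each "passed".
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>900</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
<spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>80</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<auth_results><dkim><domain>mailer.example</domain><result>pass</result></dkim>
<spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def parse_report(xml_text):
    """Return (published policy, per-record rows with DMARC alignment results)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")  # aligned results, not raw SPF/DKIM
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "aligned": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return root.findtext("policy_published/p"), rows

def summarize(rows):
    """Per source IP: message totals plus a concrete fix hint for failing sources."""
    out = {}
    for r in rows:
        s = out.setdefault(r["ip"], {"total": 0, "passed": 0, "fix": None})
        s["total"] += r["count"]
        if r["aligned"]:
            s["passed"] += r["count"]
        else:  # name the exact change instead of a generic "SPF failed"
            s["fix"] = (f"DKIM signed by {r['dkim_domain']}, SPF checked {r['spf_domain']}: "
                        "configure a DKIM selector for your domain or add the service's include:")
    return out

def next_policy(current, summary, threshold=0.95):
    """Step none -> quarantine -> reject only once the pass rate clears the threshold."""
    total = sum(s["total"] for s in summary.values())
    rate = sum(s["passed"] for s in summary.values()) / total if total else 0.0
    step = {"none": "quarantine", "quarantine": "reject"}
    return (step.get(current, current) if rate >= threshold else current), rate
```

Real deployments read the gzip/zip attachments from the rua mailbox and accumulate rows across many receivers and days before trusting the pass rate.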

Don’t Let Your DMARC Record Be Decoration

A DMARC record at p=none is a starting point, not a destination. The data it collects is valuable — but only if you act on it. Every day your domain stays in monitoring mode is a day attackers can send spoofed emails in your name, and your recipients have no protection.

The fix is not about buying more tools or hiring more people. It is about turning the data you already have into specific actions: which DNS records to change, which services to configure, which gaps to close.

That is exactly what DMARCPulse is built for. Instead of generic warnings like “SPF failed,” DMARCPulse gives you actionable recommendations — specific DNS values you can copy and paste. It analyzes your DMARC reports, identifies your sending sources, and tells you exactly what to fix. Start your free 7-day trial and move from monitoring to enforcement.

Summary

  • 88.7% of Canadian domains have DMARC — but only 28.1% enforce it at p=reject
  • Monitoring mode (p=none) provides visibility but zero protection against spoofing
  • Organizations get stuck because they fear breaking legitimate email from third-party services
  • The fix is methodical: analyze reports, identify sources, fix authentication, then enforce
  • The longer you wait, the harder enforcement becomes — start now