Introduction
A surprising statistic emerges every time someone audits the global DMARC posture: a large majority of domains with a published DMARC record are stuck at p=none. They published the record, watched the reports for a while, and stopped. The protection their policy could have delivered — exact-domain spoofing made operationally impossible — has never come.
This article makes the case for DMARC enforcement: why monitoring is not protection, what enforcement actually costs in effort, and why the gap between published and enforced is the gap between "we did DMARC" and "we're DMARC-protected." If you're at p=none today and don't have a date for moving up, this article is aimed at you.
Why this topic matters
DMARC was designed as a policy framework. The policy tag — p=none, p=quarantine, p=reject — is the single instruction that determines whether the system does anything. Without enforcement, DMARC is a diagnostic tool. With enforcement, it's a security control.
The mistake of treating monitoring as the end state is so widespread that it has become the default DMARC posture. Auditors increasingly call this out specifically — a domain at p=none for more than 90 days is treated as evidence of an incomplete implementation. Cyber insurers are starting to differentiate quotes the same way.
What monitoring actually gives you
p=none is genuinely valuable for a defined, finite phase of work:
- A per-sender inventory of who's sending as your domain
- Pass-rate data per sender, per receiver
- Visibility into spoofing attempts (the failures from IPs you don't recognize)
- Early warning of misconfigured legitimate senders
The phrase "for a defined, finite phase" is the load-bearing part. Monitoring is the audit that makes safe enforcement possible. It's a means, not an end.
A domain that stays at p=none for years is in the same security posture as a domain with no DMARC record at all — slightly better diagnostics, identical protection. Attackers spoofing the domain succeed equally well in both cases.
What enforcement gives you that monitoring doesn't
The deliverable from enforcement is a binary outcome: exact-domain spoofing of your brand is impossible at major mailbox providers. This produces concrete, measurable business outcomes that monitoring does not:
- Brand-impersonation phishing aimed at your customers stops working. DMARC vs phishing covers the specific attack types this eliminates.
- Mail-flow deliverability improves. Receivers treat enforced domains as more trustworthy; legitimate mail benefits from your domain's protected reputation.
- Cyber-insurance posture improves. Underwriters explicitly differentiate between published and enforced.
- Compliance frameworks get satisfied. PCI DSS, GDPR, and sector regulations treat enforcement, not publication, as the goal.
- BIMI becomes available. BIMI requires enforcement — your brand logo in the inbox is gated on p=quarantine or p=reject.
The gap between monitoring and enforcement is the gap between knowing about the problem and solving it.
Step-by-step approach to moving from monitoring to enforcement
The mechanics are well-defined; the discipline is what's hard. How to move from DMARC monitoring to enforcement safely has the detailed walk-through; here's the compressed version:
- Set a date. A specific calendar date by which you intend to be at p=reject. Without a date, the work doesn't happen.
- Remediate to ≥99% pass on all legitimate senders. Aggregate-report analysis tells you which are below threshold; fix each. Common DMARC errors covers the typical fixes.
- Move to p=quarantine pct=10. Controlled experiment. Watch reports.
- Ratchet pct= up: 25, 50, 100. Two weeks at each step is typical.
- Move to p=reject pct=100. End state.
The whole path from "start of remediation" to "fully enforced" is 6-12 weeks for a typical domain. For enterprise multi-brand setups it can extend, but the shape is the same.
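The readiness decision behind the steps above, as an added example that is not code from the article: a Python script that parses a DMARC aggregate (RUA) report, computes the pass rate over inventoried senders only (so unknown, probably spoofing, sources cannot hold the ramp back), and emits the TXT record for the next ramp step only once the ≥99% threshold is met. The report XML, the KNOWN_SENDERS inventory and the rua address are all constructed for the example.

```python
"""Summarise a DMARC aggregate (RUA) report and decide whether the domain
is ready for the next step of the enforcement ramp.

Added example: the XML is a constructed sample report, KNOWN_SENDERS is a
hypothetical inventory and the rua address is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report (shape per RFC 7489 Appendix C): an aligned corporate
# gateway, a marketing vendor that signs with its own domain (DKIM passes,
# alignment fails) and an unknown source that is almost certainly spoofing.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailvendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailvendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Hypothetical sender inventory built up during the monitoring phase.
KNOWN_SENDERS = {
    "192.0.2.10": "corporate mail gateway",
    "198.51.100.7": "marketing platform (mailvendor.example)",
}

# The ramp from the article: quarantine at rising pct, then reject.
RAMP = [("quarantine", 10), ("quarantine", 25), ("quarantine", 50),
        ("quarantine", 100), ("reject", 100)]
PASS_THRESHOLD = 0.99


def parse_report(xml_text):
    """Return {source_ip: {"total": n, "pass": n}}.

    A message passes DMARC when the aligned DKIM or aligned SPF result in
    <policy_evaluated> is 'pass'. A vendor's own-domain DKIM pass in
    <auth_results> does not count, which is how unaligned senders show up.
    """
    stats = defaultdict(lambda: {"total": 0, "pass": 0})
    for record in ET.fromstring(xml_text).iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        stats[ip]["total"] += count
        stats[ip]["pass"] += count if aligned else 0
    return dict(stats)


def legitimate_pass_rate(stats, known=KNOWN_SENDERS):
    """Pass rate over inventoried senders only; unknown sources are treated
    as spoofing attempts and must not hold the ramp back."""
    rows = [s for ip, s in stats.items() if ip in known]
    total = sum(s["total"] for s in rows)
    return sum(s["pass"] for s in rows) / total if total else 1.0


def next_policy(current_p, current_pct, rate):
    """Next (p, pct) on the ramp, or the current pair if legitimate senders
    are still below PASS_THRESHOLD (remediate first)."""
    current = (current_p, current_pct)
    if rate < PASS_THRESHOLD:
        return current
    step = RAMP.index(current) + 1 if current in RAMP else 0
    return RAMP[min(step, len(RAMP) - 1)]


def dmarc_record(p, pct, rua="mailto:dmarc-rua@example.com"):
    """Render the TXT record; pct is omitted at its default of 100."""
    record = f"v=DMARC1; p={p}; rua={rua}"
    return record if pct == 100 else f"{record}; pct={pct}"


if __name__ == "__main__":
    stats = parse_report(SAMPLE_REPORT)
    rate = legitimate_pass_rate(stats)
    for ip, s in stats.items():
        print(f"{ip:15} {KNOWN_SENDERS.get(ip, 'UNKNOWN'):40} {s['pass']}/{s['total']} aligned")
    print(f"legitimate pass rate: {rate:.1%} (threshold {PASS_THRESHOLD:.0%})")
    print("unknown sources:", sorted(ip for ip in stats if ip not in KNOWN_SENDERS))
    print("next record:", dmarc_record(*next_policy("none", 100, rate)))
```

With the constructed report the vendor's 300 unaligned messages pull the legitimate pass rate down to 80%, so the script leaves the record at p=none and the vendor is the remediation item; once the inventoried senders clear 99%, the same call returns p=quarantine pct=10 and each later run advances one step on the ramp.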
What's actually stopping most teams
The reasons domains get stuck at p=none are mostly organizational, not technical:
- No one has the calendar accountability. Without a named owner and a date, the rollout drifts. Add both.
- Fear of breaking legitimate mail. Legitimate concern, addressable by the data — the reports tell you exactly when you're safe to move.
- No DMARC platform to make reports readable. Manual XML parsing is unsustainable. A platform reduces report review from hours to minutes.
- Unknown senders that can't be quickly identified. Marketing tools, vendor systems, legacy infrastructure. The discovery phase needs to actually finish.
- Inertia. "It's working" — meaning "the monitoring reports keep arriving" — gets confused for "we're done."
Each of these is solvable. The first signal that the rollout has stalled is silence: reports arrive, no one acts on them, weeks pass.
Best practices
- Treat the rollout as a project with a deadline. Two months, not two quarters.
- Assign a single owner. A named individual responsible for the move from p=none to p=reject. Otherwise it's nobody's job.
- Use a DMARC platform for report parsing. The 30-minute weekly review at a platform replaces the 5-hour monthly slog through XML.
- Don't let pct= become a permanent state. pct= is for the ramp. Eventually you live at p=reject pct=100 (or omit pct= entirely).
- Plan the BIMI follow-up. BIMI is the natural next milestone once enforcement is live.
What enforcement looks like in steady state
Once at p=reject, the operational posture is light:
- Weekly: glance at the aggregate-report dashboard. Confirm pass rate stayed at ~100%, no new senders appeared.
- Monthly: review any new senders or anomalies. Add legitimate ones to the authenticated set; investigate any unidentified ones.
- Quarterly: check sp= and other tags for any change in business circumstance (new subdomains, new business units, M&A activity).
- Annually: verify the record is still optimal — domain landscape changes, DMARC spec evolves slowly, periodic review is healthy.
That's the entire ongoing cost of enforcement once it's in place. It's substantially lower than the cost of monitoring done well — because monitoring requires active interpretation of failures that enforcement just blocks at SMTP.
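The quarterly record check above, together with the earlier best-practice point about not leaving pct= in place permanently, as an added example that is not a tool from the article: a small Python linter that parses a DMARC TXT record and flags p=none, a lingering pct, an sp= weaker than p, and a missing rua=. The sample records are constructed; the defaults it applies (sp inherits p when absent, pct defaults to 100) are from RFC 7489.

```python
"""Lint a DMARC TXT record for the steady-state checks in the article:
p is at reject, pct has not been left as a permanent ramp value, and the
subdomain policy (sp) has not drifted below p.

Added example with constructed records; not a tool from the article.
"""

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict.

    Tags are 'name=value' pairs separated by ';' (RFC 7489 section 6.4);
    tag names are case-insensitive and 'v=DMARC1' must come first.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: 'v=DMARC1' must be the first tag")
    if "p" not in tags:
        raise ValueError("missing mandatory 'p' tag")
    return tags


def lint_dmarc(record):
    """Return (posture, findings) for a record.

    posture is one of 'monitoring' (p=none), 'ramp' (pct below 100),
    'quarantine' or 'reject'; findings are the human-readable issues.
    """
    tags = parse_dmarc(record)
    findings = []
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()      # sp inherits p when absent
    pct = int(tags.get("pct", "100"))   # pct defaults to 100
    if p not in POLICY_STRENGTH or sp not in POLICY_STRENGTH:
        raise ValueError(f"unknown policy value: p={p} sp={sp}")

    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; p=reject is the end state")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy; "
                        "pct is for the ramp, not a permanent state")
    if POLICY_STRENGTH[sp] < POLICY_STRENGTH[p]:
        findings.append(f"sp={sp} is weaker than p={p}: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    if p == "none":
        posture = "monitoring"
    elif pct < 100:
        posture = "ramp"
    else:
        posture = p
    return posture, findings


# Constructed records illustrating each posture the article describes.
SAMPLES = {
    "stuck at monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "mid-ramp": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@example.com",
    "sp drifted": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-rua@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        posture, findings = lint_dmarc(record)
        print(f"[{posture:>10}] {label}: {record}")
        for finding in findings:
            print("             -", finding)
```

Running the linter against the live TXT record in the quarterly review turns the "check sp= and other tags" item into a one-line check: the only record that comes back with no findings is the p=reject one with pct at its default and no weaker subdomain policy.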
Recommended next step
If you're at p=none, the action is to set a date and assign an owner. Both within the next week. Without those, the next 90 days will look identical to the last 90 — reports arriving, no progress made.
If the obstacle is operational tooling, a DMARC platform reduces the per-sender remediation effort substantially. The DMARC AI sender dashboard surfaces every failing sender with a one-click remediation guide.
For MSPs, the enforcement gap is the consulting opportunity. Most client domains your prospects look at are stuck at p=none. The DMARC sales script for MSPs is built around exactly this gap.
FAQ
Isn't p=none better than no DMARC record at all?
Marginally. You gain visibility but no protection. The relevant comparison is p=none vs p=reject, where the security difference is total.
Why do most domains stay at p=none?
Organizational inertia, mostly. The technical move is small; the discipline to schedule it and own it is the bottleneck.
What's the actual cost of moving to enforcement?
For a domain with normal sender complexity, 20-40 hours of total engineering time spread across 6-12 weeks. Most of that is remediation; the policy changes themselves are minutes.
Will moving to enforcement hurt my deliverability?
Done right, no. Deliverability improves because mailbox providers treat enforced domains as more trustworthy. The risk is moving up before remediation is complete; that risk is what the monitoring phase is for.
What if I have legitimate senders I can't authenticate?
Rare in 2026 — most platforms now support custom DKIM. If you have one that genuinely can't be authenticated, how to handle third-party senders during DMARC projects covers the patterns (subdomain isolation, gradual migration).
Final thoughts
DMARC monitoring is the diagnostic that makes enforcement safe. DMARC enforcement is the security control that protects the domain. The two are not interchangeable; the second is the goal, the first is the path.
The domains that complete the rollout join a small set of unspoofable brands. The domains that stall at monitoring stay in the much larger set that an attacker can target with confidence. The gap between them is a calendar date and the discipline to keep it.