4 situations in which you should use the DMARC’s p=none policy
DMARC has three policies— none, quarantine, and reject. The ‘quarantine’ and ‘reject’ policies are strict and are used the most. However, there are cases where the ‘none’ policy is ideal. The ‘none’ policy is enforced using the p=none tag in a DMARC record. It instructs the receiving servers to take no action against unauthorized emails sent from your domain.
It’s obvious for you to think of the ‘none’ policy as the useless or inefficient one, but here are four ideal use cases for it.
1. For a domain that has just begun with DMARC
If you have just implemented DMARC for your domain, it’s not ideal to enforce the ‘quarantine’ or ‘reject’ policy as you are yet to know if your emails are being subjected to false negatives and false positives. So, first, start monitoring the relationship of your domain with different receiving mailboxes.
Another reason why experts ask to start with the p=none policy is because it helps you enlist all the legitimate sources sending emails from your domain. So, before you move to the stricter policies, you should have this list ready. Otherwise, you might miss out on enlisting a genuine sender in the list, subjecting their emails to delivery failures.
2. For gradually progressing DMARC policies
It’s good to move gradually from the p=none policy to stricter ones like p=quarantine or p=reject to avoid disrupting email flow. Being hasty about this can cause problems, especially if SPF and DKIM aren’t correctly aligned. A slow, phased approach gives you enough time to identify and fix the issues without hampering the deliverability of genuine messages sent from your domain.
Once you are sure that everything is configured correctly and that there are minimum, tolerable instances of false positives or negatives, you can safely adopt stricter policies.
3. To maintain or improve the deliverability rate for domains used for transactional emails
If you have a domain or subdomain dedicated to sending transactional emails or receipts, using the ‘none’ policy is advised. If this process involves third-party vendors like CRM systems or marketing platforms, stick to the p=none policy for a long time. Progress to ‘quarantine’ or ‘reject’ only when you are fully confident.
We emphasize this approach because the ‘none’ policy lets you spot third-party senders and check their authentication settings without affecting the delivery of important emails. You also get to know if any external senders need updates to their authentication.
4. For businesses with multiple units, channels, and teams
Large companies have several teams and departments, complicating and decentralizing the email flow. If that’s the case with you, enforce p=none to monitor emails across departments. This is even more useful when you have to apply a single authentication method across all the existing and upcoming systems.
We suggest you pay attention to monitoring DMARC reports to detect non-compliant sources. If managing and monitoring XML reports is challenging for you, reach out to us. We can take care of it and help you adjust DMARC policies and other configurations as and when required. This will ensure optimum protection from phishing and spoofing attacks attempted in your name.