Skip to main content
All website issues
Technical Health

Your DMARC is set to monitor only

What this means for your business

Your domain has DMARC, but the policy is set to "monitor only" (p=none), so it watches without actually stopping anything. Fake email that impersonates your domain still gets delivered — you get the reports but none of the protection.

How to fix it
Easy
15–30 minutes

  1. 1Confirm you've been collecting DMARC aggregate reports (the rua= address in your record) long enough to trust that your legitimate email is passing SPF/DKIM.
  2. 2In your DNS settings, edit the existing "_dmarc" TXT record.
  3. 3Change "p=none" to "p=quarantine" — this tells Gmail/Outlook to send mail that fails authentication to the spam folder instead of the inbox.
  4. 4Monitor for a week or two to make sure no real mail is being caught.
  5. 5When you're confident, change "p=quarantine" to "p=reject" for the strongest protection — failing mail is blocked entirely.
  6. 6Re-scan to confirm the stronger policy is detected.

Pro tip: p=quarantine is the safe middle step: spoofed mail goes to spam (recoverable if something legitimate is mis-flagged) rather than being rejected outright. Sit at quarantine until you're certain, then move to reject.

Does your site have this problem?

SiteSprout scans your site, tells you which issues you actually have in plain English, and keeps watch so nothing breaks silently.

Scan your site free