A DMARC record set to p=none is in monitoring mode: it sends reports about email authentication but takes no action against unauthenticated emails. Hamilton365 regularly reviews tenants where DMARC has been at p=none for months or years with no plan to progress to enforcement. This leaves the domain fully open to spoofing.
p=none tells receiving mail servers: check authentication and send me reports, but don't do anything with emails that fail. With p=none in place, an attacker can send email from your domain to your customers and it will be delivered as if it came from you.
Tenants tend to stay at p=none for a few recurring reasons: reports are difficult to interpret without tooling, moving to enforcement feels risky without proper analysis, and nobody takes ownership of the process.
Review DMARC aggregate reports to identify all legitimate sending sources. Ensure all legitimate senders are in SPF with DKIM configured. Move to p=quarantine and monitor. Progress to p=reject. The journey is achievable for most organisations within a few weeks of focused effort. Hamilton365 manages this process for clients as part of email security engagements.