The Hidden Cost of Staying at p=none
What weak email authentication is actually costing your business.

You have a DMARC record. You checked the box. Your compliance team is happy. So why does it feel like nothing actually changed?
Because nothing did.
A DMARC policy of p=none is monitoring mode. It collects reports about who’s sending email as your domain. It does not stop anyone from spoofing you. It does not protect your customers from phishing. It does not prevent attackers from impersonating your CEO to request a wire transfer.
The record exists. The protection doesn’t.
And that gap between “we have DMARC” and “we’re actually protected” is costing companies more than most realize.
The direct costs nobody talks about
Let’s start with the obvious one: fraud.
Business email compromise resulted in $2.77 billion in reported losses in the US in 2024, according to the FBI’s Internet Crime Complaint Center. That’s just what got reported. The actual number is higher. The average BEC incident costs around $130,000.
These attacks work because attackers can send email that appears to come from legitimate domains. When your DMARC policy is p=none, you’re asking receiving servers to take no action against messages that fail authentication, so spoofed mail gets delivered anyway. You’re making the attacker’s job easier.
DMARC at enforcement can reduce BEC success rates by approximately 70%. That’s not a typo. Seven out of ten attacks that would have worked against an unprotected domain get blocked when DMARC is properly configured.
If your company handles any amount of money through email-initiated processes, the ROI calculation here is straightforward. The cost of reaching enforcement is measured in hours of work. The cost of a successful BEC attack is measured in hundreds of thousands of dollars and, sometimes, careers.
The deliverability tax
Here’s one that hits the marketing budget: weak authentication hurts email deliverability.
Email providers use authentication signals to decide whether your messages are trustworthy. SPF, DKIM, and DMARC all factor into reputation scoring. When you’re stuck at p=none, you’re telling mailbox providers that you haven’t fully committed to authentication. They notice.
Organizations that move to DMARC enforcement often see deliverability improvements of 5-10%. Your marketing campaigns reach more inboxes. Your transactional emails don’t disappear into spam folders. Open rates go up. Revenue follows.
This isn’t theoretical. Google’s bulk sender requirements explicitly tie authentication to deliverability. If you’re sending more than 5,000 emails a day to Gmail addresses and you’re not properly authenticated, you’re already seeing the effects. Messages get rejected. Campaigns underperform. And the marketing team blames the subject lines.
The subject lines are fine. Your authentication isn’t.
The reputation damage you can’t measure
When someone receives a phishing email that looks like it came from your domain, they don’t blame the attacker. They blame you.
“Why is your company sending me spam?” “I got a suspicious invoice from your accounts department.” “Your CEO just asked me to buy gift cards.”
Every one of these complaints erodes trust. Some percentage of recipients won’t bother complaining. They’ll just stop doing business with you. They’ll tell their colleagues. They’ll leave reviews.
You’ll never see most of this damage in your metrics. It shows up as deals that don’t close, renewals that don’t happen, referrals that don’t come through. The connection between “someone spoofed our domain” and “revenue is down” is invisible but real.
Countries that mandated DMARC enforcement saw phishing success rates drop from 69% to 14%. That’s a dramatic reduction in the number of people getting tricked by emails pretending to be from legitimate organizations. When you’re at enforcement, you’re part of the solution. When you’re at p=none, you’re part of the problem.
The compliance clock is ticking
If you’re in certain industries, the cost of weak authentication is about to become very concrete.
PCI DSS v4.0 now requires DMARC policies set to quarantine or reject for organizations handling card payments. The deadline was March 2025. If you’re processing payments and you’re still at p=none, you have a compliance problem.
Google and Yahoo’s bulk sender requirements have been in effect since February 2024. Microsoft started rejecting non-compliant email in May 2025. These aren’t suggestions. They’re requirements with enforcement mechanisms.
The regulatory direction is clear: authentication is becoming mandatory. The organizations scrambling to comply at the last minute will pay premium rates for consultants and rush implementations. The ones who moved early get to watch from the sidelines.
The opportunity cost of endless monitoring
Here’s the subtlest cost: the time and attention spent on a project that never finishes.
Your team set up DMARC. They looked at the reports for a while. They identified some problems. They meant to fix them. Then other priorities came up. Now someone brings up email authentication in a meeting every quarter and everyone agrees it’s important and nothing changes.
That’s not a security program. That’s a recurring calendar item.
The mental overhead of knowing you have an incomplete project sitting there, the energy spent in meetings discussing why it’s not done, and the credibility lost when leadership asks about email security and the answer is “we’re working on it” are all real. None of it is on any balance sheet, but it’s there.
Finishing things has value. The organization that gets to p=reject can close that chapter and move on. The one stuck at p=none drags it around forever.
What enforcement actually looks like
Moving from p=none to p=reject isn’t magic. It’s work. But it’s finite work with a clear end state.
The process goes like this: You identify every legitimate source sending email as your domain. You make sure each one is properly authenticated with SPF and DKIM alignment. You move to p=quarantine and watch for problems. You fix what breaks. You move to p=reject.
The hard part isn’t the DNS changes. It’s the vendor coordination. Your ESP needs to sign with your domain. Your CRM needs custom DKIM configured. Your marketing platform needs to actually implement the authentication settings you asked for months ago.
This is where most projects stall. Not because the technology is hard, but because getting external vendors to prioritize your authentication requests is tedious and frustrating.
The solution is better tooling. When you can show a vendor exactly what’s failing with evidence they can act on, the conversation changes. Instead of “please fix your authentication,” it becomes “here’s the specific failure, here’s the impact, here’s what needs to change.”
The math isn’t complicated
Run the numbers for your organization.
On one side: the cost of reaching enforcement. Some hours of internal work. Maybe a DMARC monitoring service. Some back-and-forth with vendors.
On the other side: the expected cost of BEC attacks multiplied by your probability of being targeted (spoiler: it’s higher than you think). Plus the deliverability tax on your email marketing. Plus the reputational risk. Plus the compliance exposure. Plus the opportunity cost of an unfinished project.
The math isn’t close.
The destination is enforcement. The question isn’t whether you should get there. It’s how long you’re willing to pay the cost of staying at p=none.
Ready to stop monitoring and start protecting?
Verkh gets you from p=none to p=reject without the coordination headaches. See who’s sending as your domain, identify what’s failing, and generate vendor reports that actually get results.