Email Security 5 min read · March 28, 2026

Your DMARC Is Set to 'none'. Here's Why That's Dangerous.

Ismail Zemouri
CISSP · PKI Architect

During an OSINT assessment this week, I found a Belgian e-commerce company with email security so weak that anyone could send emails as their domain. The emails would land in recipients' inboxes — not spam. Inbox.

What I Found

DNS check

$ dig _dmarc.target.be TXT +short

"v=DMARC1; p=none"

$ dig target.be TXT +short | grep spf

"v=spf1 include:_spf.hostedemail.com ~all"

$ dig default._domainkey.target.be TXT +short

(empty — no DKIM configured)

Three failures in one domain:

SPF: ~all (softfail) — spoofed emails get a "maybe suspicious" flag but still deliver. Should be -all (hardfail).
DMARC: p=none — tells receiving servers "don't do anything if SPF/DKIM fails." It's monitoring mode. No protection.
DKIM: not configured — no cryptographic signature on outgoing emails. No way to verify authenticity.

The Fix (5 Minutes)

1. SPF: Change ~all to -all

2. DMARC: Add or change TXT record:

_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"

3. DKIM: Configure through your email provider. Most (Google Workspace, Microsoft 365) have a setup wizard.

Cost: EUR 0. Time: 5 minutes. Protection: prevents brand impersonation, phishing, and invoice fraud.
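The three checks above can be run offline against TXT records you have already fetched with dig. The following is an added example, not code from the original post: the function names are made up for illustration, the "after" SPF record is the record from the dig output with only the qualifier changed, and the DKIM key value is a constructed placeholder.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on SPF's 'all' mechanism, or None if there is none."""
    terms = record.strip().strip('"').lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None


def audit(spf, dmarc, dkim):
    """Map each failing mechanism to the reason it fails; empty dict = all pass."""
    findings = {}
    qualifier = spf_all_qualifier(spf)
    if qualifier != "-":
        findings["SPF"] = f"'all' qualifier is {qualifier!r}, expected '-' (hardfail)"
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1":
        findings["DMARC"] = "no DMARC record"
    elif policy == "none":
        findings["DMARC"] = "p=none is monitoring only, nothing is enforced"
    elif policy not in ("quarantine", "reject"):
        findings["DMARC"] = "missing or invalid p= tag"
    if not parse_tags(dkim).get("p"):  # empty TXT answer or empty p= (no usable key)
        findings["DKIM"] = "no public key published for the queried selector"
    return findings


# Constructed inputs: the records from the dig output above, then the fixed ones.
BEFORE = audit("v=spf1 include:_spf.hostedemail.com ~all", "v=DMARC1; p=none", "")
AFTER = audit("v=spf1 include:_spf.hostedemail.com -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com",
              "v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_KEY")

if __name__ == "__main__":
    print("before:", BEFORE, "\nafter:", AFTER or "all three checks pass")
```

The DKIM check only covers the selector whose TXT record you pass in. `default` is one possible selector name, and the selector your provider actually uses appears in the `s=` tag of the DKIM-Signature header on mail it sends.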

Check Yours Now

Go to mxtoolbox.com/dmarc.aspx and enter your domain. If you see p=none or no DMARC record at all, you're exposed.

Your domain reputation is an asset. Protect it like one.