DMARC monitoring vs enforcement.
Monitoring shows you the gaps. Enforcement closes them. People use the words interchangeably — and that confusion is exactly why most domains can still be spoofed.
Two words. Not the same thing.
Both read your DMARC reports. Only one changes what happens to a forged email.
Monitoring
Observation.
Collects DMARC aggregate reports, parses them, and shows you who is sending as your domain and whether it aligns. You see the spoofing. The mail is still delivered.
Outcome: visibility
Enforcement
Action.
Advances your policy to p=quarantine, then p=reject, so receiving servers divert or refuse mail that fails authentication. The forged message never reaches the inbox.
Outcome: protection
The p=none plateau.
p=none is where monitoring ends and manual work begins. Receiving servers are told to take no action — so reports arrive, but forged mail is delivered. To leave the plateau you have to do the work below, by hand.
Most teams never finish it. They buy a monitoring tool, reach p=none, and stop — protected on paper, exposed in practice.
of domains publish no policy, or publish one and never enforce it
What monitoring leaves to you.
The four steps between a report and real protection. This is the last mile — and it is exactly the part a monitoring tool hands back to you.
01. Inventory every legitimate sender
Marketing platform, CRM, support desk, invoicing, the CEO's newsletter tool. Miss one and enforcement blocks real mail.
02. Align SPF and DKIM
Each sender has to pass authentication and align with your domain. Getting there means coordinating DNS changes across every provider.
03. Advance the policy, in stages
none → quarantine → reject, watching reports at each step so a misconfiguration is caught before it costs you delivered mail.
04. Hold it against drift
A new vendor, an edited record, an expired key — any of them can silently undo enforcement. Someone has to watch, forever.
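The staged advance described in these steps can be gated on aggregate report data. The sketch below is an added example, not code from this page or from Authex: it tallies DMARC pass/fail per source from one report and recommends the next policy stage only when no inventoried sender is failing. The report is a constructed sample in the RFC 7489 aggregate format, and `summarize`, `gate` and the known-sender set are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate schema, trimmed).
# IPs are documentation ranges. Real reports arrive from third parties,
# so parse them with a hardened parser such as defusedxml.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

STAGES = ["none", "quarantine", "reject"]

def summarize(report_xml):
    """Return (published policy, {source_ip: [pass_count, fail_count]})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none").strip()
    sources = defaultdict(lambda: [0, 0])
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip").strip()
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes if aligned DKIM or aligned SPF passes.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        sources[ip][0 if passed else 1] += count
    return policy, dict(sources)

def gate(report_xml, known_senders):
    """Return (recommended policy, failing known senders, failing unknown sources)."""
    policy, sources = summarize(report_xml)
    failing = [ip for ip, (_, failed) in sources.items() if failed]
    broken = sorted(ip for ip in failing if ip in known_senders)
    unknown = sorted(ip for ip in failing if ip not in known_senders)
    # Hold the current stage while any inventoried sender still fails;
    # unknown failing sources are what enforcement would divert or refuse.
    if broken or policy == "reject":
        return policy, broken, unknown
    return STAGES[STAGES.index(policy) + 1], broken, unknown

if __name__ == "__main__":
    print(gate(SAMPLE_REPORT, {"192.0.2.10", "198.51.100.7"}))
```

Review the unknown failing sources before advancing: each one is either spoofed mail or a legitimate sender missing from the inventory.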
When monitoring is the right call.
Monitoring is not wrong — it is incomplete. It is the correct first move: you cannot safely enforce a policy until you can see who sends on your behalf. The reports are genuinely valuable for spotting new senders and diagnosing delivery problems.
The mistake is treating the dashboard as the destination. Monitoring should sit on top of enforcement, not stand in for it. If your domain has been at p=none for more than a few weeks, monitoring has already done its job — and the next step is the one being skipped.
Authex does the last mile.
Authex is not another monitor. It owns your trust records and runs the four steps for you — inventorying senders, aligning authentication, advancing the policy to p=reject, and holding it against drift. Deterministically, gated by your real report data.
Questions, answered.
Is DMARC monitoring enough?
No. Monitoring tells you who is sending as your domain and whether mail is aligned — but it does not block anything. A domain at p=none with the best monitoring in the world is still fully spoofable. Monitoring is a useful first step for visibility; protection only begins at enforcement.
What's the difference between DMARC monitoring and enforcement?
Monitoring is observation: collecting DMARC aggregate reports, parsing them, and showing you dashboards. Enforcement is action: advancing your DMARC policy to p=quarantine or p=reject so receiving servers actually divert or refuse forged mail. The difference is whether spoofed email is merely visible to you, or actually stopped.
Why is my domain stuck at p=none?
Because p=none is where monitoring ends and manual work begins. To advance safely you have to inventory every legitimate sender, get SPF and DKIM aligned, then move the policy to quarantine and reject without breaking real mail — by editing DNS yourself. That last mile is left to the customer, so most domains never take it and sit at p=none for years.
Does DMARC monitoring stop spoofing?
No. At p=none, receiving servers are explicitly told to take no action on mail that fails DMARC. Reports still arrive, so you can see the spoofing — but the messages are delivered. Only p=quarantine and p=reject instruct receivers to divert or refuse forged mail.
Do I still need monitoring if I enforce?
Yes — and you get it. Enforcement does not remove visibility; the aggregate reports keep flowing, and you still want them to catch new senders and detect problems. The point is that monitoring should be the dashboard on top of enforcement, not a substitute for it.
See which side your domain is on.
Scan free to see your policy today — then let the Agent move you from monitoring to enforcement.