The Padlock Everyone Brags About Is Hanging on an Open Door — editorial illustration

read receipts

The Padlock Everyone Brags About Is Hanging on an Open Door

Your bank has DMARC. So does your airline. It's doing roughly nothing, and the setting that proves it is one word long.

·3 min read

Roughly nine in ten domains that publish a DMARC record have it set to p=none — the mode that tells the world exactly who's spoofing you and then waves them right through. Red Sift's analysis of the last decade puts real DMARC enforcement in the single digits for years, and even the optimistic vendor numbers still land the vast majority of records at none.

Here's the joke buried in that word. DMARC — spelled out in RFC 7489 — is the thing that decides what a receiving mail server should do when a message claiming to be from your domain fails the underlying checks. Those checks are SPF (is this server allowed to send for you?) and DKIM (is this message cryptographically signed by you?). DMARC sits on top and issues a verdict. p=none is the verdict that isn't one. It says: notice the fraud, log the fraud, mail me a report about the fraud — and deliver it anyway.

A smoke detector with the battery pulled out still hangs on the ceiling. It looks like protection. It photographs like protection. It just doesn't go off when the kitchen's on fire.

The two settings that actually bite are p=quarantine, which shoves failing mail to spam, and p=reject, which tells the receiver to bounce it before it lands. That's the whole game. A scammer forging [email protected] runs into a wall only if that bank published reject. If the bank published none — and most did — the forgery sails into the inbox looking exactly like the real thing, complete with the real logo pulled straight off the real website.

Why does everyone stall at none? Because none is the safe first step, and safe first steps have a way of becoming the permanent address. You're supposed to start there, read the reports, find every legitimate service sending on your behalf — the payroll vendor, the marketing platform, the ticketing tool nobody documented — get them all signing correctly, and then tighten to reject. That last move is the scary one. Flip to reject with a stray unauthenticated sender still in the wild and you black-hole your own invoices. So teams publish the record, tell the auditor it's handled, and never come back to finish. The report emails pile up unread. The battery stays out.

The casualty is you, the person reading the message. When a brand you trust leaves DMARC at none, "it came from their real domain" stops meaning anything, because a criminal's forgery passes the same eyeball test. This is precisely the gap we watch on the receiving end at xmail: a message can fail authentication cold and still arrive dressed as your utility company, because the utility company never told the internet to reject the fakes.

So here's a test you can run in about fifteen seconds. Take any brand that scared you with a "suspicious activity" email — pull up a public DMARC lookup and paste in their domain. If the policy reads p=none, that company is asking receivers to notice impersonation and do nothing about it. Millions of domains are quietly making that request every day.

The fix isn't more technology. It's the nerve to change one word from none to reject. The alarm already sees the smoke. Somebody just has to put the battery back in.

DMARC records stuck at p=none (no enforcement)

Sources

  1. IETFRFC 7489, the DMARC specification defining p=none, quarantine, and reject
  2. Red SiftState of DMARC adoption and enforcement analysis
  3. ValimailAnnual email fraud / DMARC enforcement reports

All articles