A Gmail message header reads “dmarc=fail (p=NONE … dis=NONE)” — yet the email arrived. You're not sure whether something is broken.
Gmail's Authentication-Results header reports both the published policy (p=) and the disposition Gmail actually applied (dis=). “dis=NONE” means Gmail took no action — but only because your policy is p=none (monitoring). The failure is real: the same message would be quarantined at p=quarantine or blocked at p=reject. So a delivered “dmarc=fail (p=NONE dis=NONE)” is a live warning that a legitimate sender isn't aligned and you have no spoofing protection yet. Source: Google Workspace — Troubleshoot DMARC · verified 2026-07-15
dis=NONE is not “passed” — it's “failed, but my policy is too soft to act”.p= toward quarantine, then reject — the disposition follows your policy.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.