How to fix “dmarc=fail (p=NONE dis=NONE)” from Gmail

A Gmail message header reads “dmarc=fail (p=NONE … dis=NONE)” — yet the email arrived. You're not sure whether something is broken.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Gmail's Authentication-Results header reports both the published policy (p=) and the disposition Gmail actually applied (dis=). “dis=NONE” means Gmail took no action — but only because your policy is p=none (monitoring). The failure is real: the same message would be quarantined at p=quarantine or blocked at p=reject. So a delivered “dmarc=fail (p=NONE dis=NONE)” is a live warning that a legitimate sender isn't aligned and you have no spoofing protection yet. Source: Google Workspace — Troubleshoot DMARC · verified 2026-07-15

How to fix it

Step 1. Read it correctly: dis=NONE is not “passed” — it's “failed, but my policy is too soft to act”.
Step 2. Identify which sender failed — your aggregate reports name each source (DMARCKeeper classifies them in plain English).
Step 3. Fix that sender's SPF/DKIM alignment and confirm it reaches 100% pass in reports.
Step 4. Only then tighten p= toward quarantine, then reject — the disposition follows your policy.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →