You published DMARC with p=none months ago and nothing changed: spoofing still possible, reports pile up unread.
p=none is monitoring only. It tells receivers to deliver everything normally and just send you reports. More than half of all domains with DMARC never move past it (2026 adoption data) — which means no protection at all.
p=quarantine; pct=25 — a quarter of failing mail goes to spam, your fixed senders are untouched.p=reject. That's the only setting that blocks spoofing.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.