Vulnerability : DMARC "p=none" / Email Spoofing

Hello,
we are receiving quite a few emails from “security researchers” claiming that it is bad to use “p=none” in DMARC settings. We are using Cloudflare’s DMARC Management and it recommended using that setting.
Is it something to worry about, or can it be safely ignored?
Thank you

Most often, I would ignore these “security researchers”, i.e. never pay them any money or similar, if they are reaching out to you unsolicited.

Always do your own research, exactly like you’re doing with this thread! :+1:

In this specific case, that is however correct.

A “p=none;” policy doesn’t actually do anything, and won’t prevent spoofed messages that appear to be from your domain.

I would see it more as a “default” setting, than a “recommendation”.

That depends on your personal feelings though.

I would always say aim for the strictest possible policy (e.g. SPF “-all”, and DMARC “p=reject; sp=reject; np=reject;”).

However, as I have said previously, you would like to keep an eye on the “Note”:

Building on what @DarkDeviL has shown, if you don’t yet know whether all of your email sources are SPF and DKIM compliant, starting with a policy of none is safe. It will let you review the aggregate data from the DMARC reports. Once you have been monitoring for long enough to have confidence that your sources are compliant, you can increase the severity of the policy. I like this explanation from dmarcian.
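As an added example (not code from this thread or from Cloudflare), a short Python script that reads a DMARC TXT record the way the two replies above describe it, reporting the effective policy for the organisational domain (p), subdomains (sp) and non-existent subdomains (np), and that summarises a DMARC aggregate (rua) report to show which sending sources would be affected by moving from p=none to p=reject. The records and the report are constructed samples, not real data.

```python
"""Evaluate DMARC policy strictness and summarise an aggregate (rua) report."""
import xml.etree.ElementTree as ET


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def enforcement(record: str) -> dict:
    """Effective policy per scope. Per the DMARC specs, sp falls back to p
    and np falls back to sp. Only p=none is non-enforcing; quarantine and
    reject both cause receivers to act on failing mail."""
    tags = parse_dmarc(record)
    p = tags.get("p", "none")
    sp = tags.get("sp", p)
    np = tags.get("np", sp)
    return {"p": p, "sp": sp, "np": np, "enforcing": p != "none"}


def summarise_report(xml_text: str) -> dict:
    """Count messages per source IP that pass neither aligned SPF nor aligned
    DKIM in a rua report; these are the messages a reject policy would stop."""
    root = ET.fromstring(xml_text)
    failing = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failing[ip] = failing.get(ip, 0) + count
    return failing


# Constructed sample records and a minimal constructed aggregate report.
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
RECORD_STRICT = "v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:dmarc@example.com"
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

if __name__ == "__main__":
    print(enforcement(RECORD_NONE))        # non-enforcing: every scope is "none"
    print(enforcement(RECORD_STRICT))      # enforcing across p, sp and np
    print(summarise_report(SAMPLE_REPORT)) # {'198.51.100.7': 12}
```

Run it against your own record and a few weeks of rua reports before tightening the policy: a non-empty result from summarise_report is the list of sources to fix (or confirm as spoofing) first.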