With IdentitiesOnly, any explicitly configured via IdentityFile, or the default identity file if none are configured explicitly, is/are still sent. Using "-i /dev/null" in combination with IdentitiesOnly prevents that.

Interesting. If you're right, the manual leaves out the rather critical "or the default identity file" bit:

> Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.

I verified the behavior with ssh -vv (macOS Sierra).

Or just never install an identity in the default location (.ssh/id_*)