The “DMARC policy not enabled” error returned during a reverse DNS lookup indicates that no policy is defined in your domain’s DMARC record. While this error persists, your domain is not protected against spoofing and impersonation threats.
This article walks you through the steps to configure DMARC and set the right policy for your domain so that you never come across the “DMARC policy not enabled” prompt again!
Key Takeaways
- The “DMARC Policy Not Enabled” error indicates your domain lacks a defined DMARC policy, leaving it vulnerable to spoofing and impersonation.
- Different DMARC policies can be set with varying levels of enforcement, including p=reject, p=quarantine, or p=none.
- Publishing your DMARC record with the chosen policy in the DNS is essential to fix the error and instruct email servers on handling unauthorized emails.
- Implementing DMARC enhances protection against phishing attacks and improves your brand’s credibility and email deliverability.
- Regularly monitoring DMARC reports is vital for tracking email authentication and enhancing your overall email security posture.
Fix “DMARC Policy Not Enabled” in 6 Steps
Step 1: Check Your Current DMARC Record
The first thing you should do is check if you already have a DMARC record published and what policy it’s set to. Use PowerDMARC’s free DMARC Lookup tool to instantly view your record and spot any errors.
If you don’t have a record at all, you’ll need to create one from scratch. If you do, check whether your policy (p=) is set to none, quarantine, or reject.
Step 2: Understand DMARC Policies
To fix the “DMARC Policy not enabled” error, we first need to understand what a DMARC policy does and which policy types we can configure for our DMARC authentication system.
- Reject unauthorized emails: You can configure your failure mode for maximum enforcement, rejecting all emails that fail authentication, by setting the p= tag in your DMARC record to “reject”.
- Hold unauthorized emails for later review: Keep your unauthorized emails on hold in the receiver’s quarantine box if you don’t want to discard them outright. This can be achieved by setting your p= tag to “quarantine”.
- Do nothing and let unauthorized emails get delivered as is: You may not want to take any action against emails failing DMARC. In that case, simply set your p= tag to “none”.
The purpose of these modes is to give domain owners the flexibility to choose how recipients should react to emails that may be malicious or that originate from sources that have not been explicitly authorized. It is an important step toward stopping domain impersonation.
Step 3: Start with Monitoring (p=none)
Jumping straight to enforcement can backfire if your SPF or DKIM setup isn’t perfect. That’s why the safest first step is starting with p=none.
This lets you:
- Receive DMARC reports to see who is sending emails on behalf of your domain.
- Identify legitimate third-party senders (like marketing tools or CRMs).
- Avoid breaking email delivery during the setup phase.
With PowerDMARC, these raw reports are converted into easy-to-read dashboards, so you can see exactly what’s happening without digging into XML files.
Step 4: Enforce Your Policy (p=quarantine or p=reject)
Once you’ve monitored and validated all your email sources, it’s time to enforce.
Here’s how a DMARC record looks:
Monitoring (none):
v=DMARC1; p=none; rua=mailto:[email protected]
Quarantine:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Reject:
v=DMARC1; p=reject; rua=mailto:[email protected]
Move from none → quarantine → reject once you’re confident all legitimate senders are aligned.
Step 5: Implement the Record on Your DNS
This is critical. Your DMARC record needs to be published correctly in your DNS for it to take effect.
- Log in to your DNS hosting provider’s dashboard (e.g., Cloudflare, GoDaddy, Namecheap).
- Create a new TXT record with:
  - Host/Name: _dmarc
  - Type: TXT
  - Value: your DMARC record (e.g., v=DMARC1; p=none; rua=mailto:[email protected]).
- Save and wait for DNS propagation (can take a few hours).
Here I’m taking the example of Namecheap DNS for the setup:
- Log in to your DNS management console (you need access for this step, so contact your hosting provider or domain administrator for access).
- Go to Domain List
- Click on “Manage” for the domain you wish to enable DMARC policy for
- Select the “Advanced DNS” tab
- Click on “Add New Record”
- Create your DMARC record using our DMARC generator tool. Select your policy and enter an email address for your DMARC reports. Hit Generate.
- Copy the record syntax
- Paste the record value into your DNS
Tip: Always double-check for typos. Even a small error can break your DMARC setup.
Step 6: Monitor and Maintain
DMARC isn’t a one-time setup and requires ongoing monitoring and adjustments.
- Review DMARC reports regularly to track domain usage.
- Maintain SPF by updating it when adding or removing third-party senders.
- Keep DKIM keys rotated for stronger security.
- Adjust policies if you add new mail systems or services.
PowerDMARC simplifies this by centralizing everything into one platform, automating reporting, and alerting you about misconfigurations before they impact delivery.
The “DMARC policy not enabled” error should now be resolved for your domain.
Why Should You Enable DMARC Policy in the First Place?
Your domain is how customers recognize and trust your emails. If attackers spoof your domain and send fake emails pretending to be you, it can lead to phishing, fraud, and serious damage to your reputation.
DMARC (Domain-based Message Authentication, Reporting and Conformance) helps prevent this by making sure that only authorized sources can send emails using your domain. In simple terms, it’s a protective shield that tells mail providers that the email really came from you.
Without DMARC, your customers may receive convincing fake emails in your name, putting both them and your business at risk. By enabling a DMARC policy, you safeguard your brand, protect your customers, and build trust in every email you send.
How to Fix “DMARC Quarantine/Reject Policy Not Enabled”
Seeing this warning means your DMARC policy is set to p=none. That setting is fine for monitoring, but it doesn’t actively protect your domain from spoofing.
To fix it, you need to update your DMARC record so that it enforces a policy. Here’s how:
- Log in to your DNS management console.
- Locate your existing DMARC record (it begins with v=DMARC1).
- Change the policy value (p=) from none to either:
  - p=quarantine → suspicious emails go to spam folders.
  - p=reject → suspicious emails are blocked entirely.
Example Before and After
Before (monitoring only):
v=DMARC1; p=none; rua=mailto:[email protected]
After (with enforcement):
v=DMARC1; p=quarantine; rua=mailto:[email protected]
or
v=DMARC1; p=reject; rua=mailto:[email protected]
Once saved, give DNS some time to update (up to 48 hours) and then recheck using a DMARC lookup tool to confirm the change.
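The check from Step 1 and the recheck described here can be scripted. The following is an added example (not PowerDMARC's lookup tool) that takes the TXT strings published at _dmarc.<your-domain> and reports which of the two warnings applies. The status strings and function names are this example's own, the sample records are constructed, and it does not perform the DNS query itself.

```python
# Added example. Input: the TXT strings published at _dmarc.<your-domain>.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # The version tag must come first and be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Map the TXT answers to one status string (strings are this example's own)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no DMARC record"
    if len(records) > 1:
        # RFC 7489: receivers apply no DMARC policy when several records exist.
        return "multiple DMARC records"
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "policy not enabled"  # p= missing or mistyped
    if policy == "none":
        return "quarantine/reject policy not enabled"  # monitoring only
    return "enforced: p=" + policy

# Constructed samples; reports@example.com is a placeholder address.
SAMPLES = {
    "missing p=": ["v=DMARC1; rua=mailto:reports@example.com"],
    "typo in p=": ["v=DMARC1; p=rejct; rua=mailto:reports@example.com"],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:reports@example.com"],
    "enforced": ["v=DMARC1; p=quarantine; rua=mailto:reports@example.com"],
    "spf only": ["v=spf1 include:_spf.example.com ~all"],
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(f"{label:12} -> {classify(answers)}")
```

The "typo in p=" and "multiple DMARC records" cases are the ones a manual edit in a DNS console most easily introduces, for example by adding a second record instead of editing the existing one.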
DMARC Best Practices
Setting up DMARC is only the first step. Following proven best practices will help you avoid mistakes, strengthen security, and ensure smooth email delivery.
- Always start with p=none: Begin in monitoring mode to collect data before enforcing stricter policies.
- Monitor for at least 2–4 weeks: This ensures you’ve identified all legitimate email sources before moving to quarantine or reject.
- Gradually move to enforcement: Shift from none → quarantine → reject once you’re confident everything is aligned.
- Use a DMARC analyzer: Raw XML reports are hard to read. Tools like DMARC analyzer make them clear and actionable.
- Keep SPF and DKIM updated: Update records when adding/removing senders and rotate DKIM keys regularly.
Frequently Asked Questions (FAQ)
1. How long does DNS propagation take?
Most changes appear within minutes, but full global propagation can take up to 24 – 48 hours. Always verify using a DMARC lookup tool after publishing.
2. What’s the difference between rua and ruf?
- rua: Aggregate reports that give you a daily summary of all DMARC activity.
- ruf: Forensic reports with details of individual failed messages (not always supported).
3. What if I don’t control all my email senders?
Identify all third-party platforms sending on your behalf (CRMs, marketing tools, etc.) and make sure they’re configured with SPF or DKIM. Keep your policy at p=none until everything is aligned.
4. How often should I check reports?
When starting out, review reports weekly to catch misalignments quickly. Once your setup is stable, monthly checks are enough, unless you add new services.
5. Do I need to update my DMARC record regularly?
The core DMARC record rarely changes, but you must update SPF/DKIM records when adding or removing email services, and rotate DKIM keys periodically for stronger security.