Posts

If you keep coming across the prompt “ DMARC policy not enabled” for your domain, that means that your domain is not protected against spoofing and impersonation with DMARC email authentication. You may often encounter this prompt while conducting reverse DNS lookups for your domain. However, it often has an easy fix to it. Through this article, we are going to take you through the various steps you need to implement to configure DMARC and set up the right policy for your domain so that you never have to come across the “DMARC policy is not enabled” prompt again!

Configuring DMARC to Protect Against Spoofing 

DMARC, which is the abbreviation for Domain-based Message Authentication, Reporting and Conformance, is a standard for authenticating outbound email messages, to ensure that your domain is adequately protected against BEC and direct-domain spoofing attempts. DMARC works by aligning the Return-path domain (bounce address), DKIM signature domain, and From: domain, to look for a match. This helps to verify the authenticity of the sending source and stops unauthorized sources from sending emails that appear to be coming from you.

Your company domain is your digital storefront that is responsible for your digital identity. Organizations of all sizes make use of email marketing to gain reach and engage their clients. However, if your domain gets spoofed and attackers send out phishing emails to your customers, that drastically impacts not only your email marketing campaigns, it also takes a toll on the reputation and credibility of your organization. This is why adopting DMARC becomes imperative to safeguarding your identity.

In order to start implementing DMARC for your domain:

  • Open your DNS management console
  • Navigate to the records section
  • Publish your DMARC record which you can generate easily using our free DMARC record generator tool and specify a DMARC policy to enable it for your domain (this policy will specify how the receiving MTA responds to messages failing authentication checks)
  • It can take 24-48 hours for your DNS to process these changes, and you’re done!
  • You can verify the correctness of your record using our free DMARC record lookup tool after configuring it for your domain

How to Fix “DMARC Quarantine/Reject Policy Not Enabled”

When you get a warning of “DMARC Quarantine/Reject policy not enabled” or sometimes just “DMARC policy not enabled” or “ No DMARC protection” that simply indicates to your domain is configured with a DMARC policy of none that allows monitoring only.

If you are just starting out on your email authentication journey, and you want to monitor your domains and email flow to ensure smooth email delivery, then we recommend you start off with a DMARC policy of none. However, a none policy offers zero protection against spoofing, and hence you will come across the frequent prompt: “DMARC policy not enabled”, where you are reminded that your domain isn’t adequately protected against abuse and impersonation.

In order to fix this, all your need to do is modify the policy mechanism (p) in your DMARC record from p=none to p=reject/quarantine, and thereby shift to DMARC enforcement. If your DMARC record was previously:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

Your optimized DMARC record will be:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

Or, v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];

I Fixed “DMARC Policy Not Enabled”, What Next?

After resolving the “DMARC policy not enabled” prompt, monitoring domains should be a continuous process to ensure DMARC deployment doesn’t affect your email deliverability, rather improves it. DMARC reports can help you gain visibility on all your email channels so that you never miss out on what’s going on. After opting for a DMARC enforcement policy, PowerDMARC helps you view your email authentication results in DMARC aggregate reports with easy-to-read formats that anyone can understand. With this, you might be able to see a 10% increase in your email deliverability rate over time.

Moreover, you need to ensure that your SPF doesn’t break due to too many DNS lookups. This can lead to SPF failure and impact email delivery. Dynamic SPF is an easy fix to stay under the SPF hard limit as well as updated on any changes made by your ESPs at all times.

Make your DMARC deployment process as seamless as it can get, by signing up with our free DMARC analyzer today!

Learn how to Publish a DMARC record

Before we proceed towards publishing a DMARC record, it is important to understand what is a DMARC record? A DMARC record is nothing but a DNS TXT record that can be published in your domain’s DNS (Domain Naming System) so as to configure Domain-Based Message Authentication, Reporting, and Conformance or DMARC for your domain. By configuring DMARC for your domain you as the domain owner now have the ability to specify to receiving servers how they should respond to emails that are sent from unauthorized or illegitimate sources.

Instructions for Generating Your DMARC Record

The process for generating your DMARC DNS Record is extremely simple if you use our free DMARC record generator tool for this purpose. All you need to do is fill up the following criteria:

  • Choose your DMARC policy mode(if you are just starting out with email authentication, we recommend a policy of p=none for you to begin with so you can monitor your email flow)
  • Choose the DMARC policy mode for your subdomains ( we recommend you to only activate this criteria if you wish to opt for a different policy for your subdomains, else, by default it takes up the same policy as your main domain)
  • Type in your desired email addresses wherein you want your DMARC RUA (aggregate) and RUF (Forensic) reports to be delivered to
  • Choose your DKIM alignment mode (for strict alignment the DKIM signature in the email header has to match exactly with the domain found in the from header. For relaxed alignment the two domains must share the same organizational domain only)
  • Choose your SPF alignment mode (for strict alignment the domain in the Return-path header has to match exactly with the domain found in the from header. For relaxed alignment the two domains must share the same organizational domain only)
  • Choose your forensic options (this represents under which circumstances you want to receive your forensic reports)

A typical error-free DMARC record looks something like this:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

The generated record is now to be published in your domain’s DNS on the subdomain: _dmarc.YOURDOMAIN.com

How to Publish Your DMARC Record? 

In order to publish your generated DMARC record, you will need to log in to your DNS console and navigate to the specific domain for which you want to configure DMARC.

After navigating to the domain in your DNS management console, you will need to specify the hostname and the resource type. Since DMARC exists in your domain as a DNS TXT record, the resource type for it is TXT, and the hostname to be specified in this case is : _dmarc 

Finally, you need to add the value of your DMARC record (the record you generated previously): v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Save changes to the whole process and you have successfully configured DMARC for your domain!

What Should be My Next Steps?

After you are done publishing your DMARC record your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda anyway when you are implementing security protocols and email authentication services. Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that you need to shift to DMARC enforcement.

What is DMARC Enforcement?

You can achieve DMARC enforcement if you implement a DMARC policy mode of p=reject or p=quarantine. For maximum protection from domain spoofing attacks and BEC, we recommend a policy mode of reject.  However, the process for achieving DMARC enforcement isn’t as simple as changing your policy mode from monitoring to enforcement. To gain immunity from impersonation attacks all while making sure that your email deliverability doesn’t get impacted, what you need to do is:

  • Sign up with PowerDMARC and enable DMARC reporting for your domain
  • Get daily DMARC RUA reports on email authentication results available in an array of viewing options for ease of understanding
  • Get forensic report updates on the dashboard whenever emails fail authentication
  • Stay under the SPF hard limit to ensure your SPF record never gets invalidated

With DMARC aggregate and forensic reports, moving from monitoring to enforcement becomes a cakewalk for domain owners, as you can visually monitor your email flow and track and respond to deliverability issues instantaneously from the PowerDMARC platform. Sign up today for your free DMARC analyzer trial!