
"DMARC Policy Not Enabled"

When you see a warning like "DMARC Quarantine/Reject policy not enabled," "DMARC policy not enabled," or "No DMARC protection," it means your domain has a DMARC record but its policy is set to none, which monitors only and does not act on failing mail.

If you are just starting out and want to observe your mail flow before enforcing, starting at p=none is the right move. But because a none policy offers no protection against spoofing, checkers will flag it to remind you that your domain is not yet actively protected against abuse and impersonation.

To resolve this, move from monitoring to enforcement by changing the policy (p) from none to quarantine or reject. Do this only after your aggregate reports confirm that your legitimate mail is authenticating and aligning correctly; otherwise you risk quarantining or blocking your own valid email.

A safe path to enforcement looks like this:

First, monitor at p=none and review your RUA aggregate reports until you can see that all your legitimate sending sources pass SPF or DKIM with alignment.

Next, raise your policy. You can use the t tag (t=y), introduced in RFC 9989, to signal that you are testing, which asks receivers to apply the next-lower enforcement level while you confirm nothing legitimate is being caught. This replaces the staged rollout that the now-historic pct tag used to provide.

Then move to full enforcement. If your DMARC record was:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

an enforced record would be either:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];

or:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

Which one to choose depends on your mail. For domains that send only transactional or automated mail with no human users, p=reject is appropriate. For domains whose users post to mailing lists or whose mail is commonly forwarded, RFC 9989 recommends p=quarantine as the practical end state, since it protects strongly while reducing the risk of breaking legitimate forwarded mail. Either quarantine or reject clears the "policy not enabled" warning.
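
To check which stage of this path a record is at, the following added example (not part of the original course material) parses a DMARC TXT record string and reports the declared policy, the policy receivers are asked to apply when t=y is set, and whether a checker would raise "policy not enabled". The function names and the example.com report addresses are assumptions made for illustration.

```python
# Added example: classify a DMARC TXT record as monitoring-only or enforcing.
# Works on the record text only (no DNS lookup), so it runs offline.

# Next-lower enforcement level, used when the record carries t=y (testing).
LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skips the empty piece left by a trailing ';'
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess(record: str) -> dict:
    """Report declared policy, effective policy under t=y, and the warning state."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"ok": False, "reason": "v=DMARC1 tag missing"}
    policy = tags.get("p", "").lower()
    # Assumption: a blank or unknown p is treated as an error here, following
    # the note on this page that the p field should not be left blank.
    if policy not in LOWER:
        return {"ok": False, "reason": "p must be none, quarantine or reject"}
    testing = tags.get("t", "n").lower() == "y"
    return {
        "ok": True,
        "declared": policy,
        "testing": testing,
        "effective": LOWER[policy] if testing else policy,
        "has_rua": "rua" in tags,  # aggregate reports are needed to monitor safely
        "policy_not_enabled": policy == "none",  # the condition checkers flag
    }


if __name__ == "__main__":
    # Constructed sample records; the report address is a placeholder.
    for rec in (
        "v=DMARC1; p=none; rua=mailto:reports@example.com;",
        "v=DMARC1; p=reject; t=y; rua=mailto:reports@example.com;",
        "v=DMARC1; p=quarantine; rua=mailto:reports@example.com;",
    ):
        print(rec, "->", assess(rec))
```
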

Fixing "DMARC Policy Not Enabled" on Cloudflare

If you use Cloudflare as your DNS provider, you may see this error. To resolve it:

  • Log in to your Cloudflare account and open the DNS management console.
  • Select your domain name.
  • From the left-hand menu, select "DNS."
  • In the DNS management section, click "Add record."

NOTE: When creating your DMARC record, make sure you set an appropriate policy. The p field should not be left blank.

  • Set Type to "TXT," TTL to "Auto," Name to "_dmarc," and paste your generated record into the Content/Value field.
  • Save the record.