If a deliverability tool tells you "DMARC policy not enabled", your DMARC record exists but is set to p=none. That means receivers monitor but don't enforce — spoofers can still impersonate your domain.
p=none and you risk delivery throttling — and brand spoofing.Step 1 — Check your current DMARC record
- Run a DMARC lookup on your domain (MXToolbox or similar).
- Read the
p=tag.p=none= not enforced. - Verify SPF and DKIM are aligned and passing in your reports.
Step 2 — Move to a real enforcement policy
| Policy | What it does | When to use |
|---|---|---|
p=none | Monitor only | First weeks while you learn |
p=quarantine | Send unauthorized mail to spam | After alignment is clean |
p=reject | Reject unauthorized mail outright | Final, recommended state |
Step 3 — Update the DNS record
- Open your DNS zone for the domain.
- Edit the TXT record
_dmarc.yourdomain.com. - Replace
p=nonewithp=quarantine; pct=10first, then ramp up. - Add
rua=mailto:[email protected]to keep receiving aggregate reports. - Wait 24-48 h for DNS propagation, then re-test.
Pro tips before flipping to enforcement
- Inventory every service that sends from your domain (CRM, helpdesk, billing).
- Make sure each one passes SPF or DKIM alignment.
- Start with
pct=10, jump to 50, then 100 once reports stay clean.
Get DMARC right — for free with Mailpro
Mailpro signs every email with DKIM, gives you a verified SPF include, and helps you read DMARC reports without becoming an expert. Discover Mailpro DMARC · Deliverability hub
Related reading: