---
title: "Resolving the ‘DMARC policy not enabled’ error | DuoCircle"
description: "The common ‘DMARC policy not enabled’ error pops up during a reverse DNS lookup, indicating that no valid policy is defined in your domain’s DMARC record."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/resolving-the-dmarc-policy-not-enabled-error/"
---

Quick Answer

The 'DMARC policy not enabled' error means the DMARC TXT record at \_dmarc.yourdomain has no valid p= tag, so receivers have no instruction for handling failures. Fix it by publishing a record with one of three policies: p=none (monitor only, no enforcement, useful while reviewing aggregate reports during rollout); p=quarantine (failures land in spam); p=reject (failures are blocked outright). Start at p=none with rua= reporting, review reports for legitimate sources, fix SPF and DKIM gaps, then move to p=quarantine and finally p=reject for full spoofing protection.

Resolving the ‘DMARC policy not enabled’ error


![Resolving DMARC policy](https://media.mailhop.org/duocircle/images/2025/06/sender-policy-framework-7732.jpg) 

The common ‘DMARC policy not enabled’ error pops up during a reverse DNS lookup, indicating that no valid policy is defined in your domain’s DMARC record. Without a DMARC policy, a [DMARC record](/resources/dmarc-records) is of no use: it provides no protection from phishing and [spoofing emails](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/) sent from your domain.

This easy guide will help you set up the right [DMARC policy](/resources/dmarc-policy) for your domain. The three options to choose from are **p=none, p=quarantine, and p=reject**. Let’s start with the two-step solution to the ‘DMARC policy not enabled’ error.

## Define a suitable policy for your DMARC record

To get rid of the ‘DMARC policy not enabled’ error, you first need to understand what each of the policies does and which one is **suitable for your domain**.

### What does the ‘None’ policy do?

The ‘None’ policy doesn’t offer any protection against phishing and spoofing emails sent from your domain. This is because it is the ‘**monitoring’ policy**. It tells the receiving mail servers to take no action if emails from your domain fail the authentication checks ([SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) or DKIM, or both).

[![email deliverability](https://media.mailhop.org/duocircle/images/2025/06/spf-record-generator-7732.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-generator-7732.jpg)

_This means that even if an email fails DMARC, it will still be delivered to the recipient’s inbox, but the domain owner will receive aggregate reports detailing these failures_. The ‘None’ policy is typically used during the initial phase of DMARC deployment to help organizations analyze [email traffic](https://emailanalytics.com/email-traffic/), identify **legitimate sources**, and detect potential spoofing attempts, without affecting [email deliverability](/a-guide-on-email-deliverability) or causing disruptions to real senders.

### What does the ‘Quarantine’ policy do?

_The ‘Quarantine’ policy is stricter than the ‘None’ policy. It tells the receiving mail servers to proceed with unauthenticated emails with caution_. It essentially instructs them to direct such emails to the [spam folders](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/), serving as a warning system. It protects recipients from potential spoofed messages while still allowing the **domain owner to monitor** what’s going wrong.

### What does the ‘Reject’ policy do?

The ‘Reject’ policy is the strictest one as it instructs the receiving [mail servers](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) to outright deny entry to emails that fail DMARC checks. With this DMARC policy in place, there is no possibility of a targeted victim interacting with a potentially [fraudulent message](https://www.usatoday.com/story/tech/news/2025/05/30/dmv-text-message-scam/83944066007/) and getting duped. However, if there is a case of a false positive, the ‘Reject’ policy will cause even genuine emails to get rejected, impacting communication. This is why many domain owners lack the confidence to **implement this policy**.

[![Potential Spoofed Messages](https://media.mailhop.org/duocircle/images/2025/06/hosted-email-server-9021.jpg)](https://media.mailhop.org/duocircle/images/2025/06/hosted-email-server-9021.jpg)

## Publish or republish the DMARC record with a suitable policy

Once you have chosen the right DMARC policy, it’s time to publish or republish your DMARC record. If you have never had a DMARC record, then you need to generate one using an online generator tool and publish it in your **domain’s DNS**. However, if you already have one and it’s just missing the policy, then simply include the ‘p=’ tag with the suitable policy, such as p=none, p=quarantine, or p=reject. After that, just go ahead and republish the record.

Without the ‘policy’ tag, the [DMARC](/resources/what-is-dmarc) setup is not only incomplete but entirely useless. This is because no instructions are sent to the **receiving servers** on how to handle suspicious emails. 

By adding this, you give clear instructions, and it should fix the ‘DMARC policy not enabled’ error for your domain.
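The check that produces this error can be reproduced offline. The following is an added example, not code from the original article or from DuoCircle: it takes the TXT value published at `_dmarc.<domain>` and classifies it as missing a policy, monitor-only, or enforced. The function names, status strings and sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        tag, _, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_policy(txt):
    """Return (status, detail) for one TXT value found at _dmarc.<domain>."""
    pairs = parse_dmarc(txt)
    # The version tag must come first and is the case-sensitive literal DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "not-dmarc", "record must start with v=DMARC1"
    tags = dict(pairs[1:])
    if "p" not in tags:
        return "policy-not-enabled", "no p= tag"
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "policy-not-enabled", f"p={policy!r} is not none/quarantine/reject"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        return "invalid", f"pct={pct!r} must be an integer from 0 to 100"
    if policy == "none":
        return "monitor-only", "p=none: failures are reported but still delivered"
    return "enforced", f"p={policy} applied to {int(pct)}% of failing mail"

# Constructed sample records, one per outcome.
SAMPLES = [
    "v=DMARC1; rua=mailto:reports@example.com",          # p= tag missing
    "v=DMARC1; p=monitor; rua=mailto:reports@example.com",  # p= value not valid
    "v=DMARC1; p=none; rua=mailto:reports@example.com",  # monitoring only
    "v=DMARC1; p=reject; pct=25;",                       # partial enforcement
    "v=spf1 include:_spf.example.com ~all",              # wrong record type
]

if __name__ == "__main__":
    for record in SAMPLES:
        status, detail = check_policy(record)
        print(f"{status:20} {detail:55} <- {record}")
```

Checkers that print ‘DMARC Quarantine/Reject policy not enabled’ correspond to the `monitor-only` result here, while a missing or unrecognised `p=` value gives `policy-not-enabled`.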

[![suspicious emails](https://media.mailhop.org/duocircle/images/2025/06/spf-record-7732.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-7732.jpg)

## Fixing the ‘DMARC quarantine/reject policy not enabled’ error

If you see a warning like ‘DMARC policy not enabled,’ ‘No DMARC protection,’ or ‘DMARC Quarantine/Reject policy not enabled,’ it just means that your domain’s DMARC is set to ‘None.’ This setting only lets you monitor email activity, but doesn’t actually stop suspicious or [fake emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) from being delivered.

_If your domain or DMARC record is new, then it’s suggested to use the ‘None’ policy. This is because it only lets you monitor the email traffic and takes no action_. When your domain or DMARC record is new, there is a high chance of false positives and negatives, and things take time to settle in. So, with this lenient policy, you can see who is **sending emails on your behalf**. This will help you spot unauthorized senders while also letting you know if you missed listing any of your genuine senders as ‘authorized’ (in the SPF record).

After 3-4 weeks, you can gradually move to the less forgiving DMARC policies, which are ‘Quarantine’ and ‘Reject.’

Here is how your DMARC record should look if you have implemented the ‘Quarantine’ policy:

```text
v=DMARC1; p=quarantine; rua=mailto:example@domain.com; ruf=mailto:example@domain.com;
```

Here is how your DMARC record should look if you go ahead with the ‘Reject’ policy:

```text
v=DMARC1; p=reject; rua=mailto:example@domain.com; ruf=mailto:example@domain.com;
```

## The right way to transition from p=quarantine to p=reject

_Shifting from p=quarantine to p=reject takes some strategy, unless you don’t mind tossing your email deliveries upside down_. As much as this transition sounds daunting for your email deliveries, it’s important for ensuring protection against phishing and spoofing. That’s why this process needs to be conducted carefully to avoid blocking legitimate emails.

[![email deliveries](https://media.mailhop.org/duocircle/images/2025/06/spf-record-check-7732.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-check-7732.jpg)

Here’s how you can go about it:

### Regularly review your DMARC reports

Read your aggregate [DMARC reports](/content/dmarc-report) for a **few weeks or months**. See if the emails that are failing the DMARC checks are actually sent by unauthorized senders, or if this is happening because of false positives. You may also spot emails failing from genuine senders because their IP addresses or mail servers aren’t listed in the SPF record.

### Fix any authentication gaps

Ensure all your legitimate email sources are correctly configured with SPF and [DKIM](/resources/what-is-dkim). If any valid source fails authentication, first fix the setup. You may need to update your SPF records, add DKIM signing, or correctly include third-party senders.

### Gradually tighten control using the ‘percentage’ tag (pct tag)

Proceed gradually using the ‘percentage’ tag, which lets you apply the ‘reject’ policy to a prespecified percentage of the emails that fail DMARC. For example, start with p=reject; pct=25 to apply the reject policy to 25% of failing emails. Slowly increase the percentage over time: 50%, then 75%, and finally 100%.

[![SPF records](https://media.mailhop.org/duocircle/images/2025/06/spf-record-tester-7904.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-tester-7904.jpg)

_However, please note that you must continue to monitor the DMARC reports to increase the percentage_. Suppose you increased the percentage from 50% to 80%, and some of the genuine emails are failing DMARC, then **adjust it back to 50%**. The ‘reject’ policy is not forgiving; false positives simply mean hampered communication.

### Keep monitoring after moving to p=reject

Even after moving to p=reject, continue reviewing your DMARC reports. This helps ensure that no [legitimate emails](https://www.trendmicro.com/vinfo/us/security/definition/legitimate-bulk-emails) are accidentally blocked and confirms that your domain is well-protected.
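The review-then-tighten loop described in the steps above can be scripted. This is an added example, not part of the original article or DuoCircle's tooling: it reads an aggregate report, totals DMARC failures per source IP, and steps `pct` up the 25/50/75/100 ladder only when no known-legitimate sender is failing. The `legit_ips` set, `PCT_LADDER` and the sample report are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

PCT_LADDER = [25, 50, 75, 100]  # rollout steps named in the article

# Constructed sample aggregate report, trimmed to the fields used below.
# Real reports arrive from third parties (usually gzip/zip attachments):
# parse those with a hardened XML parser such as defusedxml, not plain ET.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p><pct>50</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>8</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.44</source_ip><count>15</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def failing_sources(report_xml):
    """Messages per source IP that failed DMARC (neither DKIM nor SPF passed)."""
    fails = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            fails[row.findtext("source_ip")] += int(row.findtext("count"))
    return fails

def next_pct(report_xml, legit_ips):
    """Return (recommended pct, {legit ip: failed count}) for the next period."""
    root = ET.fromstring(report_xml)
    current = int(root.findtext("policy_published/pct") or 100)
    broken = {ip: n for ip, n in failing_sources(report_xml).items()
              if ip in legit_ips}
    if broken:
        # A genuine sender is failing: step back and fix its SPF/DKIM first.
        lower = [p for p in PCT_LADDER if p < current]
        return (max(lower) if lower else current), broken
    higher = [p for p in PCT_LADDER if p > current]
    return (min(higher) if higher else 100), broken

if __name__ == "__main__":
    # Assumption: 203.0.113.44 is a genuine third-party sender not yet in SPF.
    pct, broken = next_pct(SAMPLE_REPORT, {"192.0.2.10", "203.0.113.44"})
    print("next pct:", pct, "legitimate senders failing:", broken)
```

Failures from IPs outside `legit_ips` (198.51.100.7 in the sample) are the unauthorized traffic the policy is meant to stop, so they do not hold back the rollout.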

## DMARC demands proactiveness!

DMARC is not a one-time job. You must continually evaluate the reports and adjust the SPF, DKIM, and DMARC records accordingly. Our experts at [DuoCircle](/) can do all this and more for you, helping you with email protection and improved deliverability. [Contact us](/contact) today to know more.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

