Your DMARC record exists, but it’s stuck on p=none (monitoring only). This means you’re collecting data about email authentication failures without taking action — leaving your domain vulnerable to spoofing.
Here’s how to enable enforcement and protect your sender reputation.
Check your current DMARC policy
Start by confirming what’s actually in your DMARC record (you might already be in quarantine or reject without knowing it).
Run a DMARC lookup using MXToolbox or DMARCian. Look for the p= tag:
| Policy tag | What it means | Action taken |
| p=none | Monitoring only | No action on failed emails |
| p=quarantine | Treat as spam | Failed emails go to spam/junk |
| p=reject | Block outright | Failed emails never delivered |
If you see p=none, you need to change it. If you see p=quarantine or p=reject, your policy is already enabled (skip to troubleshooting at the end).
Prepare for policy enforcement
Don’t jump straight to p=reject. You need to make sure all your legitimate email sources pass authentication first (or you’ll block your own emails).
Review your DMARC aggregate reports for at least 2-4 weeks. Check for:
- Any legitimate senders failing SPF or DKIM checks
- Third-party services sending on your behalf (marketing tools, CRMs, support desks)
- Forwarded emails that break authentication
Fix authentication failures before changing your policy. Add missing IP addresses to SPF, configure DKIM signing for all platforms, or switch forwarding setups to preserve authentication.
If you’re unsure how your current emails are performing, run a free email deliverability test to see exactly where your messages land.
Update your DMARC policy to quarantine
Once you’ve confirmed all legitimate senders are passing authentication, update your DMARC TXT record.
Log in to your DNS provider (wherever you manage domain records—GoDaddy, Cloudflare, Namecheap, etc.) and locate your DMARC record. It looks something like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comChange p=none to p=quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.comSave the record. DNS changes typically take minutes to propagate, but can take 24-48 hours depending on TTL and caching.
With p=quarantine enabled, emails failing authentication will land in spam folders instead of inboxes. This gives recipients a chance to review suspicious mail before it’s permanently blocked.
Move to reject policy (maximum protection)
After running p=quarantine for 2-4 weeks without issues (no legitimate emails getting spam-foldered), you can move to p=reject.
Update your DMARC record again:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.comThe p=reject policy tells receiving servers to deny unauthenticated emails entirely. Failed messages never reach the recipient—not even the spam folder.
This is the strongest protection against spoofing and unauthorized use of your domain. But it’s also unforgiving (legitimate emails misconfigured in this way will bounce), which is why you must test quarantine first.
Monitor after policy changes
Keep checking your DMARC reports after every policy update. Watch for:
- Sudden increases in failed authentication from legitimate sources
- Bounce messages or delivery complaints from customers
- Drops in email engagement metrics (opens, clicks)
If legitimate emails start failing, roll back to p=quarantine and fix the authentication issues before trying p=reject again.
Use the email spam checker extension to test your email deliverability with seed lists directly in Gmail or Outlook (it estimates placement trends before you send to your full list, helping you catch issues early).
Troubleshooting: Policy enabled, but still seeing the error
If your DMARC record shows p=quarantine or p=reject but you’re still getting “policy not enabled” errors, check these:
- DNS propagation delay — Wait 24 hours after making changes
- Subdomain policy missing — Add sp=quarantine or sp=reject to cover subdomains
- Percentage tag limiting enforcement — Remove pct= tags (or set to pct=100)
- Multiple DMARC records — Delete duplicate records—you can only have one
If you’re still stuck, check if your domain is blacklisted or if there are other reasons your emails are going to spam.
Still experiencing deliverability issues?
If DMARC enforcement didn’t solve your delivery problems (or if it’s causing legitimate emails to fail), you don’t have to figure it out alone. You can schedule a free consultation with an email deliverability expert who can audit your full setup (SPF, DKIM, DMARC, IP reputation) and get you back to the inbox.
Frequently asked questions
Here are some frequently asked questions about DMARC quarantine:
Minutes to 24-48 hours, depending on TTL and caching. Use a DMARC checker to confirm the new record is live.
Yes, if those services don’t preserve authentication. Move to p=reject slowly and monitor reports to catch these issues.
Yes, use the sp= tag in your main DMARC record to set subdomain policy separately (e.g., sp=quarantine while the main domain uses p=reject).
Start with pct=10 (enforces policy on 10% of failed emails), then increase to 25, 50, 75, and finally 100 as confidence grows.
Check DMARC aggregate reports for your own domain in the “fail” section, or ask recipients to check spam folders and forward bounce messages.
