If you get the warning ‘DMARC quarantine/reject policy not enabled’ when scanning your domain to verify its email authentication records, then your domain’s DMARC policy is set to p=none. This means that although DMARC is configured, unauthenticated emails sent from your domain won’t be flagged or blocked by mail servers, leaving your domain open to spoofing. A policy of p=none is a good place to start, but it’s vital to move to p=reject quickly to protect your domain.
Three Steps to Fix ‘DMARC Quarantine/Reject Policy Not Enabled’
1. Evaluate Your Existing DMARC Policy
Analyze the data in your DMARC reports to identify trends, such as which sending sources are passing or failing authentication checks on mail servers. Look at your Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) alignment, and ensure that all legitimate email senders are passing validation. Identifying potential unauthorized sources attempting to send emails from your domain is essential.
Evaluating this data helps ensure you’re ready to move from a monitoring-only policy (p=none) to an enforcement policy (quarantine or reject) without impacting your legitimate email traffic.
Aggregate reports provide a holistic view of all sending sources. This data lets you identify any ‘Non-Compliant’ sources that need analysis and correction to ensure proper authentication. EasyDMARC makes this process straightforward by gathering DMARC reports and parsing them into an easy-to-read format, dividing them into four dedicated tabs to streamline your monitoring and enforcement project. These segments highlight critical data, helping customers focus on ‘Non-Compliant’ sources to fix unauthenticated legitimate email flows while also reviewing ‘Compliant’ sources to address any issues, particularly with DKIM, as needed.
EasyDMARC has also identified over 1,400 unique email sending sources, each with tailored guidance for remediation. Customers can simply click on any source in our reports to access step-by-step instructions for configuring that specific ESP, helping resolve issues quickly and effectively.
2. Develop an Effective DMARC Policy
Once you’ve gathered enough data and ensured that your SPF and DKIM records are properly configured, the next step is to transition from p=none to p=quarantine. Over time, when you are sure that authorized sources are passing authentication consistently, you can transition to p=reject.
Ensure any impacted internal teams (such as IT, customer support, or marketing) are aware of these adjustments and are prepared to address any temporary issues that could arise from the stricter policy. Also, consult your DNS hosting provider to ensure all DNS records are updated correctly.
3. Implement Your Updated DMARC Policy
To implement your updated policy, log into your DNS hosting provider’s dashboard and modify your DMARC TXT record to reflect the desired policy. EasyDMARC makes this process much easier for our customers, as our managed DMARC tool allows domain administrators to change any DMARC policy in just one click without needing to make changes in their DNS zone each time. Unlike the traditional method of using TXT records for DMARC implementation, managed DMARC services leverage CNAME records. This approach simplifies the DNS configuration process.
For a quarantine policy, set p=quarantine; for a stricter policy, set p=reject. Your transition from p=quarantine to p=reject should be gradual. In addition to updating the policy, ensure that your reporting addresses (rua for aggregate reports and ruf for forensic reports) are correctly configured to receive daily or real-time reports.
After implementation, it’s crucial to continuously monitor DMARC reports to catch any misconfigurations or issues early, allowing you to make adjustments and ensure smooth email delivery while maximizing protection. Receiving mail servers will now reject or quarantine emails based on your updated policy, preventing unauthorized emails from reaching your users.
Furthermore, keep monitoring for unauthorized email sources to ensure the integrity of your domain remains intact after the enforcement change. This ongoing oversight is critical to maintaining the security improvements gained by enabling quarantine or reject policies.
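Before or after publishing the record, its value can be checked offline. The following is an added example, not EasyDMARC's scanner: it audits a DMARC TXT value for the conditions discussed in this section (the policy tag and the rua/ruf reporting addresses). The function names and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(txt):
    """Return the record's tag=value pairs in order, as (name, value) tuples."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(txt):
    """Return a list of findings for one DMARC TXT value; empty means no issue found."""
    pairs = parse_tags(txt)
    # Receivers ignore the whole record unless v=DMARC1 is the first tag.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags = {name.lower(): value for name, value in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC quarantine/reject policy not enabled")
    # Reporting addresses are comma-separated URIs; a bare address without
    # the mailto: scheme is a common mistake that silently stops reports.
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        bad = [u for u in uris if not u.lower().startswith("mailto:")]
        if bad:
            findings.append(f"{tag}: expected mailto: URI, got {bad[0]}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings

if __name__ == "__main__":
    # Constructed sample records for a placeholder domain.
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; rua=dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com;",
    ):
        print(record, "->", audit(record) or "ok")
```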
Fixing Warning ‘DMARC Policy Not Enabled for Cloudflare’
If Cloudflare is your DNS provider, to resolve the warning message ‘DMARC Policy Not Enabled Cloudflare,’ do the following:
1. Go to Cloudflare and log in to your account.
2. In your Cloudflare dashboard, navigate to the DNS section for your domain.
3. Generate a DMARC record with our EasyDMARC DMARC Record Generator and copy the value.
4. Click Add Record.
- Set Type to TXT
- Name should be _dmarc
- Paste the code from our DMARC Record Generator
- Ensure you include a DMARC policy value (p=quarantine or p=reject)
5. After adding or updating your DMARC record, it may take a few minutes to a few hours to propagate.
6. Verify the record using EasyDMARC’s Domain Scanner.
Fixing Warning ‘DMARC Policy Not Enabled for GoDaddy’
If GoDaddy is your DNS provider, here’s how to fix the warning message ‘DMARC Policy Not Enabled GoDaddy’:
1. Log into GoDaddy and go to the Domain Manager.
2. Select your domain and click ‘DNS’ to access the DNS management page.
3. Generate a DMARC record with our EasyDMARC DMARC Record Generator and copy the value.
4. Click Add Record.
- Set Type to TXT
- Name should be _dmarc
- Paste the code from our DMARC Record Generator
- Ensure you include a DMARC policy value (p=quarantine or p=reject)
5. After adding or updating your DMARC record, it may take a few minutes to a few hours to propagate.
6. Verify the record using EasyDMARC’s Domain Scanner.
Benefits of a Robust DMARC Policy
Implementing a strict DMARC policy (either quarantine or reject) provides several significant benefits:
- Protection Against Spoofing: A reject policy prevents malicious actors from using your domain to send fraudulent or malicious emails, protecting your brand’s reputation and your recipients from phishing attacks.
- Improved Deliverability: Over time, having a robust DMARC policy improves your domain’s reputation with email servers, leading to better email deliverability for legitimate messages.
- Clear Visibility: With DMARC aggregate and forensic reports, you gain valuable insights into how your domain is being used, enabling you to take corrective action. The reporting features also help you identify potential misconfigurations in your DNS records, ensuring that legitimate emails are delivered correctly.
- Enhanced Email Security: By enforcing a quarantine or reject policy, you add an extra layer of security, ensuring that only legitimate emails reach your recipients. Your DNS hosting provider can help maintain and monitor your DNS records, keeping your domain secure over time.
- Eligibility for BIMI Implementation: With a quarantine or reject DMARC policy, you can implement Brand Indicators for Message Identification (BIMI) for certain email providers like Gmail, Yahoo Mail, and Fastmail. This email standard allows businesses to display their logos next to authenticated emails in recipients’ inboxes. BIMI enhances brand visibility and provides a visual trust signal to recipients.
Conclusion
Resolving the “DMARC quarantine/reject policy not enabled” issue is crucial in improving your domain’s email security. By evaluating your current DMARC policy, developing an appropriate enforcement strategy, and implementing stricter DMARC settings, you can significantly reduce the risk of email spoofing and phishing attacks.
Moving gradually to a DMARC reject policy ensures maximum protection for your domain and boosts your brand’s credibility, email deliverability, and long-term security against malicious email campaigns. Get in touch so we can help you move safely from p=none to p=reject.