DMARC Quarantine/Reject Policy Not Enabled: What It Means and How to Fix It
Seeing 'DMARC quarantine/reject policy not enabled' in a security audit? Learn what this warning means, why it matters, and how to safely enable DMARC enforcement.
If you've seen the message "DMARC quarantine/reject policy not enabled" in a security audit, email deliverability tool, or compliance report, it means your domain's DMARC policy is set to p=none — monitoring only, no enforcement.
This isn't broken, but it means DMARC isn't actively protecting your domain from spoofing. Here's what it means and how to safely move to enforcement.
What the Warning Means
Your DMARC record currently looks something like:
v=DMARC1; p=none; rua=mailto:[email protected]
The p=none policy tells receiving servers: "Check DMARC alignment, send me reports, but don't do anything about failures." Emails that fail DMARC are still delivered.
This is a valid starting point — p=none lets you collect data before enforcing. But staying at p=none indefinitely means:
- Anyone can spoof your domain and emails will still be delivered
- You don't get the full deliverability benefit of DMARC
- Security audits will continue flagging this as a weakness
- Google and Yahoo increasingly favor senders with enforcement policies
The Three DMARC Policies
| Policy | What Happens to Failing Emails | Protection Level |
|---|---|---|
| p=none | Nothing — delivered normally | Monitoring only — no protection |
| p=quarantine | Sent to spam/junk folder | Moderate — spoofed emails are filtered |
| p=reject | Rejected entirely — not delivered | Full — spoofed emails are blocked |
Why You Should Enable Enforcement
Security
p=none means anyone can send email pretending to be your domain. With p=quarantine or p=reject, spoofed emails are filtered or blocked, protecting your brand and your contacts from phishing.
Deliverability
Mailbox providers trust senders with enforcement policies more than those with p=none. Google has stated that enforcement policies are a positive signal for deliverability.
Compliance
Many security frameworks and compliance standards (SOC 2, NIST, PCI DSS) recommend or require DMARC enforcement. The "policy not enabled" warning in audits won't go away until you move beyond p=none.
How to Safely Enable DMARC Enforcement
Moving directly from p=none to p=reject is risky. If any legitimate sender isn't properly authenticated, their emails will be rejected. Use a gradual approach:
Analyze your DMARC reports
If you have rua configured, review your aggregate reports. Identify every source that sends email from your domain. Make sure every legitimate source passes SPF or DKIM alignment.
Fix authentication gaps
For any legitimate sender that fails DMARC alignment:
- Add their SPF include to your record
- Set up DKIM signing for your domain through their platform
- Verify alignment is working
Check your authentication after making changes.
Move to p=quarantine with pct=10
Start small. Apply quarantine to only 10% of failing messages:
v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]
This means 90% of failing messages are still delivered normally, and only 10% go to spam.
Monitor and increase
Watch your DMARC reports and email delivery over 1–2 weeks. If no legitimate email is being quarantined, increase the percentage:
pct=25 → pct=50 → pct=75 → pct=100
Move to p=reject
Once you're at pct=100 on quarantine with no issues, move to reject:
v=DMARC1; p=reject; rua=mailto:[email protected]
Start again with pct=10 if you want to be extra cautious.
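The staged rollout above hinges on how receivers interpret p= and pct=. The following is an added example, not code from this article: it parses a DMARC record, applies the "quarantine/reject policy not enabled" audit check, and counts how many of 100 failing messages land under each policy at each step of the pct ramp. It assumes the RFC 7489 sampling rule that a message not selected by pct receives the next less strict policy (reject falls back to quarantine, quarantine to none); the rua address is a constructed sample.

```python
# Added example (not the article's code): DMARC record parser, the audit
# check for enforcement, and the effect of pct sampling on failing mail.
# Assumes RFC 7489: unsampled messages get the next less strict policy.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; pct=10; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in NEXT_LESS_STRICT:
        tags["p"] = "none"  # a missing or invalid p is monitoring only
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    tags["pct"] = str(min(100, max(0, pct)))
    return tags

def enforcement_enabled(record: str) -> bool:
    """The audit check: only quarantine or reject counts as enforcement."""
    return parse_dmarc(record)["p"] in ("quarantine", "reject")

def applied_policy(record: str, roll: int) -> str:
    """Policy for one failing message; roll is the receiver's 1..100 draw."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    return policy if roll <= int(tags["pct"]) else NEXT_LESS_STRICT[policy]

def share_by_policy(record: str) -> dict:
    """Out of 100 failing messages, how many land under each policy."""
    counts = {}
    for roll in range(1, 101):
        policy = applied_policy(record, roll)
        counts[policy] = counts.get(policy, 0) + 1
    return counts

if __name__ == "__main__":
    current = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # constructed
    print("enforcement enabled:", enforcement_enabled(current))
    for pct in (10, 25, 50, 75, 100):  # the ramp described in the article
        rec = f"v=DMARC1; p=quarantine; pct={pct}; rua=mailto:dmarc@example.com"
        print(rec, "->", share_by_policy(rec))
```

Running it shows the pct=10 record sending 10 of 100 failing messages to quarantine and leaving 90 under none, which is the "90% still delivered" behaviour described above.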
Quarantine vs Reject: Which to Use?
| | p=quarantine | p=reject |
|---|---|---|
| Failed emails go to | Spam/junk folder | Not delivered at all |
| Recovery from mistakes | Easier — recipients can check spam | Harder — email is bounced |
| Spoofing protection | Moderate — spoofed emails are hidden | Strong — spoofed emails are blocked |
| Mailing list impact | Lower — forwarded emails go to spam | Higher — forwarded emails may bounce |
When to Use Quarantine
- You're still identifying all legitimate senders
- Your organization sends to mailing lists (which can break DMARC)
- You want enforcement with a safety margin
When to Use Reject
- You've been at quarantine for several weeks with no issues
- You want maximum protection against spoofing
- All legitimate senders are fully authenticated
- You don't send to mailing lists that modify messages
Common Mistakes
Moving Too Fast
Jumping from p=none to p=reject without analyzing reports and fixing authentication gaps causes legitimate email to bounce. Always verify first.
Not Using the pct Tag
The pct tag lets you gradually enforce the policy. Going to pct=100 immediately is the same as skipping the gradual approach.
Forgetting Third-Party Senders
The most common cause of legitimate email failing DMARC after enforcement: a third-party service (CRM, support tool, marketing platform) that wasn't properly authenticated. Review your sender inventory before tightening the policy.
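Both the "Analyze your DMARC reports" step and the third-party-sender mistake above come down to reading the aggregate (rua) reports and finding sources that fail alignment. The following is an added example, not code from this article: it summarises a constructed aggregate report in the RFC 7489 Appendix C XML format and lists the sources that would start failing once p= is tightened. The second record models a third-party CRM whose SPF passes for its own domain but is not aligned with the From: domain; the IPs, domains and counts are constructed samples.

```python
# Added example (not the article's code): summarise a DMARC aggregate report
# and list sources that fail alignment. SAMPLE_REPORT is constructed in the
# RFC 7489 Appendix C format. Reports arrive from third parties, so a
# production parser should use a hardened XML library such as defusedxml.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize_report(xml_text: str) -> dict:
    """Per source IP: total messages and how many failed DMARC alignment.

    policy_evaluated/dkim and /spf are the aligned results that DMARC
    enforces; auth_results holds raw results (here SPF passes for the
    vendor's own domain) and does not by itself protect the message.
    """
    sources = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        entry = sources.setdefault(row.findtext("source_ip"), {"count": 0, "failing": 0})
        entry["count"] += count
        if not aligned:
            entry["failing"] += count
    return sources

def sources_needing_fixes(xml_text: str) -> list:
    """Sources with failing mail: fix their SPF/DKIM before tightening p=."""
    return sorted(ip for ip, s in summarize_report(xml_text).items() if s["failing"])

if __name__ == "__main__":
    for ip, s in summarize_report(SAMPLE_REPORT).items():
        print(f"{ip}: {s['count']} messages, {s['failing']} failing alignment")
    print("fix before enforcement:", sources_needing_fixes(SAMPLE_REPORT))
```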
Not Monitoring After Changes
After every policy change, monitor DMARC reports and email delivery for at least a week. Catch problems early before they compound.