Why isn’t My DMARC Quarantine/Reject Policy Enabled and How Can I Fix It?

Quick Takeaways

• p=none leaves your domain vulnerable to spoofing; move to p=quarantine or p=reject quickly.
• Analyze DMARC reports to confirm legitimate senders pass SPF/DKIM before tightening policy.
• Transition gradually: p=none → p=quarantine → p=reject.
• Update the DMARC TXT record in your DNS (or use a CNAME‑based managed service).
• Continuously monitor reports to catch misconfigurations early.
• Enforcing DMARC unlocks BIMI, boosts brand trust, and improves deliverability.
• Use Palisade’s tools to generate records, scan domains, and view real‑time reports.

Frequently Asked Questions (FAQ)

1. What does a p=none DMARC policy do? It tells receiving servers to only collect reports without taking any action on unauthenticated mail, so spoofed messages can still reach inboxes.
2. How can I check my current DMARC status? Run a scan with Palisade’s Email Security Score to see your policy and authentication results.
3. When should I switch from quarantine to reject? After a few weeks of monitoring that all legitimate sources consistently pass SPF and DKIM, you can move to reject for maximum protection.
4. Do I need to update SPF or DKIM records first? Yes—ensure SPF includes every sending IP and DKIM keys are correctly published for all authorized services.
5. Can I still use BIMI after enabling reject? Absolutely—BIMI requires a quarantine or reject policy; set it up via Palisade’s BIMI tool.

Step‑by‑Step Guide to Enable a Strict DMARC Policy

1. Review Your Current DMARC Data

Start by examining the aggregate reports you receive. Look for sources that fail SPF or DKIM alignment and note any “non‑compliant” senders. Confirm that all your marketing platforms, CRM tools, and transactional services are listed as authorized. If you spot unknown sources, investigate and either add them to SPF/DKIM or block them.

Pal​isade’s dashboard visualizes these trends, making it easy to spot anomalies at a glance.

2. Design Your Enforcement Path

Once you’re confident that legitimate traffic passes authentication, update the DMARC record to p=quarantine. This tells receivers to place suspicious mail in the spam folder instead of delivering it outright. Monitor the impact for 1‑2 weeks; if no legitimate mail is affected, change the policy to p=reject for full protection.

Communicate the upcoming change to internal teams—IT, support, and marketing—to prepare for any temporary delivery issues.

3. Update the DMARC Record in DNS

Log into your DNS provider (Cloudflare, GoDaddy, etc.) and edit the _dmarc TXT record. Use Palisade’s DMARC Record Generator to create a string that includes your desired policy, reporting addresses (rua/ruf), and alignment settings.

Example for a reject policy:

v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com; adkim=s; aspf=s;

Save the record and allow up to 48 hours for DNS propagation. Verify the change with Palisade’s Domain Scanner.

Provider‑Specific Quick Tips

Cloudflare

1. Open the Cloudflare dashboard and select the DNS tab.
2. Add a new TXT record named _dmarc with the generated value.
3. Enable “Proxied” = OFF to ensure the record is visible to external validators.

GoDaddy

1. Navigate to Domain Manager → DNS.
2. Create a TXT record named _dmarc and paste the generated string.
3. Save and wait for propagation before rescanning.

Why Enforcing DMARC Matters

Switching from a monitoring‑only policy to enforcement stops attackers from impersonating your brand, which protects both your reputation and your customers. A strict policy also improves your sender reputation, leading to higher inbox placement rates for legitimate campaigns.

Additionally, a quarantine or reject policy is a prerequisite for implementing BIMI, allowing your logo to appear next to authenticated emails and reinforcing brand trust.

Next Steps

After updating the policy, keep an eye on daily reports. If you notice any legitimate source being quarantined, adjust its SPF/DKIM settings and re‑evaluate. Over time, you’ll see fewer spoofed messages and better overall email health.

Need hands‑on assistance? Contact Palisade for a guided migration from p=none to p=reject.