“DMARC policy not enabled” or “No DMARC record found” — what the warning means and what to do
What this warning means
A scanner, a deliverability tool, a customer's security questionnaire, or a mailbox provider's postmaster tools has flagged that your domain either has no DMARC record at all (no TXT record at _dmarc.yourdomain.com), or has one with no effective policy (p=none, which tells receivers to take no action on mail that fails authentication). The two cases sound different but have the same practical consequence: anyone on the internet can send email claiming to be your domain, and receiving servers have no instruction from you to stop it.
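To make the two cases concrete, here is an added example (not code from the original page or from Merula) that classifies whatever TXT strings a resolver returns for _dmarc.<domain> the way a receiving server would under RFC 7489: a record whose first tag is not exactly v=DMARC1 is ignored, more than one DMARC record means the domain is treated as having none, a missing p= with a usable rua= is treated as p=none, and sp= and pct= defaults are filled in. The input lists are constructed; nothing here queries DNS.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split one TXT value into its tags. Returns None unless the first tag is
    exactly v=DMARC1 (RFC 7489 s.6.3); receivers ignore any other record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return None
    first_key, first_val = (s.strip() for s in parts[0].split("=", 1))
    if first_key != "v" or first_val != "DMARC1":
        return None
    tags = {}
    for p in parts:
        if "=" not in p:
            return None
        k, v = p.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags


def classify(txt_records):
    """txt_records: every TXT string found at _dmarc.<domain> ([] if the name
    does not exist). Returns (status, notes) where status is one of
    'no_record', 'monitoring_only', 'quarantine', 'reject'."""
    candidates = [t for t in (parse_dmarc_record(r) for r in txt_records) if t]
    if not candidates:
        return "no_record", ["no v=DMARC1 record at _dmarc.<domain>"]
    if len(candidates) > 1:
        # RFC 7489 s.6.6.3: more than one DMARC record and receivers treat the
        # domain as having none. A frequent result of a copy-paste in DNS.
        return "no_record", ["multiple DMARC records published; receivers discard all"]
    tags = candidates[0]
    notes = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # s.6.6.3 step 6: invalid or missing p= but a usable rua= -> act as p=none
        if tags.get("rua", "").startswith("mailto:"):
            notes.append("p= missing or invalid; receivers fall back to p=none")
            policy = "none"
        else:
            return "no_record", ["p= missing or invalid and no rua=; record ignored"]
    if "rua" not in tags:
        notes.append("no rua=: you will receive no aggregate reports")
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if sp != policy:
        notes.append(f"subdomain policy sp={sp} differs from p={policy}")
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    if pct != "100" and policy != "none":
        notes.append(f"pct={pct}: policy applied to only that share of failing mail")
    status = "monitoring_only" if policy == "none" else policy
    return status, notes


if __name__ == "__main__":
    for records in ([], ["v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"],
                    ["v=DMARC1; p=reject", "v=DMARC1; p=none"]):
        print(records, "->", classify(records))
```

The "multiple records" branch is worth keeping in mind when a scanner says "no record" but you can see one in your DNS console: a second, older record at the same name silently cancels both.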
This warning increasingly appears in contexts that cost you money: supplier security assessments, cyber-insurance questionnaires, partner onboarding checks, and the sender requirements of Google, Yahoo and Microsoft, all of which now expect a published DMARC record as a minimum from senders above their bulk-mail thresholds.
Why it matters — in concrete terms
Without DMARC (or stuck at p=none):
- Spoofed invoices and CEO-fraud mail in your name sail through. The EU cybersecurity agency ENISA documents real SMB cases where a forged or hijacked sender identity was used to defraud the business’s customers — in one case costing the victim company a client relationship worth €200,000–300,000 a year. Sender forgery needs no hacking; it exploits email’s default of trusting the From field.
- You are blind. DMARC aggregate reporting (the rua= tag) is the standard mechanism by which Gmail, Microsoft and other receivers tell you which servers are sending as your domain and whether that mail authenticates. No record, no reports, no visibility.
- Your deliverability is discounted. Major providers treat a missing DMARC record as a negative reputation signal for every message you send.
Adoption data shows you're far from alone: roughly half of all domains worldwide now publish DMARC, but the majority of those remain at p=none, which provides reporting and nothing else. The gap between "has a record" and "is protected" is exactly where most SMBs sit.
How to fix it — the safe sequence
- Publish a monitoring record today. As a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. This is risk-free (it changes nothing about delivery) and immediately satisfies "has a DMARC record" checks while reports start flowing. Make sure the reports mailbox exists; if it lives on a different domain, that domain must publish an authorisation record (yourdomain.com._report._dmarc.otherdomain.com) or receivers will not send reports there.
- Inventory your senders from the reports. Within a week or two you'll see every server sending as your domain: your mail platform, your invoicing tool, your newsletter service, and any impersonators.
- Align every legitimate sender. DMARC passes only when SPF or DKIM both passes and aligns with the From: domain: SPF aligns when the envelope sender (Return-Path) domain matches, DKIM when the signature's d= domain matches. Prefer DKIM signed with your own domain, because it survives forwarding and mailing lists, where SPF breaks.
- Enforce. Move to p=quarantine (optionally starting with a pct= fraction of failing mail), verify nothing legitimate breaks, then p=reject. Remember that the subdomain policy sp= defaults to p, so any subdomain that sends mail must be aligned too. This is the step where the warning's underlying risk, forgery in your name, is actually closed. EU CSIRT guidance describes this exact monitor-then-enforce path.
- Keep watching. New tools, key rotations and vendor changes will eventually break alignment again; the reports are how you find out, rather than hearing it from a customer first.
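The inventory and enforcement steps above both come down to reading the aggregate (rua) reports. The following is an added example, not code from the page or from Merula, that parses one report in the RFC 7489 Appendix C XML format and answers the two questions that matter: which sources are sending as the domain, and which of them would be quarantined or rejected if p= were raised today. The report is constructed for this example, with three sources: the mail platform (aligned DKIM and SPF), an invoicing tool whose SPF passes only for its own bounce domain (so it is not aligned), and an impersonator. Note that policy_evaluated carries the aligned verdicts DMARC actually decides on, while auth_results carries the raw SPF and DKIM outcomes, which is what lets you identify the vendor behind an unaligned source.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 Appendix C schema), not a real
# one. Real reports arrive from untrusted senders, zipped or gzipped; parse
# those with a hardened parser such as defusedxml rather than the stdlib one.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.invoicing-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>203-0-113-99.bad.example</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Per source IP: message count, aligned pass/fail totals, and the raw SPF
    and DKIM domains seen, so each source can be matched to a known service."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results DMARC decides on;
        # auth_results below holds the raw outcomes regardless of alignment.
        aligned_dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        aligned_spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        src = sources.setdefault(ip, {"count": 0, "pass": 0, "fail": 0,
                                      "spf_domains": set(), "dkim_domains": set()})
        src["count"] += count
        src["pass" if (aligned_dkim or aligned_spf) else "fail"] += count
        for spf in rec.findall("auth_results/spf"):
            src["spf_domains"].add(spf.findtext("domain"))
        for dkim in rec.findall("auth_results/dkim"):
            src["dkim_domains"].add(dkim.findtext("domain"))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": sources}


def enforcement_impact(summary):
    """Sources with failing mail, largest first: what p=quarantine/reject would
    hit today. Each is either a legitimate sender still to align (recognisable
    from its raw SPF/DKIM domain) or an impersonator you want blocked."""
    failing = [(ip, s) for ip, s in summary["sources"].items() if s["fail"]]
    return sorted(failing, key=lambda kv: kv[1]["fail"], reverse=True)


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_REPORT)
    print(f"{summary['domain']} published p={summary['policy']}")
    for ip, s in enforcement_impact(summary):
        print(f"{ip}: {s['fail']} of {s['count']} would fail; "
              f"spf={sorted(s['spf_domains'])} dkim={sorted(s['dkim_domains'])}")
```

In practice you feed every report from the rua mailbox through this over a couple of weeks and work the failing list from the top: the invoicing vendor's bounce domain tells you which service to configure (custom DKIM or a custom Return-Path), and a source with no recognisable domain and a reverse-DNS-style SPF identity is the kind of traffic enforcement exists to stop.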
How long does it take?
Publishing the record: five minutes. Reaching enforcement: typically four to eight weeks for a small business, driven mostly by how many sending services need aligning. The cost of not starting is open-ended.
Merula checks your DMARC record on every sweep, explains each step from p=none to p=reject in plain language, and tells you the day anything changes. Merula is in development and launches after summer 2026.