Merula
Email authentication · June 2026

“DMARC policy not enabled” or “No DMARC record found” — what the warning means and what to do

What this warning means

A scanner, a deliverability tool, a customer’s security questionnaire, or a mailbox provider’s postmaster tools has flagged that your domain either has no DMARC record at all, or has one with no effective policy (p=none). The two cases sound different but have the same practical consequence: anyone on the internet can send email claiming to be your domain, and receiving servers have no instruction from you to stop it.

This warning increasingly appears in contexts that cost you money: supplier security assessments, cyber-insurance questionnaires, partner onboarding checks, and the sender requirements of Google, Yahoo and Microsoft — all of which now expect a published DMARC record as a minimum.

Why it matters — in concrete terms

Without DMARC (or stuck at p=none):

Adoption data shows you’re far from alone — roughly half of all domains worldwide now publish DMARC, but the majority of those remain at p=none, which provides reporting and nothing else. The gap between “has a record” and “is protected” is exactly where most SMBs sit.

How to fix it — the safe sequence

  1. Publish a monitoring record today. Create a TXT record at _dmarc.yourdomain.com with the value v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. This is risk-free (it changes nothing about delivery) and immediately satisfies “has a DMARC record” checks while reports start flowing.
  2. Inventory your senders from the reports. Within a week or two you’ll see every server sending as your domain: your mail platform, your invoicing tool, your newsletter service — and any impersonators.
  3. Align every legitimate sender with SPF and, preferably, DKIM signed with your own domain.
  4. Enforce. Move to p=quarantine, verify nothing legitimate breaks, then p=reject. This is the step where the warning’s underlying risk — forgery in your name — is actually closed. EU CSIRT guidance describes this exact monitor-then-enforce path.
  5. Keep watching. New tools, key rotations and vendor changes will eventually break alignment again; the reports are how you find out, rather than hearing it from a customer first.
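
An added example, not part of the original article or Merula's product: Python that reads one DMARC aggregate (rua) report and labels each sending IP, which is the inventory steps 2 to 4 rely on. The report XML is constructed, uses documentation IP ranges and assumes the un-namespaced RFC 7489 layout; the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, trimmed to the fields read below (assumed layout: RFC 7489 Appendix C).
SAMPLE_REPORT = """<feedback>
<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def inventory_senders(report_xml):
    """Return {source_ip: {"messages", "dkim", "dmarc_pass"}} summed over all rows."""
    # Reports are sent by third parties: treat the XML as untrusted input in production.
    root = ET.fromstring(report_xml)
    senders = defaultdict(lambda: {"messages": 0, "dkim": 0, "dmarc_pass": 0})
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the aligned results; DMARC passes if either one passes.
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        entry = senders[row.findtext("source_ip")]
        entry["messages"] += count
        entry["dkim"] += count if dkim_ok else 0
        entry["dmarc_pass"] += count if (dkim_ok or spf_ok) else 0
    return dict(senders)


def classify(senders):
    """Label each source; 'failing' ones must be aligned (or are forgeries) before enforcing."""
    labels = {}
    for ip, s in senders.items():
        if s["dmarc_pass"] < s["messages"]:
            labels[ip] = "failing"       # would be quarantined or rejected under enforcement
        elif s["dkim"] < s["messages"]:
            labels[ip] = "spf_only"      # passes today, but step 3 prefers DKIM
        else:
            labels[ip] = "dkim_aligned"
    return labels


if __name__ == "__main__":
    print(classify(inventory_senders(SAMPLE_REPORT)))
```

A source labelled failing is either a legitimate service that still needs aligning or someone forging the domain; the report alone does not say which, so match the IP against the services you know you use.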

How long does it take?

Publishing the record: five minutes. Reaching enforcement: typically four to eight weeks for a small business, driven mostly by how many sending services need aligning. The cost of not starting is open-ended.

Merula checks your DMARC record on every sweep, explains each step from p=none to p=reject in plain language, and tells you the day anything changes. Merula is in development and launches after summer 2026.