Dmarc policy none

Moderate effort

Strengthen your DMARC policy from p=none (monitor-only) to p=quarantine, then p=reject, to actively block email spoofing of your domain.

What it is

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that tells receiving mail servers what to do with emails that claim to come from your domain but fail authentication checks. A policy of p=none means "do nothing — just watch." It is a starting point for monitoring, not a finished protection. Until you move to p=quarantine or p=reject, anyone on the internet can send phishing or fraud emails that appear to come from your store's domain and mail servers will deliver them without question.

Why it matters

With p=none in place, criminals can impersonate your brand in phishing emails to your customers, suppliers, or staff — and those emails will land in inboxes rather than spam folders. A successful phishing campaign erodes customer trust, can trigger payment fraud chargebacks, and may expose you to legal liability. Google and Yahoo's 2024 bulk-sender requirements made a published DMARC policy a deliverability prerequisite, so staying at p=none also risks your legitimate marketing and transactional emails being filtered or rejected. Moving to p=reject is the only setting that fully closes the spoofing window.

How to fix it

Confirm your DMARC reporting address is set: your existing record should already contain rua=mailto:you@yourdomain.com so you receive aggregate reports. If not, add it before anything else.
Review at least two to four weeks of aggregate reports (XML files sent to your rua address, or parsed by a free tool like Google Postmaster Tools, dmarcian, or MXToolbox) to identify every source that sends mail on your domain's behalf — your ESP, transactional mail service, CRM, etc.
Ensure every legitimate sending source has valid SPF and DKIM alignment. Add any missing sources to your SPF record and confirm DKIM keys are published in DNS.
Change your DMARC record's p= value from none to quarantine (failed messages go to spam). Monitor reports for one to four weeks and verify no legitimate mail is failing.
Once reports confirm only spoofed/unknown senders are failing, change p=quarantine to p=reject (failed messages are outright blocked). This is the target end state.
Optionally tighten further by adding pct=100 (applies policy to 100% of failing mail, which is the default) and a forensic reporting address ruf= if your provider supports it.

; Step 1 – current state (monitor only — fix this)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;

; Step 2 – intermediate enforcement (quarantine)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com;

; Step 3 – full enforcement (target state)
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com;

Fix it on your platform

Pick your platform for the exact steps.

How to fix dmarc policy none on Shopify

Shopify does not manage DNS records — your domain's DNS is controlled at your domain registrar (e.g., GoDaddy, Namecheap, Cloudflare) or wherever you pointed your nameservers.
Log in to your DNS provider's control panel and locate the DNS management / DNS Records section for your store's domain.
Find the existing TXT record with the Name/Host _dmarc (i.e., _dmarc.yourdomain.com) and click Edit.
Change p=none to p=quarantine in the record value, save, and wait 24–48 hours for propagation. Monitor reports.
After confirming no legitimate mail fails, edit the record again and change p=quarantine to p=reject.
If you use Shopify Email or a third-party ESP connected to Shopify (Klaviyo, Omnisend, etc.), verify that service is included in your SPF record and has DKIM configured before tightening DMARC.

Full Shopify guide →Official Shopify docs ↗

How to fix dmarc policy none on WooCommerce

WooCommerce runs on WordPress hosted on your own server; DNS is managed at your registrar or hosting provider (e.g., cPanel, Cloudflare, SiteGround).
Log in to your DNS provider or cPanel > Zone Editor and find the TXT record named _dmarc.
Edit the record value: change p=none to p=quarantine, save, and monitor DMARC aggregate reports for two to four weeks.
Confirm your WordPress transactional mail plugin (e.g., WP Mail SMTP, FluentSMTP) sending via an SMTP relay (SendGrid, Mailgun, Postmark) has SPF and DKIM properly configured in DNS — check the plugin's settings for DKIM key instructions.
Once reports are clean, edit the _dmarc TXT record again and set p=reject.

Full WooCommerce guide →Official WooCommerce docs ↗

How to fix dmarc policy none on BigCommerce

BigCommerce does not control DNS. Navigate to your domain registrar or DNS host's control panel.
Locate the TXT record named _dmarc for your store domain.
Edit the value to change p=none to p=quarantine. Save and allow propagation (up to 48 hours).
BigCommerce sends transactional emails via its own infrastructure. In BigCommerce Admin > Store Setup > Email, confirm the From address domain matches your domain, and verify your SPF record includes BigCommerce's sending IPs (check their Help Center for current SPF include values).
Review aggregate reports, then edit the _dmarc record a final time to set p=reject.

Full BigCommerce guide →Official BigCommerce docs ↗

How to fix dmarc policy none on Wix

If your domain is registered through Wix: go to Wix Admin Dashboard > Domains > select your domain > Manage DNS Records.
If your domain is registered externally and pointed to Wix: log in to your external registrar and open DNS management.
Find the TXT record with the Host value _dmarc.
Click Edit and change p=none to p=quarantine in the Value field. Save the record.
Wix sends email via its own mailer; if you use Wix Stores transactional emails or a third-party email marketing app, confirm those services appear in your SPF record.
After a clean monitoring period, return to the same record and update to p=reject.

Full Wix guide →Official Wix docs ↗

How to fix dmarc policy none on Squarespace

If your domain is managed by Squarespace: go to Squarespace Admin > Settings > Domains > click your domain > DNS Settings.
If your domain is external: log in to your registrar's DNS panel.
Locate the TXT record with Host _dmarc and click the edit/pencil icon.
Update the value to change p=none to p=quarantine and save.
If you use Squarespace Email Campaigns or a connected ESP, verify DKIM is enabled in that platform's settings and that its sending domain is aligned.
After verifying reports show no legitimate failures, edit the record again and set p=reject.

Full Squarespace guide →Official Squarespace docs ↗

How to fix dmarc policy none on Webflow

Webflow does not host DNS unless you purchased your domain through Webflow. If your domain was purchased via Webflow, go to Webflow Dashboard > Project Settings > Hosting > Custom Domain > DNS Settings (or manage via the Webflow DNS panel).
If your domain is at an external registrar, log in there and go to DNS management.
Find the TXT record with Name/Host _dmarc and edit it.
Change p=none to p=quarantine, save, and propagate.
Webflow itself does not send email on your behalf; ensure any connected tools (Mailchimp, Klaviyo form integrations, etc.) are in your SPF and have DKIM set up.
After a clean monitoring window, return and change p=quarantine to p=reject.

Full Webflow guide →Official Webflow docs ↗

How to fix dmarc policy none on Adobe Commerce (Magento)

Adobe Commerce is self-hosted or cloud-hosted; DNS is controlled at your registrar, hosting provider, or cloud DNS service (e.g., AWS Route 53, Cloudflare).
Log in to your DNS management interface and locate the _dmarc TXT record for your domain.
Edit the record: change p=none to p=quarantine. Save and allow up to 48 hours for propagation.
Adobe Commerce sends transactional emails via your configured SMTP (set in Stores > Configuration > Advanced > System > Mail Sending Settings). Confirm the sending domain matches your From address domain, and that SPF and DKIM are configured at your SMTP relay provider (SendGrid, Mailgun, etc.).
Review DMARC aggregate reports to confirm alignment, then update the _dmarc record to p=reject.

Full Adobe Commerce (Magento) guide →Official Adobe Commerce (Magento) docs ↗

How to fix dmarc policy none on Magento Open Source

Magento Open Source is self-hosted; DNS is at your registrar or hosting control panel (cPanel, Plesk, Cloudflare, etc.).
Navigate to DNS management and find the _dmarc TXT record.
Edit the value to set p=quarantine, save, and monitor DMARC reports.
In the Magento admin go to Stores > Configuration > Advanced > System > Mail Sending Settings to confirm the SMTP relay and From domain. Ensure the relay's SPF include and DKIM selector are present in your DNS.
After reports confirm only spoofed mail fails, edit the record to p=reject.

Full Magento Open Source guide →Official Magento Open Source docs ↗

How to fix dmarc policy none on PrestaShop

PrestaShop is self-hosted; update the _dmarc TXT record at your registrar or hosting DNS panel.
Change p=none to p=quarantine and save the record.
Verify your PrestaShop transactional mail SMTP settings (Advanced Parameters > E-mail) and confirm the sending domain's SPF and DKIM are published.
After a monitoring period with clean reports, update the DMARC record to p=reject.

Full PrestaShop guide →Official PrestaShop docs ↗

Does your site have this issue?

Run a free SEOLZ audit to find dmarc policy none — and every other issue — across your whole site in minutes.

Scan my site free

Frequently asked questions

What is Dmarc policy none?

Why does dmarc policy none matter?

How do I fix dmarc policy none?