The State of Email Authentication 2026: Why 778,000 Domains Published DMARC Records but Never Enabled Protection

A data-driven analysis of DMARC adoption across 5.5 million domains reveals a critical gap. Publication has grown sharply since 2024, but actual enforcement lags far behind, leaving the majority of authenticated domains still vulnerable to spoofing.

159,691 domains
The only domains in the global internet ecosystem meeting the gold standard of p=reject with RUA reporting enabled as of early 2026.

Two years after Gmail and Yahoo introduced the February 2024 bulk sender requirements, DMARC adoption has become one of the most visible success stories in internet infrastructure. Valid DMARC records grew from 523,921 domains in 2023 to 937,931 in early 2026, a 79% increase driven almost entirely by mailbox provider enforcement pressure. On paper, the email authentication crisis appears to be resolving itself.

The data tells a different story. Of the 937,931 domains with valid DMARC records in 2026, only 411,935 actually enforce their policy through p=quarantine or p=reject. The remaining 525,996 domains sit at p=none, which is monitoring mode, offering zero protection against spoofing or phishing. Published DMARC records have outpaced enforced DMARC records by nearly two to one, and the gap is widening.

This analysis consolidates research from EasyDMARC (1.8M domains), DMARCguard (5.5M domains from the Tranco list), Red Sift (73M domains), and Fortune 500 tracking data to map what is actually happening with email authentication in 2026, where the enforcement gaps are concentrated, and what the data means for the next 24 months of email security.

Key Takeaways
  • Valid DMARC record count has grown 79% since 2023, reaching 937,931 domains in early 2026, but only 411,935 of those records are actually enforced.
  • At the most rigorous measurement (p=reject plus RUA aggregate reporting), only 159,691 domains globally meet the enforcement standard required for full protection.
  • Fortune 500 DMARC adoption hit 475 of 500 companies with over 80% at enforcement, while Inc. 5000 fast-growth companies remain stuck predominantly at p=none.
  • The broader internet tells a more sobering story: across 5.5 million Tranco-ranked domains, only 12.8% enforce DMARC with p=quarantine or p=reject.
  • The gap is not a capability problem. It is an operational maturity problem concentrated in mid-market companies that deployed third-party sending infrastructure without coordinating authentication.

The Headline Numbers

Before analyzing what the data means, the underlying figures from the three major 2026 studies tell a consistent story across different sample sizes:

| Source | Sample Size | DMARC Adoption | At Enforcement (p=quarantine or p=reject) |
|---|---|---|---|
| DMARCguard (Tranco Top Sites) | 5,499,028 domains | 30.4% | 12.8% |
| EasyDMARC (Global analysis) | 1,800,000 domains | ~52% | ~23% |
| Red Sift (Global public companies) | 73,300,000 domains | 14.9% | 2.5% (p=reject only) |
| Fortune 500 (various trackers) | 500 companies | 93.8% to 95% | 62.7% to 80%+ |

The sample composition explains the divergence. EasyDMARC weights toward commercial and high-volume senders, DMARCguard captures the top-ranked public web, and Red Sift analyzes the long tail of corporate domains globally. The Fortune 500 acts as a ceiling benchmark showing what is possible when resources are applied. The common thread is that DMARC publication is becoming near-universal at the enterprise tier while enforcement remains elusive across the broader internet.

Understanding the Enforcement Gap

A DMARC record at p=none tells receiving servers to take no action when authentication fails. The record still generates aggregate reports (if RUA is configured), which gives the domain owner visibility into sending sources, but it provides no protection against spoofing. Any attacker can send mail that claims to be from the domain, and receiving servers will deliver it normally.

The purpose of p=none is to operate as a staging phase. A domain owner publishes p=none, analyzes the reports for 30 to 90 days to identify all legitimate sending sources, fixes any authentication gaps, and then moves to p=quarantine (send to spam) and eventually p=reject (reject outright). This progression is the entire point of the DMARC specification.

What the 2026 data reveals is that most organizations stop at step one. They publish the p=none record, generate the reports, and then either never analyze them or cannot resolve the alignment problems that the reports reveal. The result is a growing population of domains that have advertised DMARC compliance without actually delivering it.

Warning: A p=none policy provides zero protection against domain spoofing. It is a monitoring tool, not a security control. Organizations advertising DMARC compliance while remaining at p=none are misrepresenting their security posture. Reference our email authentication guide for the full progression path.

Why the Gap Exists: Operational Maturity, Not Technical Difficulty

The causes of the enforcement gap are primarily organizational, not technical. Three patterns recur in the data:

Third-Party Sending Without Authentication Coordination

The single largest source of alignment failures is email sent through third-party platforms (CRM, marketing automation, customer support, payroll, survey tools) that were configured without proper SPF and DKIM alignment to the sending domain. When the domain owner moves to p=quarantine, legitimate email from these platforms starts failing, and internal pressure forces rollback to p=none.

This explains why the Inc. 5000 lags Fortune 500 on enforcement. Fast-growth companies accumulate SaaS sending platforms faster than they can operationalize authentication. Fortune 500 companies typically have dedicated email security teams; Inc. 5000 companies rarely do.

Subdomain Sprawl

A DMARC record at the organizational domain (example.com) does not automatically apply to subdomains unless the sp= tag is configured correctly. Organizations with many subdomains (for transactional mail, marketing, customer support) often publish enforcement at the root while subdomains remain unprotected. Attackers use these unprotected subdomains for phishing.
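The tiers the article counts (p=none monitoring versus p=quarantine/p=reject enforcement, and p=reject with RUA reporting as the gold standard), the sp= subdomain rule from this section, and the pct= sampling and BIMI prerequisite discussed later in the article, as an added Python example. This is not code from the article or from any vendor it cites; the domain names and records are constructed, and the tag semantics follow RFC 7489.

```python
"""Classify DMARC records into the tiers this article counts.

Added example, not code from the article or from the vendors it cites.
It assumes the input is the raw TXT string published at _dmarc.<domain>
and applies RFC 7489 tag semantics (p=, sp=, pct=, rua=).
"""
from __future__ import annotations

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag/value dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: str) -> str:
    """Map a record to 'invalid', 'monitoring', 'enforcement' or 'gold'.

    monitoring  = p=none (the 525,996-domain population: no spoofing protection)
    enforcement = p=quarantine or p=reject
    gold        = p=reject with aggregate reporting (rua=) configured
    """
    # RFC 7489 section 6.3: v=DMARC1 must be the first tag and p= is required.
    first_tag = record.split(";")[0].strip().lower()
    policy = parse_dmarc(record).get("p")
    if first_tag != "v=dmarc1" or policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitoring"
    if policy == "reject" and parse_dmarc(record).get("rua"):
        return "gold"
    return "enforcement"


def effective_policy(record: str, is_subdomain: bool) -> str:
    """Policy a receiver applies to mail from the domain or one of its subdomains.

    sp= governs subdomains and defaults to p= when absent, so a root at
    p=reject with sp=none leaves every subdomain spoofable.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    if is_subdomain and tags.get("sp") in VALID_POLICIES:
        policy = tags["sp"]
    return policy


def disposition(record: str, is_subdomain: bool, roll: int) -> str:
    """Disposition of one failing message under pct= sampling (RFC 7489 6.6.4).

    `roll` stands in for the receiver's random draw in 0..99. Messages outside
    the sampled percentage get the next-weaker action: reject -> quarantine,
    quarantine -> none. That is what makes a pct ramp low-risk.
    """
    tags = parse_dmarc(record)
    policy = effective_policy(record, is_subdomain)
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparsable pct is treated as the default of 100
    if policy == "none" or roll < pct:
        return policy
    return "quarantine" if policy == "reject" else "none"


def bimi_eligible(record: str) -> bool:
    """The prerequisite the article names: p=quarantine or p=reject.

    Receivers and the BIMI draft spec add stricter checks (pct=100 for a
    quarantine policy, no sp=none); those go beyond the article and are
    not modelled here.
    """
    return parse_dmarc(record).get("p") in ("quarantine", "reject")


def tally(records: dict[str, str]) -> dict[str, int]:
    """Count domains per tier, the way the adoption studies do."""
    counts = {"invalid": 0, "monitoring": 0, "enforcement": 0, "gold": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


# Constructed sample records (hypothetical domains, not real published values).
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example",
    "insurer.example": "v=DMARC1; p=none; rua=mailto:dmarc@insurer.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@shop.example",
    "broken.example": "p=reject; rua=mailto:dmarc@broken.example",
}

if __name__ == "__main__":
    print(tally(SAMPLE_RECORDS))
    print(effective_policy("v=DMARC1; p=reject; sp=none", is_subdomain=True))
```

Running the block over the constructed records yields one domain per tier; the `effective_policy` call shows the subdomain-sprawl failure mode, where a root at p=reject with sp=none still returns `none` for any subdomain.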

Incomplete SPF Records

The 10 DNS lookup limit in SPF (RFC 7208) causes permanent errors when an organization adds too many sending sources. Once SPF breaks, DMARC alignment fails, and enforcement becomes impractical. This is one of the most common blockers to enforcement among mid-market companies using five or more third-party sending platforms. See our SPF checker to diagnose lookup issues.
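How the 10-lookup limit gets exhausted, and how flattening recovers headroom, as an added Python example that is not the article's SPF checker or any vendor's code. It assumes a constructed dictionary of domain-to-SPF-record mappings standing in for live DNS (the vendor hostnames and netblocks are made up), and counts lookups the way RFC 7208 section 4.6.4 does.

```python
"""Count the DNS lookups an SPF record costs, against an offline record map.

Added example, not the article's SPF checker. It assumes a constructed
dict of domain -> SPF TXT record in place of live DNS (vendor names and
netblocks are made up). RFC 7208 section 4.6.4 charges include, a, mx,
ptr, exists and redirect= against a limit of 10 per evaluation; ip4, ip6
and all are free.
"""
from __future__ import annotations

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def count_lookups(domain: str, records: dict[str, str],
                  _path: tuple[str, ...] = ()) -> int:
    """Total lookups to evaluate `domain`, following include: and redirect= chains."""
    if domain in _path:
        return 0  # include loop; a real evaluator returns permerror here
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0  # no SPF record: the caller already charged the lookup
    path = _path + (domain,)
    total = 0
    redirect = None
    has_all = False
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # qualifiers do not change lookup cost
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            has_all = True
        elif name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(term.split(":", 1)[1], records, path)
    # redirect= is only followed when no "all" mechanism terminates the record
    if redirect and not has_all:
        total += 1 + count_lookups(redirect, records, path)
    return total


def diagnose(domain: str, records: dict[str, str]) -> tuple[int, str]:
    """Return (lookups, 'ok' | 'permerror') for the domain's SPF record."""
    n = count_lookups(domain, records)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")


# Constructed DNS: five third-party platforms plus mx and a, the mid-market
# pattern the article describes. The CRM vendor's include fans out further.
SAMPLE_DNS = {
    "example.com": ("v=spf1 include:_spf.crm.example.net include:spf.marketing.example.net "
                    "include:support.example.net include:payroll.example.net "
                    "include:survey.example.net mx a -all"),
    "_spf.crm.example.net": ("v=spf1 include:_netblocks1.crm.example.net "
                             "include:_netblocks2.crm.example.net "
                             "include:_netblocks3.crm.example.net ~all"),
    "_netblocks1.crm.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.crm.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.crm.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.marketing.example.net": "v=spf1 include:_spf2.marketing.example.net ~all",
    "_spf2.marketing.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "support.example.net": "v=spf1 ip4:203.0.113.64/26 ~all",
    "payroll.example.net": "v=spf1 ip4:198.51.100.128/25 -all",
    "survey.example.net": "v=spf1 ip4:192.0.2.128/25 ~all",
}

# The same zone after flattening the CRM include into its literal netblocks.
FLATTENED_DNS = dict(SAMPLE_DNS)
FLATTENED_DNS["example.com"] = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
                                "include:spf.marketing.example.net include:support.example.net "
                                "include:payroll.example.net include:survey.example.net mx a -all")

if __name__ == "__main__":
    print("as published:", diagnose("example.com", SAMPLE_DNS))
    print("flattened:   ", diagnose("example.com", FLATTENED_DNS))
```

The published zone costs 11 lookups (seven at the root plus four inside the vendor includes), which is a permerror; flattening one vendor's nested includes into literal netblocks brings it to seven. Flattened records need re-checking whenever the vendor changes its netblocks, which is the operational cost the article's "flattening if necessary" step implies.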

525,996 at p=none
Domains worldwide with DMARC records that provide zero spoofing protection because they have never progressed past the monitoring phase.

The Industry Breakdown

Enforcement rates vary substantially by industry, and the variation maps to both regulatory pressure and sending complexity:

| Industry | DMARC Adoption | At Enforcement | Notes |
|---|---|---|---|
| Banking and Financial Services | ~88% | ~68% | Regulatory pressure from bank supervisory bodies |
| Insurance | ~52% | ~28% | Lagging behind banking despite similar risk profile |
| Healthcare | ~71% | ~38% | HIPAA focus but email authentication not explicitly required |
| Technology / SaaS | ~82% | ~55% | Strong adoption driven by customer trust expectations |
| Retail / eCommerce | ~64% | ~31% | Gap driven by multi-platform sending infrastructure |
| Government (federal) | ~91% | ~74% | Mandated by cybersecurity directives in most developed countries |
| Government (local / state) | ~45% | ~18% | Severe resource constraints and outdated infrastructure |
| Education | ~38% | ~12% | Distributed sending and decentralized IT governance |
| Legal services | ~52% | ~22% | Traditional industry with slower tech modernization |

The banking-insurance gap is instructive. Both sectors face similar phishing risk (financial spoofing is one of the top attack vectors), but banking regulators have moved faster on authentication mandates. Insurance companies face identical threats without identical regulatory pressure and have responded accordingly.

The Geographic Picture

DMARC enforcement also varies substantially by country. Red Sift 2026 data on tracked public companies shows the following enforcement leaders and laggards:

  • Strongest enforcement: United States, India, Australia (all above 55% p=reject among public companies)
  • Mid-tier enforcement: UK, Germany, France, Canada, Netherlands (40 to 55% range)
  • Weakest enforcement: South Korea (10.1%), Japan (25% combined), Thailand (31.3%)

Japan and South Korea are notable outliers given their technical sophistication. Both countries rely heavily on proprietary email infrastructure and have historically been slow to adopt internet standards that require organizational coordination across multiple vendors. The gap has created real security exposure: spoofing attacks targeting Japanese and South Korean brands now rank among the fastest-growing phishing categories tracked by security vendors.

What Enforcement Actually Prevents

The enforcement gap is not academic. DMARC at p=reject stops direct domain spoofing, which is the foundation of the most damaging email attacks:

  • Business Email Compromise (BEC): FBI IC3 2024 data shows $2.77 billion in reported BEC losses across 21,442 complaints. The average BEC incident costs roughly $130,000. Direct domain spoofing is the vector in a significant percentage of these attacks.
  • Brand impersonation phishing: Attackers send credential-harvesting emails using spoofed brand domains. Without DMARC enforcement at the brand side, receiving servers have no cryptographic signal distinguishing legitimate brand mail from attacker-originated spoofs.
  • Supply chain phishing: Attackers spoof vendor domains to target downstream customers with fake invoices or credential requests. A vendor at p=none is effectively letting attackers use their domain identity against their own customer base.

Google reported blocking 265 billion unauthenticated emails in 2024 alone. That volume of spoofing attempts targets the exact domains that have not progressed past p=none.

Pro Tip

If your organization has been at p=none for more than 180 days, treat it as an incident, not a project. Set a hard deadline to reach p=quarantine with pct=25 within 30 days. The gradual pct ramp (25, 50, 75, 100) lets you catch legitimate sending sources that were missed during monitoring while limiting blast radius.

The DMARC to BIMI Pipeline

Enforcement gap aside, the senders who have moved to p=quarantine and p=reject are benefiting from a secondary advantage: BIMI eligibility. BIMI (Brand Indicators for Message Identification) requires DMARC at p=quarantine or p=reject as a prerequisite. Domains that have published BIMI records without meeting the enforcement prerequisite simply do not get their logos displayed by compliant receivers like Gmail, Yahoo, and Apple Mail.

This creates a quiet competitive advantage. A bank at p=reject with a valid BIMI record shows a verified brand logo in the Gmail inbox. A competitor bank at p=none with an identically published BIMI record shows nothing. In high-phishing industries, this visual difference translates measurably into customer trust and reduced successful phishing against customers.

The Path Forward: A Realistic Enforcement Roadmap

Based on the enforcement patterns observed in the data, organizations currently stuck at p=none should follow a structured progression rather than attempting a single large policy change:

  1. Week 1 to 2: Audit current sending sources. Pull 30 days of DMARC aggregate reports and enumerate every IP and sending platform generating traffic. Identify which sources pass SPF, which pass DKIM, and which fail alignment.
  2. Week 3 to 4: Fix alignment gaps. Work with each third-party platform to configure domain-aligned DKIM and add sending sources to SPF (respecting the 10-lookup limit by flattening if necessary).
  3. Week 5 to 6: Move to p=quarantine with pct=25. This applies quarantine to 25% of failing messages, letting you observe real-world impact with limited risk.
  4. Week 7 to 8: Ramp pct to 50, then 100. Continue monitoring reports for any unexpected legitimate sources that appear.
  5. Week 9 to 12: Move to p=reject with pct=25, then ramp to 100. This is the terminal enforcement state and unlocks BIMI eligibility.
  6. Ongoing: Protect subdomains with sp=reject. Explicit subdomain policy prevents attackers from targeting unprotected subdomains once the organizational domain is hardened.
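
Step 1 of the roadmap, enumerating sending sources from aggregate reports and sorting them into aligned, authenticated-but-unaligned, and unauthenticated, as an added Python example. This is not the article's or any vendor's tooling; it assumes a constructed RUA report in the RFC 7489 Appendix C XML layout (the IPs, counts and vendor hostnames are made up) and also estimates how many messages a pct=25 quarantine step would touch.

```python
"""Enumerate sending sources from a DMARC aggregate (RUA) report.

Added example, not the article's or any vendor's tooling. It assumes a
constructed RUA XML in the RFC 7489 Appendix C layout (IPs, counts and
vendor names are made up) and reads it with the standard library parser.
"""
from __future__ import annotations

# For reports pulled from a real mailbox, parse with defusedxml.ElementTree
# (same API) so a hostile report cannot trigger entity-expansion attacks.
import xml.etree.ElementTree as ET

# Constructed report: one aligned corporate MTA, one third-party platform that
# authenticates under its own domain only, and one source that fails outright.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>80</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def _text(node: ET.Element, path: str) -> str:
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def summarize_report(xml_text: str) -> list[dict]:
    """One dict per <record>: source IP, message count, alignment and a triage status."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        # policy_evaluated holds the *aligned* verdicts a receiver used for DMARC.
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        # auth_results holds raw SPF/DKIM; a pass there for a vendor's own domain
        # with no alignment is the third-party pattern the article describes.
        auth = rec.findall("auth_results/*")
        raw_pass = any(_text(a, "result") == "pass" for a in auth)
        if dkim_aligned or spf_aligned:
            status = "aligned"
        elif raw_pass:
            status = "unaligned_third_party"
        else:
            status = "unauthenticated"
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count") or 0),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "auth_domains": [_text(a, "domain") for a in auth],
            "status": status,
        })
    return rows


def sources_to_fix(rows: list[dict]) -> list[str]:
    """IPs that authenticate but do not align: configure domain-aligned DKIM there first."""
    return [r["source_ip"] for r in rows if r["status"] == "unaligned_third_party"]


def failing_messages(rows: list[dict]) -> int:
    """Messages in the report that would be affected once the policy is enforced."""
    return sum(r["count"] for r in rows if r["status"] != "aligned")


def pct_impact(rows: list[dict], pct: int) -> int:
    """Messages quarantined per report period at p=quarantine with the given pct."""
    return failing_messages(rows) * pct // 100


if __name__ == "__main__":
    rows = summarize_report(SAMPLE_REPORT)
    for r in rows:
        print(r["source_ip"], r["count"], r["status"], r["auth_domains"])
    print("fix first:", sources_to_fix(rows))
    print("messages touched at pct=25:", pct_impact(rows, 25))
```

The `unaligned_third_party` rows are the ones that break when the policy moves to quarantine and drive the rollback to p=none that the article describes; resolving them (step 2) before the pct=25 step (step 3) is what keeps the ramp uneventful. The `unauthenticated` rows are what enforcement is meant to stop.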

Did You Know?

The pct tag in DMARC is one of the most underused features in the specification. It applies the policy to only a percentage of failing messages, giving organizations a safe way to test enforcement without full commitment. Most enforcement rollouts should use pct ramping rather than instant cutover from p=none to p=reject at 100%.

What 2027 Looks Like Based on Current Trends

Extrapolating from the 2023 to 2026 adoption curves, several predictions become defensible:

  • Valid DMARC record count will cross 1.25 million by early 2027, driven by continued mailbox provider pressure and the anticipated Microsoft consumer-domain enforcement phases.
  • The p=none population will continue to grow in absolute terms but begin declining as a percentage of DMARC-publishing domains, as enforcement pressure forces progression.
  • BIMI adoption will accelerate sharply among enforcement-compliant senders because it provides user-visible differentiation in a crowded inbox. Current BIMI adoption will roughly double by late 2026.
  • The industry gap between enforcement leaders and laggards will widen, not narrow. Fast-moving industries (banking, tech) will consolidate at enforcement while slower industries (legal, local government, education) fall further behind.
  • Mailbox provider enforcement will expand beyond bulk senders. Expect DMARC requirements to extend to all senders at Gmail and Yahoo by 2027, with Microsoft following in 2028.

Frequently Asked Questions

DMARC adoption varies significantly by sample. Across the top 5.5 million Tranco-ranked domains, 30.4% have valid DMARC records as of early 2026. The Fortune 500 is near-universal at 93.8% to 95% adoption, while the broader corporate long tail sits around 15%. The more meaningful number is enforcement: only 12.8% of the Tranco sample enforce DMARC at p=quarantine or p=reject.

A DMARC policy of p=none instructs receiving servers to take no action when authentication fails. It generates aggregate reports (if RUA is configured) showing authentication results, but it provides no protection against spoofing. Attackers can still send email claiming to be from your domain, and receiving servers will deliver it normally.

Most organizations should stay at p=none for 30 to 90 days, long enough to gather comprehensive aggregate reports covering all legitimate sending patterns. Beyond 90 days, staying at p=none provides diminishing returns and leaves the domain exposed to spoofing. Move to p=quarantine with pct=25 as the next step, then progress from there.

Three factors drive the Fortune 500 lead: dedicated email security teams with budget and headcount, longer lead time to identify and fix third-party sending sources, and direct relationships with enterprise email security vendors. Smaller companies typically have neither the resources nor the vendor access to drive enforcement through to completion, which is why Inc. 5000 and mid-market adoption rates lag significantly.

Yes, a valid DMARC record at any policy level satisfies the Gmail and Yahoo bulk sender requirement introduced in February 2024. However, p=none does not unlock BIMI (brand logo in inbox) eligibility, and it provides no protection against spoofing of your domain. Treat p=none as the starting line for authentication maturity, not the finish line.
