by Meysam Azad

A DMARC record is not the same as DMARC protection. The DMARC adoption rate across the web has climbed past 30%, yet most of those records do nothing to stop spoofed mail — they only watch it. That single distinction is the whole story of the 2026 enforcement gap.

We measured it ourselves. In February 2026, DMARCguard scanned all 5,499,028 domains on the Tranco Top Sites list and parsed every published email-authentication record per RFC 7489. The result is our 2026 email authentication adoption study: a reproducible, ungated snapshot of where DMARC (RFC 7489) really stands. Adoption means a record exists; enforcement means a policy of p=quarantine or p=reject. Those two numbers are not close.

This post walks the five numbers that define the 2026 state of DMARC, explains why the gap persists, shows how our figures compare to every other published study, and lays out how to close the gap on your own domain.

How many domains use DMARC? The 2026 state of DMARC in five numbers

30.4% of domains have a DMARC record and 12.8% enforce it. That is the headline of the 2026 state of DMARC: adoption is rising, but most records sit at p=none, which monitors without protecting.

Key finding

30.4% of 5.5 million domains have a DMARC record (1,670,975 domains)

Source: DMARCguard email authentication study, February 2026

We built our own scanner against the full Tranco 5.5M list — that is how we know the answer is 30.4% and not a vendor round-up. Here are the five numbers that define the 2026 DMARC adoption statistics, every figure measured first-party:

| Metric | Count | % of all domains |
|---|---|---|
| Has DMARC record | 1,670,975 | 30.4% |
| Policy p=none | 967,474 | 17.6% |
| Policy p=quarantine | 374,041 | 6.8% |
| Policy p=reject | 327,959 | 6.0% |
| Has RUA reporting | 894,057 | 16.3% |

DMARC record and policy distribution across 5,499,028 domains. Source: DMARCguard scan, February 2026.

The gap is right there in the table: of the 30.4% with a record, 17.6 percentage points sit at p=none, which gives visibility without protection. Put another way, 57.9% of all domains that publish DMARC never move past monitoring. RUA aggregate reporting (the rua= tag that pulls daily authentication data back from receivers) reaches just 16.3% of all domains, so most operators are flying without instruments.

Our method: we sampled the complete Tranco ranking — a manipulation-hardened research frame established by Le Pochat et al. (NDSS 2019) — and ran live DNS lookups, parsing each record against RFC 7489. Full methodology, limitations, and the downloadable CSV and JSON live on the research page.
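The adoption-versus-enforcement split can be reproduced on any set of TXT answers. The sketch below is an added example, not DMARCguard's scanner: it applies the RFC 7489 section 6.6.3 discovery rules to the strings returned for `_dmarc.<domain>` and tallies the metrics this post reports. The function names and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Return {'policy', 'rua', 'enforced'} or None when no usable record exists."""
    # RFC 7489 6.6.3: keep only records that start with v=DMARC1; anything
    # other than exactly one such record means no DMARC policy is discovered.
    records = [p for p in map(parse_tags, txt_records)
               if p and p[0] == ("v", "DMARC1")]
    if len(records) != 1:
        return None
    tags = dict(reversed(records[0]))  # first occurrence of a tag wins
    policy = tags.get("p", "").lower()
    rua = any(u.strip().lower().startswith("mailto:")
              for u in tags.get("rua", "").split(","))
    if policy not in VALID_POLICIES:
        if not rua:
            return None
        policy = "none"  # 6.6.3: invalid p plus a valid rua is treated as p=none
    return {"policy": policy, "rua": rua, "enforced": policy != "none"}

def tally(domains):
    """Count record, per-policy, rua and enforced totals over {domain: [TXT, ...]}."""
    out = {"record": 0, "none": 0, "quarantine": 0, "reject": 0, "rua": 0, "enforced": 0}
    for txt_records in domains.values():
        result = classify(txt_records)
        if result:
            out["record"] += 1
            out[result["policy"]] += 1
            out["rua"] += result["rua"]
            out["enforced"] += result["enforced"]
    return out

SAMPLE = {  # constructed records, not data from the scan
    "a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=reject"],
    "c.example": ["v=spf1 -all"],  # SPF text is not a DMARC record
    "d.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=none"],  # two records
    "e.example": ["v=DMARC1; p=monitor; rua=mailto:r@e.example"],  # invalid p
}
print(tally(SAMPLE))
```

Two of the five sample domains show why parsing rules matter for the headline number: a domain that publishes two DMARC records counts as having none, and an invalid `p` value with a usable `rua` falls back to monitoring.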

Why 30.4% adoption only translates to 12.8% enforcement

The enforcement gap exists because the three giant mailbox providers — Google, Yahoo, and Microsoft — require only a p=none record, and the industry’s own deployment playbook tells operators to start and dwell at p=none. Publishing a record keeps mail flowing; nothing forces the next step.

The DMARC enforcement rate lagging adoption is a structural outcome, not negligence. The bulk-sender mandates that drove the adoption surge all accept a monitoring-only record. Google’s sender guidelines state plainly that “your DMARC enforcement policy can be set to none”; Yahoo requires a valid policy with “at least p=none”; Microsoft’s high-volume requirements ask for “At least p=none”. None require enforcement. A record checks the box; quarantine and reject do not.

Monitor-first is also by design. The DMARCbis draft explains operators should start at p=none “to ensure that nothing’s been missed in the initial SPF and DKIM deployments,” and the UK NCSC notes most organizations “report being able to move on from a DMARC policy of ‘none’ after about 6 to 8 weeks.” p=none is meant to be a transitional state.

What turns temporary into permanent is operational friction: third-party sender sprawl, SPF’s hard 10-lookup limit, forwarding and mailing-list breakage, and aggregate reports that arrive as unreadable raw XML. Valimail quantifies the stall from its own telemetry — about “6.4 million, or 11.2%” of the domains it tracks “are managing DMARC on their own but haven’t started enforcing it yet.” As Seth Blank, Valimail’s CTO and chair of the IETF DMARC working group, put it to Dark Reading in October 2024: “There’s still a large part of this market that has not moved, hasn’t taken any steps, even this bare minimum that we’re seeing here.”

Only 6.0% of domains use p=reject. Here is why that matters

Only 6.0% of scanned domains publish p=reject, the strictest DMARC policy (327,959 of 5,499,028). p=reject is the policy that actually instructs receiving servers to drop unauthenticated mail spoofing your exact domain.

Key finding

6.0% of domains publish p=reject — 327,959 of 5,499,028

Source: DMARCguard email authentication study, February 2026

What enforcement buys is stated plainly by the agencies that mandate it. CISA’s Binding Operational Directive 18-01 says “setting a DMARC policy of ‘reject’ provides the strongest protection against spoofed email”, and the UK NCSC calls a reject policy “the best way to prevent spoofing of your email.”

The losses behind that one door are large, but worth stating soberly. The FBI’s 2025 Internet Crime Report recorded $3.05 billion in reported Business Email Compromise losses across 24,768 complaints, and phishing/spoofing was the single most-reported crime type at 191,561 complaints. Verizon’s 2025 Data Breach Investigations Report ranks phishing the #3 initial-access vector at 16%. Email is where attackers knock; enforcement closes one specific door.

If you do not know whether your domain sits at none, quarantine, or reject, check your domain’s DMARC policy — it takes one lookup, no signup.

Our 30.4% vs Valimail, Red Sift, EasyDMARC, Cloudflare: why the numbers diverge

Published DMARC adoption figures range from about 15% to 95% — not because anyone is wrong, but because they sample different populations, define “adoption” differently, and scan on different dates. DMARCguard’s 30.4% record / 12.8% enforcement across 5.5M Tranco domains sits where a broad, random-ish web crawl should: above whole-internet crawls, below well-resourced corporate cohorts.

This is the heart of the DMARC compliance rate confusion — “compliance,” “adoption,” and “enforcement” get used interchangeably when they measure three different things. The table below puts each study next to its own frame:

| Study | Population / frame | Sample | "Adoption" | Enforcement | Date |
|---|---|---|---|---|---|
| DMARCguard (ours) | Tranco-ranked web population | 5,499,028 | 30.4% record | 12.8% (quarantine + reject) | Feb 2026 |
| Valimail | Vendor-tracked / customer telemetry | 7.2M+ tracked | 78% record | 42% (quarantine or reject) | Feb 2026 |
| Red Sift | Broad web crawl (apex domains) | 73.3M | 14.9% (≥ p=none) | 2.5% (p=reject) | Dec 2025 |
| EasyDMARC | Top 1.8M by traffic | 1.8M | 52.1% (valid record) | 411,935 domains (q + reject) | ~Mar 2026 |
| Cloudflare Radar | Messages processed (in-transit) | message flow | 88.99% pass rate | n/a — not a record measure | Q1 2026 |

DMARC adoption studies by sampling frame, definition, and date. DMARCguard figures: February 2026 scan. External figures carry publisher and date.

External sources, in order: Valimail 2026 DMARC Report, Red Sift’s Guide to Global DMARC Adoption, EasyDMARC 2026 Adoption Report, and Cloudflare Radar Email Security.

Held against the two studies that share our broad-population frame — Red Sift (14.9% record across 73.3M domains; 2.5% at p=reject) and Fortra (3.9% p=reject across the top 10 million) — our 30.4% is plausibly higher because the Tranco list skews toward active, ranked sites rather than the full registered-domain long tail. That is the like-for-like comparison; we state it explicitly rather than claim a single “true” internet rate.

The corporate cohorts run far higher: EasyDMARC puts Fortune 500 adoption at 95% and Red Sift puts the S&P 500 around 81%. Well-resourced cohorts adopt at 2–3x the broad-population rate — that illustrates the gap; it is not a competing global figure. (Older cohort data is best flagged: Proofpoint’s Forbes Global 2000 cut at 73% record / 31% reject dates to roughly January 2024, now more than 24 months old.)

We defend the Tranco frame for one reason: it is reproducible and manipulation-hardened (Le Pochat et al., NDSS 2019, with 350+ research citations), where single commercial lists are unstable. And the dataset behind our 30.4% is ungated — downloadable as CSV and JSON — making it the largest reproducible broad-population sample you can audit on the SERP.

The data competitors miss: SPF, DKIM, and the near-zero advanced protocols

No competitor breaks out the advanced protocols alongside DMARC. Our scan does: SPF 56.0%, DKIM 22.7%, MTA-STS 0.3%, BIMI 0.4%, and DANE at 0.0% — 30 domains out of 5.5 million. 40.8% of domains have no email authentication at all.

Key finding

40.8% of domains have no email authentication whatsoever (2,243,877 domains)

Source: DMARCguard email authentication study, February 2026

This is the largest data moat in the study — none of the contrasted reports surface the full protocol stack. Here is the layer beneath DMARC, with each protocol’s first-mention RFC. To understand the mechanics behind these records, see our explainer on how DMARC works.

| Protocol | Adoption | RFC |
|---|---|---|
| SPF (RFC 7208) | 56.0% (3,077,219) | 7208 |
| DKIM (RFC 6376) | 22.7% (1,249,750) | 6376 |
| MTA-STS (RFC 8461) | 0.3% (15,997) | 8461 |
| BIMI | 0.4% (20,518) | |
| DANE (RFC 6698/7672) | 0.0% (30) | 6698 / 7672 |

Adoption of every email-authentication protocol across 5,499,028 domains. Source: DMARCguard scan, February 2026.

SPF is the most-adopted protocol but also the most fragile at scale: 4.8% of SPF-enabled domains (148,655 of 3,077,219) exceed the RFC 7208 10-lookup limit, triggering PermError. That failure mode is exactly what stalls teams short of DMARC enforcement — our SPF supply-chain analysis traces which providers push domains over the line. At the other end, the advanced transport and brand protocols are effectively unused: MTA-STS, BIMI, and DANE never clear 0.4% of the population.
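To see how a domain crosses the 10-lookup limit without any single record looking excessive, the added example below (not code from the study) counts DNS-querying terms recursively through `include` and `redirect`. It is a static worst-case count that assumes no mechanism matches early, and it reads from an inline, constructed zone with hypothetical provider names instead of live DNS.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9]*)(?:([:=/])(.*))?$")

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record.

    zone maps a name to its SPF TXT string and stands in for live DNS.
    """
    if domain in path or domain not in zone:  # include loop or no record
        return 0
    total = 0
    for term in zone[domain].lower().split()[1:]:  # skip the v=spf1 token
        match = TERM.match(term)
        if not match:
            continue
        mech, sep, arg = match.groups()
        if (mech, sep) in (("include", ":"), ("redirect", "=")):
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all cost nothing
    return total

def check(domain, zone):
    """Return (lookup count, 'permerror' if over the limit else 'ok')."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")

ZONE = {  # constructed records for hypothetical senders
    "shop.example": "v=spf1 mx include:_spf.mailer.example "
                    "include:_spf.crm.example include:_spf.desk.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example exists:%{i}.crm.example ptr ~all",
    "_spf.desk.example": "v=spf1 ip4:198.51.100.0/24 redirect=_spf2.desk.example",
    "_spf2.desk.example": "v=spf1 ip6:2001:db8::/32 -all",
    "small.example": "v=spf1 include:_spf.desk.example -all",
}

for name in ("shop.example", "small.example"):
    print(name, check(name, ZONE))
```

The top-level record for `shop.example` has only four DNS-querying terms, yet the nested provider records bring the total to 12.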

The sector cut sharpens the picture. Regulated populations adopt far above the web at large: .gov domains reach 76.4% DMARC adoption and .edu reach 84.0%, against the 30.4% internet baseline — the clearest evidence that mandates and institutional IT governance move the needle. (Both sector figures appear in the published research study.)

How to close the gap on your own domain

Closing the enforcement gap means moving from p=none to p=quarantine to p=reject — after you have confirmed every legitimate sender is SPF- or DKIM-aligned. The order is: monitor, align, then enforce.

  1. Publish p=none plus a rua= tag and collect reports. Most domains are already here — this is the 17.6% parked at monitoring.
  2. Use the aggregate reports to find every sending source, then align SPF or DKIM for each. This is the work that takes weeks, not minutes.
  3. Move to p=quarantine and watch for legitimate-mail failures before tightening further.
  4. Move to p=reject once every aligned source is stable.

The regulatory pressure to finish this is rising for EU entities: NIS2 transposition is rolling out across the EU now, with Germany’s law in force since 6 December 2025 — see our breakdown of NIS2 email security requirements. (There is no pan-EU June 2026 deadline; the directive itself names no specific protocol.)

If your domain is stuck at monitoring, our move off p=none planner maps the exact next step from your current record.

Frequently Asked Questions

How many domains use DMARC?

30.4% of domains use DMARC — 1,670,975 of 5,499,028 Tranco-listed domains in DMARCguard’s February 2026 scan have a DMARC record. But only 12.8% (702,000 domains) reach an enforcement policy of p=quarantine or p=reject; the rest sit at p=none, which monitors without protecting.

What is the DMARC enforcement gap?

The DMARC enforcement gap is the difference between domains that publish a DMARC record and domains that actually enforce it. In DMARCguard’s 2026 scan, 30.4% adopted DMARC but only 12.8% enforced — a 17.6-point gap of domains parked at p=none, where DMARC reports but blocks nothing.

What percentage of domains use p=reject?

6.0% of scanned domains use p=reject — 327,959 of 5,499,028 (DMARCguard, February 2026). p=reject is the strictest DMARC policy and the only one that instructs receivers to drop unauthenticated mail spoofing your exact domain. Another 6.8% use p=quarantine.

Why do most domains stay at p=none?

Most domains stay at p=none because Google, Yahoo, and Microsoft bulk-sender rules require only a p=none record, and the standard deployment playbook says to start there. Reaching enforcement requires aligning every third-party sender first — operational work that stalls under-resourced teams.

Does DMARC stop all email spoofing?

No. DMARC at p=reject stops exact-domain impersonation — mail forging your real domain in the From header. It does not stop look-alike or “cousin” domains (e.g., examp1e.com), which an attacker legitimately controls and can authenticate. DMARC is necessary but not sufficient.

How does DMARCguard’s adoption figure compare to other studies?

Published DMARC adoption ranges from about 15% (Red Sift, 73.3M domains) to 95% (EasyDMARC, Fortune 500). The numbers diverge by sampling frame, definition, and date — not by error. DMARCguard’s 30.4% across 5.5M Tranco domains is a broad-population figure, between whole-internet crawls and corporate cohorts.

Where to go from here

The 2026 state of DMARC comes down to five numbers from our scan:

  • 30.4% of 5.5 million domains publish a DMARC record — the headline DMARC adoption rate.
  • 12.8% enforce with p=quarantine or p=reject; only 6.0% reach the strictest p=reject.
  • 17.6 points of adoption sit idle at p=none, and 40.8% of all domains have no email authentication at all.

The gap is a measurement of how the ecosystem built the on-ramp — mandates that accept a record, a playbook that starts at monitoring — not of negligence. And enforcement, once you reach it, protects your exact domain, not look-alikes. Know that scope, then close the gap deliberately.

For the full 2026 study, with downloadable data, read our complete email authentication adoption study.