- Video
State of DMARC 2026: DMARC adoption is rising
Adoption is up, but fewer than half of the domains are actually protected. See where your organization stands in The State of DMARC in 2026.
Key Takeaways
- Only 42% of domains are using quarantine or reject settings, which are the only ones that actually stop spoofing
- 25% of domains have DMARC without enforcement — leaving them exposed despite checking the compliance box — and 22% still have no valid DMARC record whatsoever
- AI is accelerating phishing and spoofing attacks and making enforcement more critical than ever — Valimail blocked 2.53 billion suspicious emails in the past year alone
- Mandates from Google, Microsoft, Yahoo, and regulatory bodies mean that DMARC is no longer optional
The State of DMARC in 2026: A Gap Between Adoption and Protection
Staying compliant isn’t the same as staying protected.
DMARC adoption continues to grow across industries, but the story isn’t that simple.
Across the 12 industries we analyzed in our report, we found that organizations are increasingly publishing DMARC records. That’s progress. But a significant portion of these organizations still stop short of enforcement, which means they’re simply monitoring threats instead of blocking them.
The gap between adoption and enforcement is a risk for organizations, and an opportunity for phishers and spoofers. Staying compliant isn’t the same as staying protected.
As AI-driven attacks increase, mailbox providers and regulators like Google, Microsoft, and Yahoo have raised the bar. Bulk sender requirements and frameworks like PCI DSS 4.0 have pushed DMARC into the mainstream.
What this means for you: DMARC is no longer optional. Implementing a quarantine or reject policy is the crucial next step to safeguard your organization.
“Attackers have evolved. With AI, they can generate highly convincing phishing emails at scale, targeting your customers, employees, and partners.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“DMARC helps defend against this by ensuring only legitimate, authenticated emails can use your domain. But there’s a catch: A DMARC policy of none doesn’t stop attacks — it only monitors them.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“True protection starts at enforcement, meaning a quarantine or reject setting. That’s when spoofed emails get blocked instead of delivered.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“Right now, too many organizations are stuck in the middle — technically compliant, but still vulnerable.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
Related 2026 DMARC report videos
Protect Your Domain, Customers, and Reputation
Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.
Explore all Valimail
has to offer
Enforce DMARC to move from compliance to protection.
Attackers aren’t waiting. Neither should you.
Frequently asked questions
What is DMARC enforcement?
Enforcement means setting your DMARC policy to quarantine or reject so unauthenticated emails don’t reach inboxes.
Why is DMARC more important now?
DMARC is more important now because AI-driven attacks are more sophisticated and scalable, increasing the risk of domain impersonation.
Will enforcing DMARC disrupt my email?
Not if done correctly. With the right approach, you can move to enforcement safely and confidently.
Is a DMARC record with p=none enough?
No. It helps you monitor activity, but it doesn’t stop spoofing or phishing attacks.