- Video
2026 State of DMARC Report: US Government
Public-facing emails from government orgs carry real authority, which makes consistent enforcement essential.
Key Takeaways
- About half of U.S. government domains are at DMARC enforcement, nearly 9 points above the global average
- Enforcement grew ~6 points in 2025 and less than 6% of domains sit at p=none, signaling movement beyond basic adoption
- Nearly 22% of U.S. government domains still lack valid DMARC, creating gaps in coverage
- A distributed ecosystem makes consistency harder — but no less important
The State of DMARC in 2026: Consistency Challenges Are Hampering Protection for U.S. Government Orgs
Thousands of government orgs share one thing in common: the public’s trust in their emails.
Government email isn’t centralized. It spans federal agencies, state offices, local municipalities, courts, and public authorities — all operating with different systems, resources, and timelines.
That structure explains a lot of what the data in our 2026 report shows. Progress is real — enforcement is now the largest category, and fewer U.S. government organizations are stuck at the earliest stages of DMARC adoption. Many have taken meaningful steps toward protecting their domains.
But consistency is the challenge. When a portion of domains remain in monitoring mode — or don’t have valid DMARC at all — it creates uneven protection across the ecosystem. And attackers don’t need uniform weakness. They just look for the gaps.
In this sector, those gaps carry weight. Messages tied to taxes, benefits, legal notices, or public safety are rarely questioned. People trust them, and act on them.
That’s what makes DMARC coverage just as important as progress for government domains. Protection needs to extend across the entire environment to match the level of trust these communications carry.
“Communications from government agencies are messages people trust, and that makes them a prime target.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“Enforcement is now the largest category in this segment.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“This is a distributed ecosystem, which makes consistent email security that much harder.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“When it comes to DMARC, adoption does not equal protection.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
Protect Your Domain, Customers, and Reputation
Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.
Explore all Valimail
has to offer
Enforce DMARC to move from compliance to protection.
Attackers aren’t waiting. Neither should you.
Frequently asked questions
Why is DMARC important for government organizations?
Government emails often involve legal, financial, or public safety information, making them high-value targets for impersonation.
What does DMARC enforcement do?
It blocks unauthenticated emails by quarantining or rejecting them before they reach recipients.
Is adoption enough to stay protected?
Why is consistency in email security such a challenge for government agencies?
Government entities operate independently across federal, state, and local levels, often with different systems and resources.
What’s the next step for U.S. government agencies?
Move to enforcement and ensure coverage across all domains to better protect public trust at scale.