The State of
DMARC in 2026
DMARC Growth and Industry Adoption
Table of Contents
Executive summary
Join us as we dive deep into the current state of DMARC adoption across various industries, analyze the effectiveness of different DMARC policies, and underscore why DMARC is a non-negotiable component of any comprehensive cybersecurity strategy in this disinformation age.
This report highlights the critical importance of foundational security practices, particularly Domain-based Message Authentication, Reporting, and Conformance (DMARC), in this challenging landscape. DMARC provides a simple, cost-effective, and highly reliable method to prevent bad actors from sending emails using your email domain. By authenticating the source of emails, DMARC layers on top of inbound protection and helps you address outbound email impersonation, thereby protecting employees, brands, and preventing disinformation campaigns from leveraging trusted domains.
Introduction
DMARC is an email authentication protocol designed to protect domains from unauthorized use in email messages, such as phishing and spoofing. It works by enhancing existing authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), aligning these protocols with the domain in the visible “From” header of email messages. It provides domain owners with reports and monitoring to offer insights into email authentication and usage, enabling better security and deliverability practices.
Why DMARC matters more than ever
In an era marked by AI-driven attacks and widespread disinformation, trust in digital communications is eroding. Malicious actors are increasingly exploiting email to impersonate brands, launch phishing campaigns, and spread false information—often using sophisticated methods made simpler by emerging AI technologies. This environment calls for foundational, secure defenses that can prevent the majority of these malicious attempts from seeing success.
In this report, we’ll help you understand DMARC and why it is so important in the fight against email phishing and spoofing. We’ll also share data on global and industry-specific adoption rates across a dozen different industries, showing how companies and organizations across a spectrum of focus areas are choosing to protect their domains against phishing and spoofing.
DMARC is critical in the
modern email landscape
DMARC is pivotal in securing email communications and protecting against growing threats like phishing, spoofing, and the deliberate spread of disinformation. Here’s why it’s indispensable:
1
Prevents domain spoofing
DMARC ensures that only authorized senders can use your domain to send emails. This protects your brand and customers from phishing attacks that impersonate your organization.
2
Strengthens email authentication
By aligning with SPF and DKIM, DMARC provides an additional layer of verification, ensuring that email headers are legitimate and match the sender’s domain, while allowing domain owners to stand up and say that all mail they send should be properly authenticated.
3
Provides visibility and monitoring
DMARC generates reports that give domain owners insights into who is sending emails on their behalf and how authentication are performing. This transparency helps organizations detect unauthorized use and improve email security.
4
Enhances trust, security, and deliverability
Implementing DMARC signals to email providers that your domain is secure, improving sender reputation, and increasing the likelihood that legitimate emails reach the inbox.
5
Part of a growing mandate
Microsoft, Yahoo, and Google require bulk email senders to implement DMARC. The PCI DSS 4.0 standard includes DMARC, noting it as a “good practice,” and multiple US government agencies, including the National Institute of Standards and Technology (NIST) and U.S. Department of Homeland Security (DHS), have either recommended or mandated that email senders should implement DMARC. Every day, more and more industry oversight groups, standards bodies, and gatekeeping entities are indicating that DMARC is a best practice and should be implemented.
By showcasing how DMARC meets the challenges posed by AI-enabled spoofing and disinformation—and highlighting its growing acceptance as a standard practice—this report aims to underscore why DMARC is an essential line of defense in 2026.
DMARC adoption does not mean DMARC protection
DMARC policies are another area of concern. In many industries, a significant number of companies have implemented a policy of p=none, likely in response to the Microsoft, Yahoo, and Google email sender requirements (Yahoo and Google announced in 2023, Microsoft in 2025), not realizing that while this “checks the box” for delivering mail to mailbox providers, it does nothing to actually protect email domains against malicious, false use.
So, while DMARC adoption rates might appear high, a significant percentage of tracked domains in each segment are still unprotected.
Why DMARC matters in 2026
Throughout 2025, bad actors leveled up. Artificial Intelligence is now part of the phishing and spoofing playbook, where malicious email senders can now use AI-driven automation and personalization to endlessly attempt different and personalized variations on crafting the perfect falsified message to attempt to trick their way past filters and confuse end recipients into handing out sensitive information. These advanced techniques to exploit weaknesses in email systems make DMARC more critical than ever for securing your email domains against misuse.
DMARC combats these threats by preventing the unauthorized use of a domain and ensuring that only legitimate emails are delivered to recipients. No matter how well-crafted malicious content could be, if the sender attempts to spoof your domain, and you reject that attempt with a strong DMARC policy, they’re not getting their attacks through to your inbox (or to others) using your domain.
Because of its importance as part of the security infrastructure, industry, government, and regulatory bodies worldwide are increasingly mandating DMARC compliance for industries handling sensitive data, such as finance and healthcare. Major hosts of email inboxes, like Microsoft, Apple, Google, and Yahoo, now require bulk email senders to implement DMARC, improving deliverability and reputation for compliant organizations. Failing to comply with email authentication and DMARC mandates now results in email messages being relegated to the spam folder, or even worse, being rejected outright.
DMARC is a non-negotiable for organizations combating email fraud, phishing, and spoofing. Its ability to adapt to growing threats, meet regulatory demands, and provide visibility into email ecosystems makes it indispensable. By leveraging DMARC’s robust authentication and reporting capabilities, businesses can safeguard their brand, build trust, and protect their domains.
DMARC’s multi-pronged protection
DMARC protects against email threats, both internal and external.
Internal threats can include unknown senders, misconfigured internal email systems, or even malicious insiders trying to impersonate other users within the organization. By enforcing DMARC policies and aligning SPF and DKIM authentication for outgoing messages, organizations can ensure that even internally generated emails meet strict identity verification requirements. If an attacker tries to spoof an internal sender or use a compromised system to send fraudulent messages, DMARC can flag or reject these emails before they cause damage.
Externally, DMARC is essential in defending against impersonation attacks such as phishing, business email compromise (BEC), and domain spoofing. Threat actors frequently forge the “From” address in emails to appear as though they’re coming from a trusted brand, partner, or vendor. With DMARC in place and set to a policy of “reject,” receiving mail servers can block these unauthenticated attempts outright. This helps prevent malicious messages from ever reaching the inbox.
DMARC landscape
The current DMARC landscape: DMARC adoption in 2025
In 2025, DMARC adoption saw a modest increase across our tracked industry segments. Updated sender requirements from Microsoft came into force in May 2025, and Google stepped up Gmail sender requirement enforcement in November 2025. While a few industries (most notably, Healthcare) showed a boost in DMARC implementation in mid-year, there was no large “hockey stick” style jump in adoption seen globally in response to these updated mailbox provider mandates.
Across our full view of these industry segments, about 42% of domains queried made it to DMARC enforcement (DMARC with a policy of “quarantine” or “reject”) by the end of 2025. Meaning that more than half of the domains we’re watching fail to protect their email domains against phishing and spoofing.
At the start of 2025, about 35% of domains tracked were protected. The seven percentage point growth to 42% (an increase of 20%) by the end of the year is nice to see, but it still leaves a significant area for growth.
Broad adoption data DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
DMARC adoption by industry in 2025
For this research, Valimail compiled a list of thousands of domain names, aligned with specific industries and sectors, covering the following:
Arts and Recreation
This segment focuses on companies related to performing arts, crafts, recreational facilities, and video/computer gaming. Companies listed include IGN, Blizzard, Michaels, the Washington Ballet, and more.
Arts and recreation DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Education and Training
Our Education and Training segment contains domain names of companies and organizations related to education, training, certification, and distance learning. Companies listed include Clever, Blackboard, Pearson, Membean, and more.
Education and Training entered 2025 slightly ahead on DMARC enforcement and continued to build from there. Domains at enforcement rose from 34.90% in January to 40.10% by December, a gain of 5.20 percentage points over the year. In relative terms, that is about 15% growth. Enforcement increased in fits and starts early in the year, then accelerated in the second half, with the sharpest gains occurring between September and November, possibly due to updated sender requirements and enhanced mailbox provider enforcement.
Invalid or missing DMARC fell from 27.99% to 24.40%, a 3.59-point decline. Reporting-only DMARC edged down slightly over the year, ending at 22.78%, while “p=none with no reporting” also declined to 12.71%. Put together, overall DMARC presence increased from about 72.0% at the start of the year to 75.6% by December. Education and Training now has four in ten domains enforcing DMARC, which is meaningfully ahead of many sectors, but, ultimately, still less than half of the domains here are fully protected against phishing and spoofing.
Education and training DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Financial Services
This segment focuses on companies that provide banking services, investment services, insurance services, financial planning, fintech, and related entities. Companies listed here include JPMorgan Chase, Visa, Schwab, Moody's, Navient, and more.
Financial Services outperforms when compared to our broader industry data. By the end of 2025, 59.18% of Financial Services domains were enforcing DMARC, compared to 42.06% across all industries. That represents a gap of more than 17 percentage points, and it is evident elsewhere in the distribution as well. Financial Services has fewer domains stuck in monitoring, fewer stalled at “p=none,” and fewer with no usable DMARC at all.
Financial Services grew DMARC enforcement from 50.59% to 59.18% in 2025, an 8.59-point increase. At the end of the year, just 18.35% of domains remained in the “no or invalid DMARC” category, and only 3.65% stuck at “p=none” with no reporting.
Financial services DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Healthcare
Our healthcare sector includes top companies focused on life sciences, pharmaceuticals, medical devices, health insurance, and care providers. Companies listed include Lilly, AbbVie, Medtronic, HCA Healthcare, ResMed, and more.
Healthcare finished 2025 well ahead of the broader market on DMARC enforcement. Domains at enforcement climbed from 47.78% in January to 57.42% by December, a gain of 9.64 percentage points. That puts Healthcare more than 15 points above the cross-industry enforcement baseline of 42.06% at year’s end. Enforcement increased steadily across the year, with the strongest acceleration beginning in mid-summer and continuing through the fall.
Domains with no or invalid DMARC fell from 19.08% to 15.22%, a nearly four-point reduction. Domains with a policy of “p=none” and no reporting remained consistently low and edged down slightly, ending the year at 4.24%. Reporting-only DMARC declined from 28.71% to 23.12%, which aligns closely with the rise in enforcement and suggests active policy advancement. By the end of 2025, more than three-quarters of Healthcare domains had a valid DMARC record, and the majority of those were enforcing it.
Healthcare DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Higher Education
Our focus area for higher education consists of U.S.-based four-year postsecondary educational institutions. This list includes MIT, Harvard, Yale, Case Western Reserve University, and more.
Higher Education made measurable progress on DMARC in 2025, but it lags behind the broader market on enforcement. Domains at DMARC enforcement increased from 27.38% in January to 33.71% by year’s end, a gain of 6.33 percentage points. That is modestly positive, but it leaves Higher Education more than eight points below the cross-industry enforcement baseline of 42.06%. Where the broad data shows enforcement becoming the dominant state, Higher Education is still split, with enforcement and reporting-only DMARC ending the year at nearly equal levels.
Reporting-only DMARC declined modestly over the year, from 38.00% to 34.16%, with much of that reduction attributed to enforcement. That is the right direction, but the conversion rate is gradual. Domains with a policy of “p=none” and no reporting remained essentially flat, ending at 10.33%, almost identical to the broad market’s 10.76%. Domains with no or invalid DMARC fell from 23.77% to 21.80%.
By the end of 2025, roughly 78% of Higher Education domains had some form of DMARC, but fewer than half of those were enforcing it. The data shows forward motion, but also a sector still working through the transition from awareness and monitoring to consistent, policy-driven enforcement.
Higher education DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Information Technology
Our IT segment consists primarily of domains of technology, systems, cybersecurity, and electronic infrastructure-related companies. Included are companies and brands like WordPress, Dropbox, Slack, Dell, DocuSign, and others.
Reporting-only DMARC remained low and stable, ending the year at 16.06%, well below the broad-market average of 25.23%. Domains with a policy of “p=none” and no reporting were also consistently low at 5.08%, less than half the cross-industry rate. These are signs of technical awareness and early adoption maturity. At the same time, domains with no or invalid DMARC declined only gradually, from 30.08% to 25.81%, and still sit nearly four points higher than the broad market’s 21.95%.
A large share of IT domains are enforcing DMARC and have been for some time, while a stubborn tail of domains remains completely uncovered. Over 2025, gains came more from incremental improvements among already-engaged organizations than from pulling new domains into the DMARC ecosystem. By the end of 2025, roughly three-quarters of IT domains had a valid DMARC record.
Information technology DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Manufacturing
This segment focuses on companies engaged in the mechanical, physical, or chemical transformation of materials, substances, or components into new products. Companies listed include Ford, GM, Whirlpool, Tyson Foods, and more.
Manufacturing and DMARC success go hand-in-hand. This segment ended 2025 far ahead of the broader market on DMARC enforcement and continued to extend that lead throughout the year. Domains at enforcement rose from 57.55% in January to 67.61% by December, a gain of just over 10 percentage points. That puts Manufacturing more than 25 points above the cross-industry enforcement baseline of 42.06%. Enforcement surpassed two-thirds of all tracked domains by year’s end, a level significantly ahead of some other industries that we’ve tracked.
The data reveals a sector that is already deep into the enforcement phase. Reporting-only DMARC declined steadily from 24.35% to 19.92%, tracking closely with the rise in enforcement. Domains with a policy of “p=none” and no reporting are barely even found here, ending the year at just 1.81%, compared to 10.76% across the broader market. Domains with no or invalid DMARC fell from 15.49% to 10.66%, roughly half the cross-industry rate of 21.95%. By December, nearly nine in ten Manufacturing domains had a valid DMARC record, and the overwhelming majority of those were enforcing it.
In contrast to the broader ecosystem, where adoption is still uneven, manufacturing in 2025 looks like a sector that has largely normalized DMARC enforcement as a baseline expectation.
Manufacturing DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Marketing, Consulting, and Services
This includes accounting, advertising, architecture, auditing, consulting, and marketing. Companies listed include Mailchimp, Deloitte, Xero, FreshBooks, and more.
Reporting-only DMARC declined from 24.36% to 21.78%, remaining below the broad-market average of 25.23%. Domains with a policy of “p=none” and no reporting are significantly found in this sector, ending the year at 13.73%, well above the cross-industry rate of 10.76%. Domains with no or invalid DMARC fell from 28.65% to 24.20%, but still exceeded the broad-market baseline of 21.95%.
The net result is a sector that is moving forward, but unevenly, and it lags behind others. By the end of 2025, roughly three-quarters of domains in Marketing, Consulting, and Services had some form of DMARC, but enforcement had not yet become the default.
Marketing, consulting, and services DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Online Retail
This includes stores selling online as well as "bricks and clicks" retailers selling online, as well as other retailers and marketplaces that sell direct-to-consumer. Companies and brands like IKEA, Kohl’s, eBay, Sally Beauty, Cabela, and more.
Online Retail finished 2025 dramatically ahead of the broader market on DMARC enforcement and showed sustained momentum throughout the year. Domains at enforcement increased from 61.28% in January to 72.73% by December, a gain of 11.45 percentage points. That puts Online Retail more than 30 points above the cross-industry enforcement baseline of 42.06%. Enforcement was already the dominant posture at the start of the year and continued to strengthen, with particularly strong gains in the second half. In short, DMARC seems to be well-known and often implemented among online retailers.
Reporting-only DMARC fell from 24.58% to 16.16%, well below the broad-market average of 25.23%, as domains moved decisively into enforcement. Domains with a policy of “p=none” and no reporting were already low in number and declined further, ending at just 2.36% compared to 10.76% across all industries. Domains with no or invalid DMARC dropped from 10.77% to 8.75%, less than half the broad-market rate of 21.95%. By year’s end, more than nine in ten Online Retail domains had a valid DMARC record, and nearly three-quarters were enforcing it.
Compared to the broader ecosystem, where DMARC adoption is still uneven, and enforcement remains optional, Online Retail in 2025 looks like a sector where DMARC enforcement has become table stakes rather than just an aspirational best practice.
Online retail DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Transportation and Logistics
This includes shipping companies, airlines, transit systems, and other companies focused on moving parcels and/or people. Tracked entities include Uber, Expedia, DHL, JetBlue, FedEx, and others.
Transportation and Logistics showed steady, linear progress on DMARC throughout 2025 and finished the year ahead of the broader market on enforcement. Domains at enforcement increased from 42.08% in January to 49.18% by December, a gain of 7.10 percentage points. That places the sector just over seven points above the cross-industry enforcement baseline of 42.06%. Growth was consistent month to month, without sharp spikes.
Reporting-only DMARC declined from 24.18% to 22.02%, ending below the broad-market average of 25.23% as domains continued to move toward enforcement. Domains with a policy of “p=none” and no reporting remained relatively stable and edged up slightly over the year, finishing at 8.74%, still below the cross-industry rate of 10.76%. Domains with no or invalid DMARC fell from 25.72% to 20.06%, a meaningful reduction that brought the sector slightly better than the broad-market baseline of 21.95%.
By the end of 2025, just under 80% of the Transportation and Logistics domains had some form of DMARC, and enforcement had become the largest single category. That said, progress remains incremental. Roughly one in five domains still lacks a valid DMARC record, and a meaningful share remains in monitoring-only states.
Transportation and logistics DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Travel and Hospitality
Our travel and hospitality segment includes top companies for lodging and accommodations, restaurants, and travel. This list includes companies and brands like Marriott, Taco Bell, Spirit Airlines, Carnival Cruise Lines, MGM Resorts, and more.
Travel and Hospitality made steady, incremental progress on DMARC in 2025 and finished the year modestly ahead of the broader market on enforcement. Domains at enforcement rose from 41.46% in January to 49.08% by December, a gain of 7.62 percentage points. That puts the sector about seven points above the cross-industry enforcement baseline of 42.06%. Enforcement increased gradually throughout the year.
Reporting-only DMARC declined from 25.35% to 21.21%, ending below the broad-market average of 25.23% as domains moved into enforcement. Domains with a policy of “p=none and no reporting edged down from 10.94% to 9.76%, roughly in line with the broader ecosystem’s 10.76%. Domains with no or invalid DMARC fell from 22.25% to 19.96%, slightly better than the broad-market rate of 21.95%, but still representing roughly one in five domains.
By the end of 2025, about 80% of Travel and Hospitality domains had some form of DMARC, and enforcement had become the single largest category. However, the pace of conversion is slow, perhaps suggesting ongoing friction.
Travel and hospitality DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
U.S. Government
This segment focuses on domains utilized by various levels of government and government-related entities in the U.S., from local to federal. Tracked entities include the United States Postal Service, the State of Illinois, the Ohio Lottery, the Superior Court of California/Los Angeles, and others.
This U.S.-focused government segment showed steady, incremental progress on DMARC throughout 2025 and finished the year a bit ahead of the broader market on enforcement. Domains at DMARC enforcement increased from 44.70% in January to 50.65% by December, a gain of 5.95 percentage points. That places this segment nearly nine points above the cross-industry enforcement baseline of 42.06%. Growth was gradual, with enforcement advancing in small steps across the year.
Reporting-only DMARC declined from 25.06% to 21.45%, ending well below the cross-industry average of 25.23%, which suggests ongoing conversion from monitoring into enforcement. Domains with a policy of “p=none” and no reporting remained relatively low in this data, finishing at 5.94%, roughly half the broad-market rate of 10.76%. Domains with no or invalid DMARC decreased from 24.55% to 21.96%, essentially matching the cross-industry baseline of 21.95% by year-end.
This is not a purely federal snapshot, but a mix of federal, state, local, and quasi-governmental entities, including organizations like state agencies, courts, and public authorities. By the end of 2025, enforcement had become the single largest DMARC posture across these entities, but roughly one in five domains still lacked a valid DMARC record.
U.S. Government DMARC quick view (End of 2025):
DMARC AT ENFORCEMENT
DMARC WITH REPORTING, BUT NOT AT ENFORCEMENT
DMARC WITH POLICY OF “NONE” AND NO REPORTING
INVALID OR MISSING DMARC RECORD
Are you protected?
Look up your domain using our Valimail Domain Checker to learn more about your current email authentication settings
Challenges to DMARC adoption
DMARC is critical for combating email spoofing and phishing attacks. However, implementing it can feel daunting for many organizations. Let’s break down the key challenges to DMARC adoption and how to tackle them.
Tackling technical complexity
The technical side of DMARC implementation can seem very scary. To get DMARC up and running, you need to configure SPF and DKIM. Both require editing DNS records—a process that feels like a tightrope. One small error and your legitimate emails might bounce or disappear.
Things get more complicated if your organization uses third-party email services—think marketing platforms, CRMs, or ticketing systems. You need full awareness of all sending services that are meant to be allowed to send email messages on your organization’s behalf.
Failure to identify and properly configure email authentication for one or more email services while implementing DMARC can impede proper email delivery.
And how permissive are those authentication settings? Things like SPF records with multiple “includes” containing wide swaths of IP addresses can allow for an exceedingly broad authorization to send mail on your behalf can lead you to wonder: Are you really appropriately protected?
Fighting the awareness gap
A big part of the problem is that many organizations don’t know what DMARC is or why it matters. There’s a common belief that other security measures, like firewalls or antivirus software, are enough to stop phishing. Unfortunately, that’s just not true. Email is one of the weakest links in most organizations’ security. Phishing and spoofing attacks are no joke, and DMARC is your best bet to keep your domain safe.
These challenges are real, but they’re manageable with the right approach. Take it one step at a time: understand the technical requirements, educate your team, and work with your third-party senders to ensure everything is in sync. By investing in DMARC, you’re investing in the security and reputation of your organization’s email communications.
BIMI: The DMARC inbox boost
Once you’ve achieved full DMARC protection for your email domain, it’s time to take it to the next level, enhancing your brand’s email presence with BIMI (Brand Indicators for Message Identification). BIMI allows your brand or company logo to appear alongside authenticated emails in supported inboxes, providing visual trust that helps recipients quickly recognize and trust your messages.
BIMI is a powerful security and marketing tool that reinforces your brand’s legitimacy while showing that your domain is protected against spoofing and phishing attacks.
BIMI logos are supported by Gmail, Yahoo Mail, Apple’s iCloud, and other mailbox providers. Want to learn more about BIMI? Reach out to us to request a demo of Valimail Amplify today.
Conclusion
Use this data to help inform the process as you move to implement DMARC fully and properly. Many companies have implemented DMARC to date, knowing that no matter what industry you’re in, email security isn’t optional; it’s essential. Phishing and email spoofing aren’t just problems for big tech companies or financial institutions; they affect every organization that uses email. Attackers are constantly looking for weak spots, and if your domain isn’t protected with DMARC, you’re giving them an open invitation to impersonate your brand and trick your customers, partners, and employees.
Implementing DMARC, along with SPF and DKIM, helps ensure that only authorized senders can use your domain, stopping impersonation attacks before they reach inboxes. Cybersecurity isn’t just about firewalls and endpoint protection—email authentication is a critical layer of defense. If you haven’t deployed DMARC yet, now is the time.
Protect your domain, your reputation, and the people who rely on your email.
Notes on methodology
Rankings for determining the top companies or organizations in various industries are based on a multitude of factors, including web traffic, ARR (annual rate of revenue), market capitalization, number of customers, and other data. Not all industries can be ranked in the same fashion.
DMARC policies were queried at each domain’s top (“org”) level.
When we say a domain is “at enforcement,” we are indicating that a domain’s DMARC policy is quarantine or reject, and that it does not have a subdomain policy of none.
DMARC data for this report was most recently queried in January 2026.
About the author
Al Iverson has been helping email senders and IT administrators properly implement email authentication, DMARC, and other best practices for a very long time. As a long-time deliverability expert with deep experience related to email technology and email marketing best practices, Al has published the email deliverability-focused blog Spam Resource since 2001 and managed all things deliverability for a well-known Marketing Cloud platform for fifteen years.
As Valimail’s Industry Research and Community Engagement Lead, he monitors email authentication trends, analyzes evolving email deliverability and protection requirements, advocates for best practices, and connects and builds relationships and communities online and in person to educate businesses, IT professionals, and marketers on why email authentication and domain protection are so important.
In the preparation of this report, Al was gratefully assisted by Trevor Boardman, Alyssa Harmon, Katie Knowlton, Warren Duff, Wendy Bloechle, Mary Lawler, and the entire Valimail marketing team.