2026 State of DMARC Report: Financial Services

DMARC enforcement in financial services is strong but not yet sufficient. The industry is taking DMARC seriously, but many domains are still exposed.

Key Takeaways

  • Financial services outperforms most industries in DMARC enforcement, but still trails highly protected segments like retail
  • Almost 60% of financial services domains are at DMARC enforcement, a 17-point lead over the global average
  • Enforcement increased 8.5% in 2025
  • More than 18% of domains still lack a valid DMARC record, leaving gaps in coverage

The State of DMARC in 2026: Financial services domains still need to reach widespread enforcement

Protection isn’t optional in this high-stakes, high-trust industry.

Across our 2026 report, a single theme shows up in several industries: Adoption is rising, but enforcement is what actually stops attacks.

The financial services industry reflects that trend. Strong regulatory pressure, combined with the obvious risks around money movement and identity, has pushed this sector ahead of most others.

Compared to the broader ecosystem, fewer organizations are stuck in monitoring mode, and far fewer rely on “checkbox DMARC.”

But the gap hasn’t disappeared. Roughly 40% of financial services domains are still not at enforcement. That means spoofed emails can still reach inboxes — putting customers, accounts, and transactions at risk.

The takeaway: Progress is being made, but the industry hasn’t reached widespread coverage yet.

Enforce DMARC to move from compliance to protection.

Attackers aren’t waiting. Neither should you.

Frequently asked questions

Why is DMARC critical for financial services?

The industry handles sensitive data and financial transactions, making it a constant target for phishing and fraud.

DMARC enforcement blocks unauthenticated emails by sending them to quarantine or rejecting them entirely.

No. This provides visibility, but doesn’t stop attacks. If you’re using p=none, your organization is still exposed.

Move to enforcement. That’s what turns DMARC into real protection.
