- Video
2026 State of DMARC Report: Travel and Hospitality
Booking confirmations and itinerary updates drive customer experience, making DMARC enforcement essential.
Key Takeaways
- Almost of half of travel and hospitality domains are at DMARC enforcement, about 7 points above the global average
- Enforcement grew steadily in 2025, rising ~7.6 points year over year
- More than 30% of domains aren’t enforcing DMARC, leaving room for spoofing
- Nearly 1 in 5 domains has no valid DMARC record
- High-value transactions and loyalty accounts make this sector a frequent target for attackers
The State of DMARC in 2026: Travel and Hospitality Is Only Halfway There
In travel and hospitality, a single spoofed email can turn into a real-world disruption.
Travel and hospitality runs on coordinated, time-sensitive communication. Confirmations, updates, and reminders often guide decisions in real time.
That creates a different kind of email exposure. When a message looks like a legitimate itinerary change or reservation update, people don’t pause to verify it. They respond, click, or enter their information. And that’s exactly what attackers are counting on.
Our 2026 report shows that travel and hospitality is making steady progress: More domains are reaching enforcement, and DMARC is becoming a more common baseline.
But progress and protection rely on consistency and full coverage. As long as a meaningful number of domains remain in monitoring mode or lack valid DMARC, attackers have room to operate.
And in this environment, even small gaps can lead to financial loss, account compromise, or damaged customer trust.
Moving from adoption to enforcement is what turns expected communication into secure communication for the travel and hospitality industry.
“These are high-trust, high-action emails that people rely on.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“Enforcement in travel and hospitality is growing steadily, but isn’t yet the default.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
“If you’re not at quarantine or reject, spoofed messages can still get through.”
Al Iverson
Industry Research and Community Engagement Lead at Valimail
Protect Your Domain, Customers, and Reputation
Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.
Explore all Valimail
has to offer
Enforce DMARC to move from compliance to protection.
Attackers aren’t waiting. Neither should you.
Frequently asked questions
Why is travel and hospitality a target for phishing?
Travel emails involve bookings, payments, and loyalty accounts, making them valuable for attackers to impersonate.
What does DMARC enforcement do?
It blocks unauthenticated emails by quarantining or rejecting them before they reach customers.
Is monitoring (p=none) enough?
What should travel and hospitality organizations do next?
Move to DMARC enforcement to fully protect customer communications and brand trust.