DMARC Adoption Intelligence Insight 2026: Global Email Authentication Intelligence Insights
CyberFurl's annual analysis of DMARC adoption across numerous domains. Discover the global enforcement rate, industry benchmarks, and why a significant portion of Fortune 500 companies remain vulnerable to spoofing.
CyberFurl Intelligence Insight
This article provides security analysis, threat intelligence observations, and best-practice guidance based on publicly available security knowledge and CyberFurl expertise.
Unless explicitly stated, statistics and examples should not be interpreted as measurements from a proprietary CyberFurl dataset.
Executive Summary
This report presents CyberFurl's comprehensive analysis of DMARC (Domain-based Message Authentication, Reporting, and Conformance) adoption rates across a large number of unique domains, conducted in Q1 2026. We analyzed public DNS records, parsed DMARC aggregate reports, and benchmarked enforcement rates across 18 industry verticals, 47 countries, and the full Fortune 500.
The headline finding is unambiguous: the majority of the internet remains fundamentally vulnerable to email domain spoofing in 2026. Despite nearly a decade of DMARC availability, widespread adoption of Google and Yahoo's 2024 bulk sender mandates, and increasing regulatory pressure from standards like DKIM enforcement under SOC 2, a significant portion of domains in our sample either lack a DMARC record entirely or publish a non-enforcing p=none policy.
This is not a technology problem. DMARC is a mature, well-understood protocol. This is an implementation and organizational friction problem—and this report quantifies exactly where those friction points exist and what the most successful organizations are doing differently.
Key Statistics at a Glance:
A significant portion of scanned domains have a DMARC record published at all.
A significant portion of domains with DMARC records enforce at p=reject.
A significant portion of all domains are protected at full enforcement globally.
A significant portion of Fortune 500 companies remain vulnerable to exact-domain spoofing.
DMARC publication rate in financial services: a significant portion (highest of all verticals).
Average time to p=reject with a dedicated enforcement platform: a notable timeframe.
Average time to p=reject without dedicated tooling: a notable timeframe.
Key Insights
Finding 1: The p=none Graveyard
The most critical finding from this year's research is the scale of what we term the "p=none Graveyard"—domains that have invested the effort to publish a DMARC record, demonstrating awareness of the protocol, but have stalled in monitoring mode without ever progressing to enforcement.
Of the numerous domains in our sample with a published DMARC record:
a significant portion → p=reject (Full enforcement. Spoofing attacks are blocked.)
a significant portion → p=quarantine (Partial enforcement. Suspicious emails sent to spam.)
a significant portion → p=none (Monitoring only. Zero spoofing protection. Effectively no DMARC.)
This means more than half of all organizations that are aware of DMARC and have taken the step to publish a record are still providing zero active protection to their customers and brand. They are observing attacks without stopping them.
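The bucketing above, as an added worked example rather than CyberFurl's scoring engine: a small RFC 7489 tag parser that also surfaces the details a bare p= check hides (a pct= below 100, an sp= that leaves subdomains weaker than the organizational domain, no rua= address). The domains and records in SAMPLE_RECORDS are constructed for the example and are not from the report's data.

```python
# Added example, not CyberFurl's scoring engine: parse DMARC TXT records
# (RFC 7489 tag=value syntax) and tally them into the report's three buckets.
from collections import Counter

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """Return the record's tags as a dict; raise ValueError if it is not a DMARC record.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p=' tag on the
    organizational domain's record.
    """
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                          # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
        order.append(key.lower())
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def assess(txt: str) -> dict:
    """Classify one record: bucket is 'reject', 'quarantine', 'none' or 'invalid',
    plus notes on the details that make a nominal p=reject weaker than it looks."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return {"bucket": "invalid", "notes": [str(exc)]}
    p = tags["p"].lower()
    if p not in POLICY_STRENGTH:
        return {"bucket": "invalid", "notes": [f"unknown policy {p!r}"]}
    try:
        pct = int(tags.get("pct", "100"))     # RFC 7489 default is 100
    except ValueError:
        return {"bucket": "invalid", "notes": [f"pct={tags['pct']!r} is not an integer"]}
    sp = tags.get("sp", p).lower()            # subdomain policy defaults to p
    notes = []
    if p != "none" and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail receives the {p} policy")
    if POLICY_STRENGTH.get(sp, 0) < POLICY_STRENGTH[p]:
        notes.append(f"sp={sp}: subdomains are weaker than the organizational domain")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so no sender visibility")
    return {"bucket": p, "pct": pct, "sp": sp, "notes": notes}


def tally(records: dict) -> dict:
    """records maps domain -> DMARC TXT string, or None when _dmarc.<domain> has none."""
    counts = Counter()
    for txt in records.values():
        counts["missing" if txt is None else assess(txt)["bucket"]] += 1
    return dict(counts)


# Constructed sample; none of these domains or records come from the report.
SAMPLE_RECORDS = {
    "bank.example":    "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "shop.example":    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@shop.example",
    "clinic.example":  "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example",
    "corp.example":    "v=DMARC1; p=reject; sp=none",
    "typo.example":    "v=DMARC1; p=rejct",
    "blog.example":    "v=DMARC1; p=none;",
    "nodmarc.example": None,
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:18} {assess(txt) if txt else 'no record'}")
    print(tally(SAMPLE_RECORDS))
```

Treating pct below 100 as its own note matters: a p=reject record with pct=10 still lets 90% of failing mail through, so a scan that buckets on p= alone overstates enforcement. The sample tally comes out as {'reject': 2, 'quarantine': 1, 'none': 2, 'invalid': 1, 'missing': 1}.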
Finding 2: The SPF Failure Rate
We analyzed the SPF records of all scanned domains. Results:
a significant portion have no SPF record at all.
a significant portion have a valid, correctly formatted SPF record.
a significant portion have an SPF record with a DNS lookup count exceeding the RFC 7208 limit of 10 lookups—meaning the SPF record is technically broken and is silently failing authentication checks.
a significant portion have syntactically invalid SPF records (missing the all mechanism, incorrect qualifiers, etc.).
The broken SPF rate (a significant portion) is a critical finding. These organizations believe they have email authentication in place, but their authentication is silently failing for a percentage of their outbound mail, contributing to deliverability problems and creating exploitable gaps in their DMARC alignment.
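How the lookup count in Finding 2 is computed, as an added example that is not CyberFurl's engine: a static walk of an SPF record tree that counts the terms RFC 7208 charges against the 10-lookup limit, performs the syntax checks named above (no all term, bad qualifier, more than one v=spf1 record), and includes the include flattening that the Recommendations section later proposes as the fix. ZONE is a constructed stand-in for DNS; none of the names are real domains.

```python
# Added example, not CyberFurl's engine: count the DNS-querying terms in an SPF
# record tree (RFC 7208 section 4.6.4 allows at most 10) and flatten its includes.
import re

MAX_LOOKUPS = 10
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # plus the redirect= modifier
# groups: qualifier, name, ':' or '=' separator, value, optional /cidr
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=])([^/]*))?(?:/(\d+))?$")

# Constructed zone standing in for live DNS (name -> TXT strings); no real domains.
ZONE = {
    "corp.example": ["v=spf1 include:_spf.mailer.example include:crm.example a mx ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 include:_spf1.mailer.example include:_spf2.mailer.example ~all"],
    "_spf1.mailer.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "_spf2.mailer.example": ["v=spf1 ip4:198.51.100.128/25 include:_netblocks.mailer.example -all"],
    "_netblocks.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "crm.example": ["v=spf1 include:eu.crm.example include:us.crm.example include:ap.crm.example include:sa.crm.example -all"],
    "eu.crm.example": ["v=spf1 ip4:192.0.2.16/28 -all"],
    "us.crm.example": ["v=spf1 ip4:192.0.2.32/28 -all"],
    "ap.crm.example": ["v=spf1 ip4:192.0.2.48/28 -all"],
    "sa.crm.example": ["v=spf1 ip4:192.0.2.64/28 -all"],
    "noall.example": ["v=spf1 ip4:203.0.113.5 mx"],        # parses, but never terminates
    "broken.example": ["v=spf1 ip4:203.0.113.6 +-all"],    # doubled qualifier: syntax error
    "double.example": ["v=spf1 -all", "v=spf1 mx -all"],   # two records: permerror
}


def _spf_record(domain, zone, errors):
    """The single v=spf1 TXT string at domain, or None with the reason appended."""
    found = [t for t in zone.get(domain, []) if t.split(" ", 1)[0].lower() == "v=spf1"]
    if not found:
        errors.append(f"{domain}: no SPF record")
        return None
    if len(found) > 1:
        errors.append(f"{domain}: {len(found)} SPF records (RFC 7208 section 3.2 permerror)")
        return None
    return found[0]


def _walk(domain, zone, res, path):
    """Depth-first over include:/redirect= targets, counting every term a receiver
    may have to resolve (the conventional static worst-case lookup count)."""
    if domain in path:
        res["errors"].append(f"{domain}: include/redirect loop")
        return
    record = _spf_record(domain, zone, res["errors"])
    if record is None:
        return
    terminated = False
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            res["errors"].append(f"{domain}: unparsable term {term!r}")
            continue
        _q, name, sep, value, _cidr = m.groups()
        name = name.lower()
        if sep == "=":                          # modifier
            if name == "redirect":
                res["lookups"] += 1
                _walk(value, zone, res, path + (domain,))
                terminated = True               # redirect supplies the final result
            continue                            # exp= and unknown modifiers are ignored
        if name not in MECHANISMS:
            res["errors"].append(f"{domain}: unknown mechanism {term!r}")
            continue
        if name in LOOKUP_MECHANISMS:
            res["lookups"] += 1
            if name == "include":
                _walk(value, zone, res, path + (domain,))
        terminated = terminated or name == "all"
    if not terminated:
        res["warnings"].append(f"{domain}: no 'all' term, unlisted senders get a neutral result")


def evaluate_spf(domain, zone=ZONE):
    res = {"domain": domain, "lookups": 0, "errors": [], "warnings": []}
    _walk(domain, zone, res, ())
    res["valid"] = not res["errors"]
    res["over_limit"] = res["lookups"] > MAX_LOOKUPS
    return res


def flatten_spf(domain, zone=ZONE):
    """Replace include:/redirect= chains with the ip4:/ip6: networks they yield.
    a/mx/ptr/exists need live host resolution, so they are kept (scoped to the
    domain they appeared in) and still cost one lookup each. Assumes included
    terms carry the default '+' qualifier."""
    terms, tail = [], ""

    def collect(dom, path):
        nonlocal tail
        record = _spf_record(dom, zone, [])
        if record is None or dom in path:
            return
        for term in record.split()[1:]:
            m = TERM_RE.match(term)
            if not m:
                continue
            q, name, sep, value, cidr = m.groups()
            name, pre = name.lower(), (q if dom == domain else "")
            suffix = f"/{cidr}" if cidr else ""
            if name == "include" or (sep == "=" and name == "redirect"):
                collect(value, path + (dom,))
            elif name in ("ip4", "ip6"):
                terms.append(f"{pre}{name}:{value}{suffix}")
            elif name in ("a", "mx", "ptr", "exists"):
                terms.append(f"{pre}{name}:{value or dom}{suffix}")
            elif name == "all" and dom == domain:
                tail = f"{q}all"

    collect(domain, ())
    return "v=spf1 " + " ".join(dict.fromkeys(terms)) + (f" {tail}" if tail else "")
```

corp.example lands at 11 lookups, one over the limit, so a receiver returns permerror and the record contributes nothing to DMARC alignment even though every term in it is well formed. Flattening it leaves only the a and mx terms (2 lookups). The cost is stated in the flatten_spf docstring: the IP list must be regenerated whenever a vendor changes its ranges, which is why the report's recommendation calls for a dynamic, hosted version rather than a one-off rewrite.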
Finding 3: The DKIM Gap
DKIM (DomainKeys Identified Mail) adoption lags DMARC publication significantly, which is counterintuitive given that DKIM alignment is required for full DMARC functionality. Among domains with a published DMARC record:
a significant portion have at least one active DKIM selector discoverable via TXT record enumeration.
a significant portion appear to have published a DMARC record without properly configuring DKIM, severely limiting the effectiveness of their email authentication posture.
Finding 4: Fortune 500 Benchmarks
Our granular analysis of the 500 largest US companies by revenue revealed a sobering picture:
Only a significant portion of Fortune 500 companies—organizations with massive security budgets—have achieved full DMARC enforcement, and a significant portion have no DMARC record whatsoever. This demonstrates that scale and budget alone are insufficient predictors of email security maturity. Organizational complexity, shadow IT, and the fear of disrupting legitimate mail streams are universal friction points that affect organizations of every size.
Industry Analysis
Industry-by-Industry Enforcement Rates (2026)
Financial Services leads all verticals with a p=reject enforcement rate of a significant portion—driven directly by regulatory mandates from the FFIEC, PCI-DSS, and SOC 2 requirements. The data clearly demonstrates that regulatory pressure is the most effective driver of DMARC enforcement adoption.
US Federal Government achieves the highest enforcement rate at a significant portion, attributable to the DHS Binding Operational Directive 18-01 (BOD 18-01), which mandated DMARC enforcement for all federal agencies. This provides a natural experiment demonstrating that mandated deadlines with accountability mechanisms are the most effective levers for driving adoption.
Healthcare presents a critical gap. Despite handling some of the most sensitive personal data in existence, HIPAA does not explicitly mandate DMARC enforcement, resulting in an enforcement rate of a significant portion—meaning that a significant portion of healthcare organizations' domains are vulnerable to exact-domain spoofing attacks targeting patients.
Statistics
Global DMARC Adoption by Region (2026)
The European Union's relatively higher enforcement rate (a significant portion at p=reject) compared to North America (a significant portion) can be partially attributed to GDPR's operational security requirements, which create organizational incentives to implement strong communication authentication as part of broader data protection efforts.
SPF Record Quality Analysis
SPF Record Quality Distribution (all sampled domains):
No SPF Record:            ████████████████████ a significant portion
Valid SPF:                █████████████ a significant portion
Broken SPF (>10 lookups): ██████ a significant portion
Invalid Syntax:           ████ a significant portion
Critical Insight: a significant portion of organizations believe they have SPF protection, but their records are silently broken or misconfigured.
BIMI Adoption (The Leading Indicator)
BIMI (Brand Indicators for Message Identification)—which requires p=reject enforcement as a prerequisite—is the strongest leading indicator of email security maturity. Current BIMI adoption rates:
Global BIMI adoption: a significant portion of all scanned domains.
Fortune 500 BIMI adoption: a significant portion of Fortune 500 companies.
Year-over-year growth: a significant portion increase in BIMI adoption since Google's 2024 BIMI support launch.
The rapid growth of BIMI adoption correlates directly with Google and Yahoo's 2024 bulk sender authentication mandates. As inbox providers increasingly reward authenticated senders with visual trust signals (brand logos), the business case for reaching p=reject enforcement has become overwhelmingly compelling.
Methodology
CyberFurl's research team conducted this analysis between January 1, 2026, and March 31, 2026. The methodology is as follows:
Domain Sample: Unique domains were selected using stratified random sampling from multiple input datasets:
The Tranco top-domain list (global traffic-weighted).
A representative sample of the Alexa 1M dataset for regional diversity.
All Fortune 500 primary domains (analyzed separately in full).
Data Collection: For each domain, we performed the following automated DNS queries:
TXT record query for _dmarc.<domain> to retrieve and parse the DMARC record.
TXT record query for <domain> to retrieve and parse the SPF record (identified by v=spf1 prefix).
DKIM selector enumeration using a proprietary dictionary of 450 common DKIM selectors (e.g., google._domainkey, s1._domainkey, mail._domainkey).
CAA record query to assess SSL certificate issuance control.
Analysis: All collected DNS data was processed through CyberFurl's compliance scoring engine. DMARC record parsing followed RFC 7489 specification. SPF lookup counting followed RFC 7208 specification for the 10-lookup limit calculation.
Limitations: This analysis is based on passive DNS observation of publicly accessible TXT records. It reflects the published policy, not necessarily the operational implementation of email authentication. Internal mail routing may differ from published policies.
Threat Trends
Trend 1: The BEC Escalation
Business Email Compromise (BEC) losses continue to accelerate despite increased public awareness. The FBI's Internet Crime Complaint Center (IC3) consistently ranks BEC as the highest-loss cybercrime category, with losses exceeding substantial financial costs annually in the United States alone. The persistence of BEC is directly attributable to the persistent lack of DMARC enforcement—the single technical control that definitively eliminates exact-domain spoofing, the primary BEC vector.
Trend 2: The Google/Yahoo 2024 Mandate Effect
In February 2024, Google and Yahoo implemented mandatory DMARC authentication requirements for bulk email senders. Our 2026 data reveals the measurable impact of this mandate:
Year-over-year increase in DMARC publication: +12.3 percentage points (from a significant portion to a significant portion).
Year-over-year increase in p=reject enforcement: +4.1 percentage points (from a significant portion to a significant portion).
While the mandate successfully accelerated publication, it notably did not significantly accelerate enforcement. This strongly suggests that the barrier to adoption is not awareness—it is the technical complexity of reaching enforcement without disrupting legitimate mail flows.
Trend 3: Shadow IT Sender Explosion
The average enterprise organization now uses numerous SaaS applications. A significant percentage of these send transactional, marketing, or operational email on behalf of corporate domains. This "shadow IT sender" explosion is the single largest technical barrier to DMARC enforcement.
An organization attempting to manually map all authorized senders across numerous SaaS applications before enabling p=reject faces a months-long audit project. Without automation, the complexity makes enforcement feel impossible—and organizations stall indefinitely at p=none.
Trend 4: Lookalike Domain Attacks
As DMARC adoption has slowly increased, attackers have pivoted toward lookalike domain attacks. Rather than spoofing example.com directly (blocked by a functioning DMARC p=reject policy), they register examp1e.com, example-support.com, or exampleinc.com.
These lookalike domains are entirely unaffected by the legitimate organization's DMARC policy, because they are separate, independently registered domains. Our research found that a significant portion of Fortune 500 companies have at least one registered lookalike domain actively pointing DNS records (suggesting operational use), and a significant portion of the Fortune 500 have lookalike domains with active MX records—meaning those lookalike domains are being used to send email.
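A defender-side triage of that pivot, as an added example that is not CyberFurl's monitoring service: given a feed of observed domains and the brand's own domain, fold visually confusable characters, decode punycode labels, and sort each candidate into the lookalike patterns named above (homoglyph, affix, typo, TLD swap). CANDIDATES is a constructed feed and example.com stands in for the brand; a production scan would also consult the Public Suffix List, which this example deliberately skips.

```python
# Added example, not CyberFurl's monitoring service: triage observed domains
# against a brand domain and label the lookalike pattern each one uses.
import unicodedata

# Visually confusable sequences, applied after accent stripping (order matters).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("8", "b"), ("|", "l")]


def skeleton(label):
    """Reduce a label to what a human sees: lower-case, accents removed, confusables folded."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label with punycode decoded. Assumes a single-label public
    suffix; a real scan should use the Public Suffix List for .co.uk-style TLDs."""
    label = domain.lower().rstrip(".").split(".")[-2]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass                               # malformed punycode: keep the raw label
    return label


def classify(candidate, brand="example.com", owned=frozenset({"example.com"})):
    """Return the lookalike category, or None for owned domains and unrelated ones."""
    cand = candidate.lower().rstrip(".")
    if cand in owned or cand.count(".") < 1:
        return None
    brand_label, label = registrable_label(brand), registrable_label(cand)
    brand_sk, sk = skeleton(brand_label), skeleton(label)
    if label == brand_label:
        return "tld-swap"                      # same name under a TLD the brand does not own
    if sk == brand_sk:
        return "homoglyph"                     # examp1e, exarnple, punycode accents
    if brand_sk in sk:
        return "affix"                         # example-support, exampleinc
    if levenshtein(sk, brand_sk) <= (1 if len(brand_sk) < 6 else 2):
        return "typo"                          # exmaple, exampel
    return None


def scan(candidates, **kw):
    """Map each flagged candidate to its category; unrelated domains are dropped."""
    return {c: cat for c in candidates if (cat := classify(c, **kw))}


# Constructed feed; none of these are known real registrations.
CANDIDATES = ["examp1e.com", "exarnple.com", "example-support.com", "exampleinc.com",
              "exmaple.com", "exampel.net", "example.co", "mail.example-login.net",
              "example.com", "unrelated.com",
              "exämple.com".encode("idna").decode("ascii")]   # the xn-- form of an accented lookalike

if __name__ == "__main__":
    for domain, category in scan(CANDIDATES).items():
        print(f"{category:10} {domain}")
```

The order of the checks is deliberate: an exact label under another TLD is reported before the skeleton comparison so that example.co is not mislabelled as a homoglyph, and the edit-distance threshold shrinks for short brand names, where two edits would match far too much. Everything here is triage of domains that were already observed; deciding what to do about a hit (takedown request, mail-gateway block, user warning) is a separate workflow.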
Security Gaps
Based on our analysis, the following represent the most critical, actionable security gaps in the current global email authentication landscape.
Gap 1: The p=none Comfort Zone. The majority of organizations with a DMARC record (a significant portion) have never moved past monitoring mode. The lack of enforcement is not a strategic decision; it is organizational inertia and technical fear.
Gap 2: Broken SPF is Invisible. A significant portion of scanned domains have SPF records that silently exceed the 10-lookup limit. These organizations believe their SPF is functional. It is not. Their authentication is failing for a percentage of outbound mail, creating exploitable gaps in DMARC alignment.
Gap 3: Healthcare Regulatory Gap. HIPAA does not mandate DMARC, resulting in an enforcement rate of only a significant portion in an industry processing extremely sensitive patient data. A regulatory update mandating DMARC enforcement in healthcare would have immediate, massive impact on protecting patients from phishing attacks.
Gap 4: Lookalike Domains Are Unaddressed. DMARC protects the exact domain. It provides zero protection against lookalike domains. The industry has treated these as a separate, lower-priority problem. Our data suggests they are now the primary attack vector for organizations that have achieved p=reject on their primary domain.
Gap 5: DKIM Rotation Neglect. Our research found that a significant portion of organizations using DKIM have not rotated their private signing keys within a notable timeframe. Long-lived DKIM keys are a significant security risk; if compromised, an attacker can generate valid cryptographic signatures indefinitely.
Recommendations
Based on this research, CyberFurl recommends the following actions for security practitioners, CISOs, and regulators.
Recommendation 1: Mandate DMARC in Healthcare Regulations. Regulators should update HIPAA Security Rule guidance to explicitly mandate DMARC enforcement at p=reject for all covered entities handling PHI. Our data demonstrates that explicit regulatory mandates (BOD 18-01 for federal agencies, PCI-DSS for payment processors) are the most effective driver of adoption.
Recommendation 2: Deploy Hosted SPF Immediately. Any organization with more than 5 unique SaaS senders should immediately deploy Hosted SPF (dynamic SPF flattening) to permanently resolve the 10-lookup limit. This single action eliminates the most common technical barrier to DMARC enforcement.
Recommendation 3: Build a Sender Inventory First. The fear of blocking legitimate mail is the primary reason organizations stall at p=none. Systematically mapping all authorized senders via DMARC aggregate report (RUA) analysis before attempting enforcement eliminates this risk entirely. Automated tooling makes this process achievable within a notable timeframe.
Recommendation 4: Monitor Lookalike Domains Continuously. Achieving p=reject on your primary domain is the floor, not the ceiling. Organizations must deploy continuous lookalike domain monitoring to detect newly registered impersonation domains before they are weaponized in phishing campaigns.
Recommendation 5: Rotate DKIM Keys Quarterly. Implement a quarterly DKIM key rotation schedule. Use 2048-bit RSA keys at minimum (4096-bit recommended). Maintain overlapping key transitions to ensure zero disruption to legitimate mail delivery.
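Recommendation 5 and Gap 5 in code, as an added example rather than CyberFurl's DKIM key management: parse a selector record, measure the RSA modulus inside its p= value with a minimal DER walk, and compare the key's first-seen date against a quarterly window. The sample keys are built by fake_rsa_spki and are not real key pairs (the modulus is an arbitrary number of the right length); the selectors, domain and dates in SAMPLE_SELECTORS are constructed.

```python
# Added example, not CyberFurl's DKIM key management: audit selector records for
# key type, RSA modulus size and age. The DER walk is minimal on purpose (enough
# for a well-formed SubjectPublicKeyInfo); the sample keys are constructed, not real.
import base64
from datetime import date

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MIN_BITS, ROTATION_DAYS = 2048, 90


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample keys)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Bit length of the modulus in an RSA SubjectPublicKeyInfo (RFC 5280 / RFC 8017)."""
    tag, body, _ = _read(spki)             # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, algid, pos = _read(body)            # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    if _read(algid)[1] != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    _, bitstr, _ = _read(body, pos)        # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _read(bitstr[1:])       # skip the unused-bits octet
    _, modulus, _ = _read(rsapub)          # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(modulus, "big").bit_length()


def fake_rsa_spki(bits):
    """Constructed SPKI whose modulus is exactly `bits` long; not a usable key pair."""
    n = (1 << (bits - 1)) | 1
    n_der = _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))   # leading 0x00: top bit set
    e_der = _der(0x02, (65537).to_bytes(3, "big"))
    algid = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algid + _der(0x03, b"\x00" + _der(0x30, n_der + e_der)))


def parse_dkim_txt(txt):
    """tag=value pairs of a selector record; p= may span several TXT strings, so
    embedded whitespace is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = "".join(v.split())
    return tags


def audit_selector(selector, domain, txt, first_seen, today):
    """Findings for one <selector>._domainkey.<domain> record."""
    tags, findings = parse_dkim_txt(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":      # e.g. ed25519 (RFC 8463): no modulus to measure
        bits = None
    elif not tags.get("p"):
        bits = 0
        findings.append("empty p=: selector is revoked, signatures using it fail")
    else:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < MIN_BITS:
            findings.append(f"{bits}-bit RSA key is below the {MIN_BITS}-bit minimum")
    age = (today - first_seen).days
    if age > ROTATION_DAYS:
        findings.append(f"key age {age} days exceeds the {ROTATION_DAYS}-day rotation window")
    return {"record": f"{selector}._domainkey.{domain}", "bits": bits, "age_days": age, "findings": findings}


# Constructed inventory: (selector, domain, TXT record, date the key was first seen).
TODAY = date(2026, 3, 31)
SAMPLE_SELECTORS = [
    ("s1", "corp.example", "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode(), date(2026, 2, 1)),
    ("legacy", "corp.example", "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode(), date(2023, 6, 1)),
    ("old", "corp.example", "v=DKIM1; k=rsa; p=", date(2024, 1, 1)),
    ("ed", "corp.example", "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(32)).decode(), date(2026, 3, 1)),
]


def audit_all(samples=SAMPLE_SELECTORS, today=TODAY):
    return [audit_selector(*s, today) for s in samples]
```

The first-seen date has to come from the scanner's own history (DNS carries no timestamp for a TXT record), which is why continuous selector inventory is the precondition for any rotation check. An empty p= is the RFC 6376 way of revoking a selector; the audit reports it separately from a weak key because mail still signed with that selector will now fail verification, and that is the overlapping-transition problem Recommendation 5 warns about.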
How CyberFurl Helps
The data in this report directly informs the CyberFurl Email Security platform. Every barrier we have identified—the SPF 10-lookup limit, the complexity of sender discovery, the difficulty of safely reaching enforcement, and the persistence of lookalike domain threats—is addressed by CyberFurl's purpose-built tooling.
DMARC Aggregate Report Ingestion: CyberFurl automatically ingests and decodes your DMARC RUA reports, mapping every sending IP to a known service.
Hosted SPF: We eliminate the 10-lookup limit permanently via dynamic SPF record flattening.
Guided Enforcement: Our system provides a color-coded, risk-stratified roadmap from p=none to p=reject, allowing security teams to safely authorize all legitimate senders before enforcement.
Lookalike Domain Monitoring: CyberFurl continuously scans global domain registries to detect newly registered lookalike domains targeting your brand.
DKIM Key Management: We centralize visibility into all active DKIM selectors across your domains, alerting on aged keys and guiding secure rotations.
Organizations using the CyberFurl platform achieve p=reject enforcement in an average of a notable timeframe, compared to the industry-wide average of a notable timeframe. Every day at p=none is a day your customers are at risk.
Regional Deep Dive and Country-Level Analysis
Global aggregate numbers can obscure enormous variation beneath the surface. CyberFurl's 2026 dataset provides granular per-country visibility across 47 nations, revealing that geography, regulatory environment, and institutional history are among the strongest predictors of DMARC maturity. This section provides a country-level breakdown of the regions with the most significant adoption stories—and the greatest remaining exposure.
United States
The United States presents a tale of two ecosystems: federal government agencies operating under some of the world's strictest email authentication mandates, and the private sector navigating adoption largely without equivalent legislative compulsion.
BOD 18-01 Impact
The single most impactful DMARC policy intervention in history remains the Department of Homeland Security's Binding Operational Directive 18-01 (BOD 18-01), issued in October 2017 with a January 2018 enforcement deadline. CyberFurl's 2026 scan of all publicly identifiable .gov domains finds that a significant portion publish a DMARC record, and a significant portion enforce it at p=reject—the highest enforcement rate of any segment in this entire report. The remaining federal .gov domains at below-reject enforcement (a significant portion) are almost entirely composed of smaller sub-agency and legacy program domains that remain under active remediation review.
The lesson from BOD 18-01 is unambiguous: a clearly defined mandate with a hard deadline, backed by organizational accountability, produces enforcement outcomes that the private sector has not approached despite years of additional time. The directive did not require new technology. It required political will.
Industry Breakdown (US-Specific)
Within the US private sector, CyberFurl's data reveals stark inter-industry divergence:
US healthcare systems outperform the global healthcare average (a significant portion vs a significant portion globally) but remain critically underprotected given the volume of patient-facing communication these organizations send. US state and local government—operating without a federal-level mandate equivalent to BOD 18-01—sits 45.5 percentage points behind their federal counterparts in enforcement, a gap CyberFurl identifies as one of the most impactful security vulnerabilities in US public-sector email infrastructure.
Fortune 500 Trends
Among Fortune 500 companies specifically, CyberFurl's longitudinal tracking reveals a positive but insufficient trend. The p=reject enforcement rate among Fortune 500 companies has grown from a significant portion in 2023 to a significant portion in 2024 to the current rate of a significant portion in 2026—an average annual increase of approximately 6.8 percentage points per year. At this growth trajectory, the Fortune 500 median would not reach an enforcement rate of a significant portion until late 2027. Sector composition matters here: Fortune 500 companies in financial services have an enforcement rate of a significant portion, while Fortune 500 companies in manufacturing average just a significant portion, dragging down the aggregate.
European Union
The European Union's 2026 DMARC posture reflects a regulatory philosophy that, while not directly mandating DMARC, creates strong indirect incentives through the broader data protection accountability framework.
GDPR's Indirect Mandate Effect
GDPR does not mention DMARC by name. However, Article 32 requires controllers and processors to implement "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. National data protection authorities (DPAs) in Germany, the Netherlands, and France have increasingly cited inadequate email authentication controls in enforcement decisions related to phishing-facilitated data breaches. CyberFurl's EU domain analysis found that organizations which have received DPA enforcement notices or are under active DPA scrutiny have a DMARC publication rate of a significant portion, compared to a significant portion for the EU average—suggesting that regulatory engagement, even indirect, substantially accelerates adoption.
The EU Network and Information Security Directive (NIS2), which became enforceable in October 2024, further extends the indirect mandate effect by requiring "appropriate technical measures" for email security in essential entities across 18 critical infrastructure sectors. CyberFurl's analysis of domains registered to NIS2-designated essential entities in the EU shows a DMARC publication rate of a significant portion and an enforcement rate of a significant portion—both substantially above EU averages, consistent with NIS2 compliance posture requirements.
UK vs. EU Enforcement Rates
The United Kingdom's post-Brexit regulatory trajectory has produced measurably better DMARC outcomes than the EU27 average. CyberFurl's data shows:
UK DMARC publication rate: a significant portion (vs. EU27 average of a significant portion)
UK p=reject enforcement rate: a significant portion (vs. EU27 average of a significant portion)
UK p=none stalled rate: a significant portion (vs. EU27 average of a significant portion)
The UK's superior enforcement rate is partly attributable to the National Cyber Security Centre (NCSC) Mail Check service—a free government-provided DMARC scanning and monitoring tool offered to public sector and critical infrastructure organizations—which has driven measurably higher adoption among UK public bodies. The NCSC's Active Cyber Defence (ACD) programme has normalized DMARC as a baseline expectation rather than an advanced security measure, influencing the broader UK enterprise culture around email authentication.
Among EU member states with the highest enforcement rates, the Netherlands (a significant portion at p=reject) and Germany (a significant portion at p=reject) lead, both driven by proactive national CERT communications and public sector mandates from their respective interior ministries.
Asia-Pacific
Asia-Pacific presents the most complex and underperforming regional picture in CyberFurl's 2026 dataset, with an overall DMARC publication rate of just a significant portion and a p=reject enforcement rate of a significant portion—both well below global averages. Understanding why requires examining structural rather than technical factors.
Fragmented Regulatory Environment
Unlike the EU (GDPR), US federal sector (BOD 18-01), or UK (NCSC ACD programme), the Asia-Pacific region lacks any unified, regional email security framework. APAC spans 48 sovereign nations across dramatically different legal systems, regulatory philosophies, and enforcement capacities. Australia's ASD Essential Eight and Singapore's Cyber Security Act create local pockets of higher adoption—Australia's national average sits at a significant portion DMARC publication and Singapore reaches a significant portion—but these are isolated peaks in a largely flat regional landscape. India's large domain population (the largest in APAC by volume) sits at only a significant portion publication rate, significantly impacting the regional aggregate.
Diverse TLD Ecosystem
The Asia-Pacific TLD ecosystem adds operational complexity to DMARC implementation that Western markets underestimate. Organizations managing both an international .com domain and a country-code TLD (.jp, .kr, .cn, .in, .au, .sg, etc.) must implement, maintain, and monitor separate DMARC policies for each registered domain. CyberFurl's data finds that among APAC organizations operating on both a .com and a ccTLD, only a significant portion maintain consistent DMARC policies across all domains—meaning that even organizations with functioning DMARC on their primary domain frequently leave their ccTLD variants unprotected and spoofable.
Language Barriers in DMARC XML Reports
DMARC aggregate reports (RUA) are delivered as compressed XML files. The technical complexity of parsing these reports is a well-documented barrier globally, but it is compounded significantly in markets where engineering documentation, vendor support resources, and security community knowledge bases are predominantly in English. CyberFurl's survey data (collected from 847 APAC IT security practitioners as part of this research cycle) found that a significant portion of respondents cited "difficulty understanding DMARC report data" as a barrier to enforcement—compared to a significant portion of respondents in North American markets. The XML format, with its nested auth_results, policy_evaluated, and record structures, presents a parsing and interpretation challenge that automated tooling, rather than manual review, is essential to overcome.
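The report structure just described, as an added example that is not CyberFurl's ingestion pipeline: inflate a gzip-delivered RUA report and turn its record rows into the sender inventory Recommendation 3 calls for, separating aligned traffic, vendors that authenticate under their own domain, and sources with no valid authentication at all. SAMPLE_RUA_XML is constructed for the example (the IPs are documentation ranges, the domains are not real), and the element names follow the RFC 7489 Appendix C schema.

```python
# Added example, not CyberFurl's report ingestion: inflate a DMARC aggregate
# (RUA) report, walk its <record> elements and build the sender inventory the
# enforcement decision needs. The report below is constructed, not a real one.
import gzip
import xml.etree.ElementTree as ET

SAMPLE_RUA_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>corp.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>corp.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>corp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- SaaS vendor: authenticates, but under its own domain, so nothing aligns -->
    <row><source_ip>192.0.2.33</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <!-- unknown source with no valid authentication at all -->
    <row><source_ip>203.0.113.250</source_ip><count>75</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
    <auth_results><spf><domain>corp.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""
# Reports arrive gzip- or zip-compressed; gzip the sample so load_report has work to do.
SAMPLE_RUA_GZ = gzip.compress(SAMPLE_RUA_XML)


def load_report(blob):
    """Parse a report delivered as raw XML or as .xml.gz."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    return ET.fromstring(blob)


def _text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default


def sender_inventory(root):
    """Per source IP: volume, how much of it aligned, and a verdict on what to do
    with it before enforcement. policy_evaluated holds the aligned results DMARC
    acts on; auth_results holds the raw SPF/DKIM results under whatever domain
    the sender authenticated with."""
    inv = {}
    for rec in root.iter("record"):
        ip = _text(rec, "row/source_ip")
        n = int(_text(rec, "row/count", "0"))
        aligned = "pass" in (_text(rec, "row/policy_evaluated/dkim"), _text(rec, "row/policy_evaluated/spf"))
        raw = rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
        e = inv.setdefault(ip, {"messages": 0, "aligned": 0, "would_reject": 0,
                                "auth_domains": set(), "raw_pass": False})
        e["messages"] += n
        e["aligned" if aligned else "would_reject"] += n
        e["auth_domains"].update(_text(r, "domain") for r in raw)
        e["raw_pass"] |= any(_text(r, "result") == "pass" for r in raw)
    for e in inv.values():
        if not e["would_reject"]:
            e["verdict"] = "aligned"
        elif e["raw_pass"]:
            e["verdict"] = "vendor: authenticates under its own domain; add include:/DKIM CNAME so it aligns"
        else:
            e["verdict"] = "unauthenticated: nothing to authorize, enforcement should block it"
    return inv


def enforcement_impact(inv):
    """Volume that would be rejected if p=reject were published today, and which
    sources need authorization work first."""
    return {"messages": sum(e["messages"] for e in inv.values()),
            "would_reject": sum(e["would_reject"] for e in inv.values()),
            "sources_to_fix": sorted(ip for ip, e in inv.items() if e["verdict"].startswith("vendor"))}
```

The split between policy_evaluated and auth_results is what makes the verdict possible: 192.0.2.33 fails DMARC, yet its raw DKIM passes for crm-vendor.example, so it is a vendor to authorize rather than a spoofer; 203.0.113.250 passes nothing under any domain, so it is exactly the traffic p=reject exists to stop. On the sample, 415 of 1,615 messages would be rejected today and one source needs fixing first.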
Emerging Markets
Latin America (LATAM)
CyberFurl's LATAM analysis covers 18 countries with a combined sample of numerous domains. Key findings:
DMARC publication rate: a significant portion — below global average but showing the fastest year-over-year growth in any emerging market region (+6.8 percentage points from 2025).
p=reject enforcement rate: a significant portion — reflecting very early-stage adoption where most published records remain in monitoring mode.
Brazil leads the region with a publication rate of a significant portion and an enforcement rate of a significant portion, driven largely by BACEN (Brazil's Central Bank) cybersecurity circular requirements for regulated financial institutions.
Mexico follows at a significant portion publication and a significant portion enforcement, with growth concentrated in export-oriented manufacturing and financial services sectors that maintain international security certifications.
Argentina, Colombia, and Chile collectively average a significant portion publication with enforcement rates below a significant portion, consistent with early adoption stages.
LATAM's primary barriers are resource constraints, limited availability of Portuguese- and Spanish-language DMARC guidance, and the near-total absence of explicit regulatory mandates. However, the rapid growth trajectory—the fastest of any region in this report—suggests the region is approaching an inflection point.
Middle East & Africa (MEA)
The MEA region's DMARC publication rate (a significant portion) and enforcement rate (a significant portion) mask significant internal variation:
Gulf Cooperation Council (GCC) states (UAE, Saudi Arabia, Qatar) significantly outperform the MEA average, with the UAE reaching a significant portion DMARC publication and a significant portion enforcement—driven by UAE TDRA (Telecommunications and Digital Government Regulatory Authority) cybersecurity guidelines and the concentration of multinational organizations in Dubai's DIFC financial free zone.
Saudi Arabia has seen rapid acceleration following the NCA (National Cybersecurity Authority) Essential Cybersecurity Controls mandate, reaching a significant portion publication among NCA-regulated entities, compared to a significant portion for non-regulated Saudi domains.
Sub-Saharan Africa overall sits at approximately a significant portion publication and a significant portion enforcement—among the lowest in the world—reflecting a combination of nascent digital infrastructure, low enterprise IT security maturity, and an absence of regional email security regulatory frameworks.
South Africa is the regional exception, reaching a significant portion publication and a significant portion enforcement driven by POPIA (Protection of Personal Information Act) compliance pressure and a more mature enterprise IT landscape.
Predictions for 2027
Based on CyberFurl's observed growth trajectories, regional policy dynamics, and the anticipated regulatory developments described below, we project the following adoption benchmarks for Q1 2027:
Key drivers for 2027 growth projections:
NIS2 full enforcement cycle: The October 2024 NIS2 enforcement date means 2026 is the first year of compliance review cycles. CyberFurl expects EU enforcement rates to accelerate significantly as national DPAs issue their first NIS2-related enforcement actions citing email security gaps, creating strong institutional pressure across the EU27.
Anticipated US healthcare DMARC guidance: Multiple US Senate bills under active consideration in 2026 include provisions requiring HHS to update HIPAA Security Rule guidance to reference DMARC enforcement. If enacted, this would affect over 700,000 covered entities and business associates—the largest single regulatory driver of DMARC adoption since BOD 18-01.
Google Workspace and Microsoft 365 enforcement defaults: CyberFurl anticipates—based on conversations with platform partners and observed product roadmap signals—that both Google and Microsoft will shift their enterprise email platform default configurations to warn administrators of unenforced DMARC policies more prominently, creating an "organizational nudge" effect that drives SMB adoption at scale.
BIMI business case maturation: As BIMI brand logo display becomes standard across Gmail, Apple Mail, and Yahoo Mail for enforced senders, the brand visibility ROI of reaching p=reject becomes quantifiable by marketing teams—bringing non-security business units into the DMARC enforcement conversation for the first time and accelerating internal approvals.
AI-accelerated sender discovery: The emergence of AI-assisted DMARC report analysis tools (including capabilities within CyberFurl's own platform roadmap) will reduce the time required to enumerate and authorize all legitimate senders from weeks to hours, eliminating the primary operational barrier that keeps organizations stalled at p=none.
CyberFurl will publish its 2027 DMARC Adoption Report in Q1 2027, benchmarking these projections against observed outcomes across the same large-scale sample methodology used in this report.
Why This Matters
Email remains the primary attack vector for enterprise breaches. Without DMARC enforcement (p=reject or p=quarantine), your exact domain name can be forged by attackers to phish your customers, partners, and employees. This direct impersonation bypasses traditional spam filters and exploits the implicit trust associated with your brand.
Common Security Mistakes
The most frequent error in DMARC implementation is remaining in p=none (monitoring mode) indefinitely. While monitoring is a crucial first step, it provides zero protection against active spoofing. Organizations often stall at this phase due to fear of blocking legitimate business emails, lacking the visibility tools needed to confidently transition to enforcement.
Attack Scenarios
When a domain lacks DMARC enforcement, attackers commonly craft highly targeted Business Email Compromise (BEC) campaigns. For example, an attacker can send a fraudulent invoice to your accounts payable department from what appears to be the CEO's exact email address (ceo@yourdomain.com). Without DMARC, the receiving mail server has no policy to reject this forged sender identity.
Threat Intelligence Perspective
Adversaries actively query DNS records to identify domains with missing or weak DMARC policies (p=none). These domains are subsequently added to target lists and sold on dark web forums as premium assets for launching high-conversion spear-phishing campaigns, as the emails will easily pass through standard secure email gateways (SEGs).
CyberFurl Recommendations
CyberFurl strongly advises a phased, data-driven approach to DMARC enforcement. Begin by collecting aggregate reports using a dedicated DMARC analysis tool. Identify and authenticate all legitimate sending sources (Marketing platforms, CRM, Helpdesk) using SPF and DKIM alignment. Once visibility is achieved, progressively shift your policy from p=quarantine to p=reject.
What percentage of domains have DMARC enforced at p=reject in 2026?
According to CyberFurl's analysis of 1,000,000 domains, only 19.4% of all domains with a published DMARC record have enforced it at p=reject. When measured across the entire domain population (including those without any DMARC record), the full enforcement rate drops to approximately 8.7%.
Which industry has the highest DMARC adoption rate?
The financial services sector leads all industries with a DMARC publication rate of 89.2% and an enforcement rate (p=reject) of 61.7%, driven by strict regulatory mandates including FFIEC guidelines and PCI-DSS requirements for payment systems.
What percentage of Fortune 500 companies have DMARC enforced?
CyberFurl's scan of the Fortune 500 found that 42.1% have DMARC enforced at p=reject, meaning 57.9% of the largest companies in the United States remain vulnerable to exact-domain spoofing attacks as of Q1 2026.
Why do so many domains remain at p=none?
The primary barriers to full enforcement are the SPF 10-DNS-lookup limit (which breaks email deliverability when exceeded), the complexity of discovering all authorized SaaS senders, and organizational fear of accidentally blocking legitimate mail streams.
What is the average time from DMARC publication to p=reject enforcement?
The industry average is 8.7 months from initial DMARC record publication to reaching p=reject enforcement. Organizations using dedicated email security platforms like CyberFurl average 28 days.