← Blog
38% of Cybersecurity Companies Don't Enforce DMARC on Their Own Domain

By DMARCdrift Team

38% of Cybersecurity Companies Don't Enforce DMARC on Their Own Domain

4 min readdmarccybersecurityresearch

We checked 40 cybersecurity companies for DMARC enforcement in May 2026. 25 of them enforce at p=reject. The other 15 (companies that sell email security, identity protection, and anti-phishing products to enterprise customers) either haven't made it to full enforcement or timed out during the scan.

This isn't a finding about technical ignorance. Every company in this group knows what DMARC is and why it matters. Some of them are in the business of telling their customers to implement it.

The numbers

  • 40 cybersecurity companies checked
  • 63% at p=reject (25/40)
  • 85% have a DMARC record (34/40)
  • 22.5% have a record but are at p=quarantine rather than p=reject (9/40)
  • 15% timed out (inconclusive, 6/40): Splunk, Barracuda Networks, F5 Networks, Imperva, LogRhythm, Lacework

No companies in this scan had zero DMARC records. The gap is entirely companies sitting at p=quarantine rather than moving to p=reject.

The 9 at p=quarantine

These companies sell security products but haven't moved their own domain to full enforcement:

Company Domain Policy
Fortinet fortinet.com quarantine
Qualys qualys.com quarantine
Rapid7 rapid7.com quarantine
Ironscales ironscales.com quarantine
Akamai akamai.com quarantine, pct=0
Vectra AI vectra.ai quarantine
Cybereason cybereason.com quarantine
Hunters.ai hunters.ai quarantine
Snyk snyk.io quarantine

Akamai's entry requires a note: p=quarantine; pct=0 means DMARC exists on paper but zero messages are subjected to the policy. This is functionally identical to p=none. Akamai is the vendor behind Prolexic and Enterprise Application Access, a company that sells DDoS protection and application security to major enterprises, and its own sending domain is unprotected.

Why this matters beyond the irony

Vendor trust is a real consideration. Enterprise buyers increasingly check whether security vendors practice their own recommendations. DMARC enforcement is visible and verifiable; anyone can check it in seconds. A vendor selling email security that isn't enforcing DMARC on its own domain is a signal that buyers can and do notice.

Customer exposure. If a security vendor's domain can be spoofed, customers who receive email from that vendor are exposed to impersonation attacks. "From: security-alerts@rapid7.com" is a high-trust vector into security teams' inboxes. If rapid7.com is at p=quarantine, that email will be delivered.

Credibility in the sales process. Security companies recommend DMARC enforcement to their customers. When a customer's security team asks whether the vendor itself is enforcing, the answer should be yes.

The charitable explanation

Getting from p=quarantine to p=reject requires fixing every sending source that isn't aligned. Cybersecurity companies have the same email complexity that any software company does: marketing automation, product notification systems, customer communication platforms, security alert emails, partner integration sends. Identifying and aligning every sending source takes months even for technically competent organizations.

The companies at p=quarantine are almost certainly mid-migration. The problem isn't that they don't know how; it's that the organizational work to audit and align every sender hasn't been finished.

The comparison

The sectors with the highest enforcement rates all have external pressure:

Cybersecurity companies (63%) have no equivalent external mandate. Their pressure is internal, reputational, and apparently not quite sufficient to push nine companies across the quarantine-to-reject threshold.

The full dataset with results for all 40 cybersecurity companies is at the DMARC adoption research page. The email authentication checker shows whether your domain is enforcing.