DMARC Adoption Statistics 2026: Scanning 2,259 Domains
73.8% of well-known domains now have a DMARC record, but only 60.4% actually enforce it. That 13-point gap is the core finding from our May 2026 scan of 2,259 domains across 9 industries: most headline adoption numbers overcount protection because having a record and being protected from spoofing are not the same thing.
The headline numbers
- 73.8% of scanned domains have a DMARC record
- 60.4% are at
p=reject, the only policy that actually stops spoofed mail from being delivered - 26.2% have no DMARC record at all
The 73.8% versus 60.4% split is the key finding. That 13-point gap represents organizations that published a record and remain spoofable. A domain at p=none collects reports. It does not stop impersonation.
For comparison: DmarcDkim.com tracks 1.2 million domains globally at roughly 11.2% full enforcement. Our curated sample skews much higher because well-known brands face more impersonation pressure and have more resources to respond to it.
By industry
| Category | Deployed | p=reject | Gap |
|---|---|---|---|
| Banks (top 25) | 84% | 76% | 8 pts |
| Federal .gov | 86% | 70% | 16 pts |
| Hospitals (largest systems) | 92% | 68% | 24 pts |
| Fortune 100 | 87% | 67% | 20 pts |
| SaaS (Cloud 100 + top B2B) | 87% | 63% | 24 pts |
| Cybersecurity vendors | 85% | 63% | 22 pts |
| News media | 83% | 53% | 30 pts |
| Universities (top 50) | 86% | 28% | 58 pts |
| State governments | 76% | 26% | 50 pts |
What explains the rankings
The pattern is consistent: external pressure produces enforcement. Categories at the top have either regulatory mandates or a direct, measurable cost from spoofing attacks. Categories at the bottom have neither.
Banks (76% enforcement) have been fighting email impersonation for 20 years. Credential phishing from spoofed bank domains produces customer fraud that banks compensate directly. PCI DSS guidance and OCC supervision have created a compliance culture that treats email security as non-negotiable.
Federal agencies (70%) were pushed by CISA's Binding Operational Directive 18-01 in 2017, which required all agencies to publish DMARC with a path to enforcement. A mandate drove the number from near-zero to 70% in a few years. State governments, with no equivalent directive, sit at 26%.
Hospitals (68%) have HIPAA compliance culture behind them. Healthcare IT is accustomed to documentation and audit requirements. The 92% deployment rate, the highest of any category, shows hospitals heard the "publish a record" message clearly. The 24-point gap to enforcement reflects decentralized sending infrastructure that's hard to lock down.
The cybersecurity paradox
The most counterintuitive finding: cybersecurity vendors, including companies that sell email security, anti-phishing, and identity protection products, are at 63% enforcement.
38% of the security companies in this study don't enforce DMARC on their own domain. Nine companies sit at p=quarantine, including Fortinet, Akamai (at pct=0, effectively no enforcement), Rapid7, and Qualys. None are missing a record entirely, but getting from quarantine to reject requires the same organizational work for security companies that it does for everyone else.
For the full vendor-by-vendor breakdown: 38% of Cybersecurity Companies Don't Enforce DMARC on Their Own Domain →
The 58-point gap at universities
Universities are the starkest case in the dataset. 86% deployed, 28% enforcing. The same problem appears at state governments: 76% deployed, 26% enforcing.
Both categories have clearly heard the message. Both have failed to get to enforcement. The shared reason: complex, decentralized sending infrastructure that nobody controls end-to-end. Universities have dozens of schools, departments, and research systems all sending email from the main domain. State agencies operate independently under the same portal domain.
The federal government had the same structural problem and solved it under mandate. Without equivalent pressure, decentralized organizations stall at p=none.
More on the university case: 86% of Top Universities Have DMARC. Only 28% Actually Enforce It. →
State vs. federal: State Governments Are 44 Points Behind Federal on DMARC Enforcement →
Methodology
2,259 domains across 9 curated categories, scanned May 2026. DNS queries use a 15-second timeout; results labeled "timeout" are inconclusive and not counted as no-DMARC. This is a curated sample of well-known organizations, not a representative internet sample. The full dataset with per-domain results is at the DMARC adoption research page, updated monthly.
Domain-level results for every organization in this study are at the DMARC adoption research page, updated monthly. The DMARC checker shows your current posture. DMARCdrift sends weekly alignment summaries and alerts when your authentication changes.
