Having a DMARC Record Isn't the Same as Being Protected
73.8% of the 2,259 major domains we track have a DMARC record. Only 60.4% are actually protected from domain spoofing. The 13-point gap between those two numbers represents organizations that published a record, checked the compliance box, and left their sending domain wide open to impersonation.
That gap is called p=none.
What p=none actually does (and doesn't do)
A domain at p=none has a DMARC record in DNS. Receiving servers can look it up. Aggregate reports flow to the rua= address you configured. That's where the protection ends.
p=none does not stop spoofed mail from being delivered. The policy value literally means "take no action on failures." A message that fails DMARC authentication under p=none lands in the recipient's inbox exactly like legitimate mail.
The record says "I am watching." It does not say "block the fakes."
This distinction matters because most compliance checks ask the wrong question. Security audits ask "do you have a DMARC record?" Vendor questionnaires ask "is DMARC configured?" Google's 2024 bulk sender requirements mandate a DMARC record with a rua= address; p=none satisfies that fully. None of these checks distinguish between a domain that's monitoring and a domain that's protected.
The gap is worst where you'd least expect it
| Category | Deployed | p=reject | Gap |
|---|---|---|---|
| Hospitals | 92% | 68% | 24 pts |
| Universities | 86% | 28% | 58 pts |
| Fortune 100 | 87% | 67% | 20 pts |
| SaaS | 87% | 63% | 24 pts |
| Cybersecurity vendors | 85% | 63% | 22 pts |
| State governments | 76% | 26% | 50 pts |
| Banks | 84% | 76% | 8 pts |
Universities are the most extreme case: 86% have a record, only 28% enforce. Fifty-eight points of apparent compliance that provides no spoofing protection. A spoofed email from a top university's domain, disguised as a financial aid alert, a professor's message, or a credential reset, will be delivered to the recipient's inbox.
State governments look nearly as bad: 76% deployed, 26% enforcing. California at p=none, New York with no record, Florida with no record. These are among the highest-value targets for government-impersonation phishing.
Banks have the tightest gap at 8 points. Bank phishing produces measurable customer fraud that banks pay to remediate. That direct financial liability drove the discipline other industries don't have.
Why organizations stay at p=none
Moving from p=none to p=reject, the path detailed in the DMARC enforcement roadmap, requires fixing every sending source first:
- Collect aggregate reports for 30–60 days
- Enumerate every source sending as your domain (the reports show you this)
- Configure DKIM signing or SPF alignment for each source
- Move to
p=quarantineand monitor for legitimate mail going to spam - Move to
p=reject
The bottleneck is step 2. Organizations consistently find more sending systems than IT knew about. Third-party billing platforms. Old marketing automation instances. Acquired subsidiaries with their own email stacks. Conference registration tools. Each one needs to be aligned or shut down before enforcement is safe.
Most organizations publish the record, point rua= to an inbox nobody monitors, and stop there.
What the enforcement gap means for you
If your organization is in one of these high-deployment, low-enforcement sectors, your DMARC record is doing less than you think. The test is simple: look at your _dmarc TXT record. If the policy is p=none, spoofed email from your domain is being delivered right now.
The DMARC checker shows your current policy. The email authentication checker shows the full picture: SPF, DKIM, and DMARC alignment in one pass.
After enforcement: why monitoring matters
Reaching p=reject is not a one-time task. A domain at enforcement can drift back into misalignment as the organization changes. A new marketing tool is added. A product team deploys a notification service. An acquisition brings a new email stack. Without ongoing monitoring, you find out about misalignment through deliverability failures or through a spoofing incident.
DMARCdrift alerts you when alignment drops and sends a weekly digest of your authentication status. It's the difference between watching your reports and acting on them.
The full dataset with deployment vs. enforcement rates across all industries is at the DMARC adoption research page. The DMARC checker shows your current policy. DMARCdrift monitors your alignment and alerts you when it changes.
