← Blog
Fortune 100 DMARC in 2026: 67% at p=reject, 13% Exposed

By DMARCdrift Team

Fortune 100 DMARC in 2026: 67% at p=reject, 13% Exposed

4 min readdmarcfortune-100enterpriseresearch

67% of Fortune 100 companies have DMARC at p=reject, 13% have no record at all, and a third of the list can have their sending domain impersonated right now. Google's 2024 bulk sender requirements drove real movement since the last major studies, but Disney, Northrop Grumman, and a handful of major insurers are still exposed.

The numbers

We checked all 100 Fortune 100 companies in May 2026:

  • 87% have a DMARC record (87/100)
  • 67% are at p=reject (67/100)
  • 13% have no DMARC record (13/100)
  • 20% have a record but aren't at full enforcement

The 87/67 split means 20 companies with a record are still spoofable. Add the 13 with no record and a third of the Fortune 100 can have their sending domain impersonated right now.

Who hasn't done it

No DMARC record (1 notable): Northrop Grumman (northropgrumman.com), a $40B+ defense contractor with no DMARC on its primary domain. This is a high-value government contracting target for spear-phishing, and the sending domain is unprotected.

At p=none (monitoring only, spoofed mail delivered): Chevron, Marathon Petroleum, Valero Energy, Walt Disney, Allstate, New York Life, Prudential Financial are among the organizations sitting at p=none. Disney is the most visible: the Disney+ and ESPN email brand reaches hundreds of millions of inboxes, and spoofed mail from disney.com will be delivered. The three major insurers (Allstate, New York Life, Prudential) are especially notable: they send high-trust financial communications that phishers would love to impersonate.

At p=quarantine (partial enforcement): Apple, Amazon, Cigna, Walgreens, HCA Healthcare, Visa, Uber, AMD, and others. Apple and Amazon are at quarantine rather than reject. Both are enormous sending domains with complex infrastructure; they're almost certainly mid-migration, not unaware.

DNS timeout (inconclusive): AT&T, Boeing, ExxonMobil, JPMorgan Chase, Mastercard, Meta, and others timed out during the scan. These results are inconclusive; DNS infrastructure issues at the target can cause timeouts that don't reflect actual policy. Check the live research page for current results.

What changed since 2022

In studies from 2020–2021, Fortune 500 enforcement rates were around 50%. The current 67% for Fortune 100 companies reflects real movement. The primary drivers:

Google's February 2024 requirements. Any domain sending 5,000+ emails per day to Gmail must have DMARC published. Every Fortune 100 company meets that threshold. Even companies that weren't technically concerned about spoofing protection had business pressure to publish a record.

Enterprise security vendor push. Email security platforms (Proofpoint, Mimecast, Abnormal Security) have made DMARC enforcement a standard part of their deployment and review cycles. Their Fortune 100 customers heard the message through existing vendor relationships.

Why some large enterprises stall

Fortune 100 companies aren't ignorant of DMARC requirements. The organizations sitting at p=none or p=quarantine are almost certainly mid-migration through a complex, months-long process.

At enterprise scale, moving to p=reject means auditing dozens of independent sending systems: corporate email, marketing automation platforms, customer communications infrastructure, partner integration systems, B2B notification services, employee benefits platforms. Each one needs DKIM signing or SPF alignment configured correctly before enforcement is safe.

The companies that haven't reached p=reject have the technical knowledge. What they have is organizational complexity.

What this means for anyone doing business with Fortune 100 companies

A spoofed email from a major enterprise's domain is credible. The brand is recognized, the domain looks right, and there's often a plausible business reason for contact. Employees who receive email from recognized Fortune 100 suppliers or customers are a target.

If you receive high-trust email from large enterprise domains, the email authentication checker can tell you whether the sender's domain is enforcing DMARC. If it isn't, the domain can be impersonated.

Full Fortune 100 domain-level results are at the DMARC adoption research page. The email authentication checker shows whether your enterprise domain is enforcing.