← Blog
B2B SaaS DMARC Enforcement in 2026: 63% Protecting, 13% Wide Open

By DMARCdrift Team

B2B SaaS DMARC Enforcement in 2026: 63% Protecting, 13% Wide Open

4 min readdmarcsaasemail-securityresearch

87% of the Forbes Cloud 100 and top B2B SaaS brands publish a DMARC record, but only 63% enforce it. That means a quarter of major SaaS companies can have their sending domain impersonated right now, and the email will be delivered to their customers' inboxes. SaaS companies live in email: product notifications, onboarding sequences, billing alerts, password resets, security warnings, and sales outreach. All of it is spoofable without enforcement.

The numbers

We checked 100 top B2B SaaS companies from the Forbes Cloud 100 and adjacent lists in May 2026:

  • 87% have a DMARC record (87/100)
  • 63% at p=reject (63/100)
  • 24% have DMARC but not enforcing
  • 13% have no DMARC record

The 87% deployment rate reflects a technically sophisticated industry that knows what DMARC is. The 63% enforcement rate reflects how hard it is to audit and align the sending infrastructure of a modern SaaS company.

Why SaaS domains are high-value spoofing targets

Customer conditioning. SaaS users are trained to respond to email from their tools: "Your invoice is ready," "Action required: verify your account," "Someone logged in from a new device." These messages generate clicks because they've been conditioned to. A spoofed version is indistinguishable without DMARC enforcement.

Business email compromise. Spoofed billing and vendor emails from SaaS brands are a documented multi-billion dollar fraud category. A "change your payment method" email appearing to come from a recognized SaaS vendor gets opened and acted on. At p=none, that email will be delivered.

Account takeover at scale. Password reset and security alert emails from SaaS platforms carry high trust. If the platform's domain is spoofable, attackers can send credential harvest pages under the guise of a legitimate reset flow.

Why SaaS email infrastructure is hard to lock down

Modern SaaS companies typically have 5-8 independent sending systems all using the same root domain:

  • Marketing automation (HubSpot, Marketo, Salesforce Marketing Cloud): needs DKIM alignment configured per platform
  • Product notifications (SendGrid, Mailgun, Postmark): needs DKIM signing on the sending subdomain
  • Sales outreach (Outreach, Apollo, Salesloft): another sending system, often managed by a separate team
  • Customer success (Intercom, Front, Zendesk): email replies from support tools
  • Billing (Stripe, Chargebee): payment notifications
  • Security alerts (in-house or via third party): auth and access notifications

Every one of these systems needs to be aligned before p=reject is safe. The audit takes months. If any sending system is misconfigured, enforcing blocks legitimate mail.

The 24% at p=none are almost certainly mid-migration through exactly this process, not unaware that the work needs to happen.

The 13% with no record

13 of 100 top SaaS companies have no DMARC record at all. For a technically sophisticated industry, this is the more surprising finding. The most likely explanations:

  • Secondary domains for acquired products that haven't been brought into the main email program
  • Domains used for internal tooling that turned out to be customer-facing
  • Relatively new entrants to the top-100 list that haven't yet addressed email infrastructure

A SaaS company with a recognizable secondary domain at p=none is still a spoofing risk if that domain appears in customer communications or is widely associated with the brand.

The DMARCdrift angle

SaaS companies managing multiple domains (the main product domain, acquired product domains, internal tooling domains, regional domains) are exactly the use case DMARCdrift is built for. When you reach p=reject on your primary domain and then add a new customer communication platform six months later, you need to know before your customers start receiving rejected mail.

DMARCdrift monitors aggregate reports across all your domains, sends a weekly summary of alignment status, and fires an alert when a new sending source appears that isn't authenticated.

Full SaaS company results are at the DMARC adoption research page. If you're a SaaS founder managing multiple domains, DMARCdrift is built for exactly this: monitoring aggregate reports across all your domains and alerting when alignment changes.