2,259 domains scanned. Last updated: May 22, 2026. Overall DMARC adoption: 73.8% of domains have a DMARC record (1,667 domains). At p=reject (full enforcement): 60.4%. No DMARC: 26.2%. Industry breakdown: Fortune 100: 87% have DMARC, 67% at p=reject; Top 25 banks: 84% have DMARC, 76% at p=reject; SaaS top 100: 87% have DMARC, 63% at p=reject; Cybersecurity companies: 85% have DMARC, 62.5% at p=reject; Major media: 83.3% have DMARC, 53.3% at p=reject; Top 50 universities: 86% have DMARC, 28% at p=reject; Hospital systems: 92% have DMARC, 68% at p=reject; State governments: 76% have DMARC, 26% at p=reject. Source: dmarcdrift.com research hub.

DMARC Adoption Research

Who's protecting emailand who isn't

We scanned 2,259 domains across Fortune 100 companies, US banks, universities, cybersecurity firms, media outlets, hospitals, and government agencies to measure real-world DMARC adoption. Scans run automatically and this page updates with fresh data each month.

Last scanned May 22, 2026. Check your own domain →

Domains scanned

2,259

across all categories

Have DMARC

73.8%

1,667 domains

At p=reject

60.4%

full enforcement

Unprotected

26.2%

no DMARC record

By category

Each bar shows the share of domains at p=reject (full enforcement) out of total domains in that category.

Fortune 100

Top 100 US companies by revenue

67%

at p=reject

87% have DMARC87/100 domains

Top 25 banks

Largest US banks by assets (Federal Reserve)

76%

at p=reject

84% have DMARC21/25 domains

SaaS top 100

Forbes Cloud 100 + widely recognized B2B brands

63%

at p=reject

87% have DMARC87/100 domains

Cybersecurity companies

Companies selling email security and identity products

62.5%

at p=reject

85% have DMARC34/40 domains

Major media

Top US and global news publishers

53.3%

at p=reject

83.3% have DMARC25/30 domains

Top 50 universities

US News Best National Universities

28%

at p=reject

86% have DMARC43/50 domains

Hospital systems

Largest US health systems by revenue

68%

at p=reject

92% have DMARC23/25 domains

State governments

All 50 US state government portal domains

26%

at p=reject

76% have DMARC38/50 domains

Key findings

  1. 01

    State governments lag federal by 44 percentage points. Only 26% of state government portals enforce DMARC at p=reject, compared to 69.8% of federal agencies, despite both handling sensitive citizen communications.

  2. 02

    Universities deploy DMARC widely but rarely enforce it. 86% of top universities have a DMARC record, but only 28% enforce it at p=reject. The majority sit at p=none, monitoring mode that delivers spoofed mail anyway.

  3. 03

    38% of cybersecurity companies don't fully enforce DMARC on their own domain. Companies selling email security products to enterprises: 25 of 40 checked have p=reject at full enforcement. The rest are at partial or monitoring policy, or have no record at all.

  4. 04

    Major news organizations: 53.3% fully protect their sending domain. A spoofed email appearing to come from a major news outlet is a high-value phishing asset. 14 of the 30 media outlets checked either have no DMARC or have not moved past monitoring mode.

  5. 05

    Banks lead all categories at 76% enforcement. The financial sector, historically a top phishing target, shows the strongest DMARC enforcement of any category in this study.

Domain-level results

Covers the 8 curated categories (420 domains). Federal government and Tranco top-500 results are summarized below; the full domain list for those is too large to display here.

Changes →

Large dataset results

US federal gov

All federal .gov domains (CISA dotgov-data)

69.8%

at p=reject

74.8% have DMARC1,002/1,339 domains

Tranco top 500

Research-grade list of highest-traffic web domains

39.2%

at p=reject

61.4% have DMARC307/500 domains

Methodology

What we measure. For each domain we resolve a single DNS record, the _dmarc.{domain} TXT record, and read its published DMARC policy. We do not send mail, inspect inboxes, or evaluate SPF or DKIM alignment. This scan measures what a domain declares in DNS, nothing more.

Domain selection. This run covered 2,259 domains from three kinds of source. Eight curated lists are checked into the repository and reviewed by hand: Fortune 100, the 25 largest US banks, a SaaS top 100, the top 50 US universities, 40 cybersecurity companies, 30 major media outlets, 25 hospital systems, and all 50 US state government portals. Two lists are fetched fresh on every scan: the Tranco top 500 highest-traffic web domains, and every US federal executive-branch .gov domain from the CISA dotgov-data repository.

How policy is classified. We parse the p= and pct= tags from the record. A domain counts as at p=reject only when p=reject is set and the policy applies to 100% of mail, meaning pct=100 or no pct tag at all, which defaults to 100. A record where p=reject or p=quarantine applies to less than 100% of mail is counted as partial enforcement, not full enforcement. A domain with no DMARC TXT record, or a TXT record that does not begin with v=DMARC1, is recorded as having no DMARC.

DNS and timeouts. Lookups run against the Google (8.8.8.8) and Cloudflare (1.1.1.1) public resolvers with a 5-second timeout. A domain whose lookup times out or fails is recorded as an error rather than as a policy result. Errors remain in the total domain count, so a scan with many timeouts will show a lower share of domains with DMARC. Read these alongside the error count for that run and treat large swings with caution. Errors are re-checked on the next scan.

Cadence. The scan runs automatically on the first of each month via GitHub Actions, which opens a pull request with the refreshed dataset. This page rebuilds from that data when the pull request is merged.

Limitations. A published p=reject record is not proof that a domain is correctly enforced. This scan cannot tell whether SPF and DKIM are aligned, whether the policy is actually applied at receiving mail servers, or whether a record is misconfigured in ways that would weaken it in practice. A single _dmarc apex lookup also does not capture per-subdomain policy. Figures are a point-in-time snapshot of published records on the scan date shown above, not a measurement of delivered protection.

Is your domain on this list?

Check your own domain's spoofability score and see your DMARC, SPF, and DKIM configuration in seconds.