More than half of the world's top domains now have a DMARC record. That milestone, crossed for the first time in 2026, sounds like progress. The underlying numbers tell a more complicated story.
Email security company EasyDMARC released its 2026 DMARC Adoption Report, analyzing the top 1.8 million domains globally along with targeted data from the Fortune 500 and Inc. 5000. The headline finding: DMARC adoption reached 937,931 domains (52.1%) in 2026, up from 47.7% in 2025, while domains using p=quarantine or p=reject rose to 411,935. Progress, yes. But for email marketers and business owners whose revenue depends on inbox placement, the gap between having DMARC and actually using it to protect a domain is the number that matters most.
The Enforcement Gap Is the Real Problem
Publishing a DMARC record is not the same as enforcing one. A p=none policy tells receiving mail servers to monitor and report on authentication failures but take no action. Spoofed emails still reach inboxes. Of the 937,931 domains with valid DMARC records in early 2026, a staggering 525,996 remain stuck at p=none, the monitoring-only policy that does nothing to stop spoofed emails from reaching recipients.
The gap between adoption and genuine protection is even starker when you look beyond the top 1.8 million domains. A Red Sift global analysis of 73.3 million domains found that as of December 2025, only 2.5% enforce the strictest p=reject policy, while 83.9% have no DMARC record at all.
Only around 9% of domains combine enforcement policies with reporting, the configuration required to both block spoofed emails and maintain visibility into email ecosystems. That combination, an active enforcement policy (p=quarantine or p=reject) paired with aggregate RUA reporting, is what security practitioners consider comprehensive protection. In 2026, only 159,691 domains met the stronger benchmark of p=reject plus RUA.
For email marketers, this matters directly. Despite mandatory authentication requirements from Google (February 2024), Yahoo (February 2024), and Microsoft (May 2025), widespread non-compliance means fully authenticated senders are 2.7 times more likely to reach inboxes than their unauthenticated counterparts. If your competitors are not enforcing DMARC, you gain a real deliverability advantage by doing so.
