Where both sources agree is on the enforcement gap below the Fortune 500. Only 15.2% of Inc. 5000 companies have reached the p=reject enforcement level, and more than half sit on a monitoring-only p=none policy that provides visibility but leaves them exposed to phishing attacks. Broader domain-level data is more sobering still: as of December 2025, only 14.9% of domains from a sample of 73.3 million had implemented any DMARC policy, and just 2.5% enforced the strictest p=reject setting, with 83.9% of all domains showing no visible DMARC record at all, according to Red Sift's global DMARC adoption tracker.

As EasyDMARC notes in its 2026 report, DMARC adoption has become widespread, but adoption alone does not guarantee protection. Many organizations have implemented DMARC records to satisfy technical requirements yet have not progressed to policies that actively block spoofed email.

For email marketers, the practical consequence is real. CSC domain security research shows that 80% of domains resembling Global 2000 brands are owned by third parties, and 42% of those are configured to send email. When criminals send convincing lookalike emails that pass their own DMARC checks, the recipients who get burned often stop engaging with the real brand entirely.

The Blockchain Proposal

TrustNFT's white paper includes a four-layer implementation roadmap covering SPF, DKIM, DMARC, and blockchain verification, along with a technical comparison of what each layer protects and what vulnerabilities remain unaddressed without the full stack.

The company's research indicates that implementing the full authentication stack combined with blockchain-anchored domain verification reduces successful impersonation attacks by up to 67% when fully deployed. TrustNFT Verify allows companies to register their sending domains on the blockchain through a process requiring a single DNS record addition, with full verification typically completed within 48 hours.

It is worth noting that TrustNFT is a vendor with a commercial product to sell. The 67% figure comes from the company's own research, and the white paper serves as both a technical argument and a product pitch. Independent verification of that claim is not yet available.

What Email Marketers Should Take Away

DMARC remains a non-negotiable foundation. The average cost of a phishing-related breach was approximately $4.88 million in 2025, and U.S. organizations that enforced DMARC at the policy level reduced successful phishing delivery from 69% to 14%, according to the EasyDMARC 2025 DMARC Adoption Report. That alone justifies getting to p=reject.

But the TrustNFT paper highlights something marketers often overlook: authentication is invisible to customers. When your brand gets impersonated via a lookalike domain, your subscribers cannot tell the difference, and the reputational damage lands on you regardless of how clean your own DNS records are.

The immediate priorities for any marketing or growth team are clear:

• Move your DMARC policy off p=none to p=quarantine or p=reject
• Set up RUA aggregate reporting so you can see who is sending on your behalf
• Monitor for lookalike domain registrations targeting your brand
• Ensure every third-party sending platform (ESP, CRM, transactional mail) is properly included in your SPF record and signing with DKIM

Whether blockchain verification becomes a mainstream layer of the email trust stack remains to be seen. What is already clear is that DMARC alone was never designed to solve the problem of brand impersonation at the domain ecosystem level, and treating it as a complete solution leaves both your customers and your sender reputation exposed.

Where both sources agree is on the enforcement gap below the Fortune 500. Only 15.2% of Inc. 5000 companies have reached the p=reject enforcement level, and more than half sit on a monitoring-only p=none policy that provides visibility but leaves them exposed to phishing attacks. Broader domain-level data is more sobering still: as of December 2025, only 14.9% of domains from a sample of 73.3 million had implemented any DMARC policy, and just 2.5% enforced the strictest p=reject setting, with 83.9% of all domains showing no visible DMARC record at all, according to Red Sift's global DMARC adoption tracker.

As EasyDMARC notes in its 2026 report, DMARC adoption has become widespread, but adoption alone does not guarantee protection. Many organizations have implemented DMARC records to satisfy technical requirements yet have not progressed to policies that actively block spoofed email.

For email marketers, the practical consequence is real. CSC domain security research shows that 80% of domains resembling Global 2000 brands are owned by third parties, and 42% of those are configured to send email. When criminals send convincing lookalike emails that pass their own DMARC checks, the recipients who get burned often stop engaging with the real brand entirely.

The Blockchain Proposal

TrustNFT's white paper includes a four-layer implementation roadmap covering SPF, DKIM, DMARC, and blockchain verification, along with a technical comparison of what each layer protects and what vulnerabilities remain unaddressed without the full stack.

The company's research indicates that implementing the full authentication stack combined with blockchain-anchored domain verification reduces successful impersonation attacks by up to 67% when fully deployed. TrustNFT Verify allows companies to register their sending domains on the blockchain through a process requiring a single DNS record addition, with full verification typically completed within 48 hours.

It is worth noting that TrustNFT is a vendor with a commercial product to sell. The 67% figure comes from the company's own research, and the white paper serves as both a technical argument and a product pitch. Independent verification of that claim is not yet available.

What Email Marketers Should Take Away

DMARC remains a non-negotiable foundation. The average cost of a phishing-related breach was approximately $4.88 million in 2025, and U.S. organizations that enforced DMARC at the policy level reduced successful phishing delivery from 69% to 14%, according to the EasyDMARC 2025 DMARC Adoption Report. That alone justifies getting to p=reject.

But the TrustNFT paper highlights something marketers often overlook: authentication is invisible to customers. When your brand gets impersonated via a lookalike domain, your subscribers cannot tell the difference, and the reputational damage lands on you regardless of how clean your own DNS records are.

The immediate priorities for any marketing or growth team are clear:

• Move your DMARC policy off p=none to p=quarantine or p=reject
• Set up RUA aggregate reporting so you can see who is sending on your behalf
• Monitor for lookalike domain registrations targeting your brand
• Ensure every third-party sending platform (ESP, CRM, transactional mail) is properly included in your SPF record and signing with DKIM

Whether blockchain verification becomes a mainstream layer of the email trust stack remains to be seen. What is already clear is that DMARC alone was never designed to solve the problem of brand impersonation at the domain ecosystem level, and treating it as a complete solution leaves both your customers and your sender reputation exposed.