Valid DMARC adoption grew from 523,921 domains in 2023 to 858,782 in 2025 and 937,931 in early 2026. However, p=none remains the most common policy globally, and many organizations still use DMARC primarily for visibility rather than active protection. In 2026, 525,996 domains remained at p=none.

A p=none policy generates reporting data but does nothing to block spoofed or unauthenticated email. Analysis of the top 10 million internet domains found that only 22.9% of domains that send DMARC reporting data to themselves have a DMARC reject policy. Under the new Bitsight scoring, a p=none configuration will likely receive a lower grade than a fully enforced p=reject policy, meaning the rating gap between organizations that have deployed enforcement and those that haven't is about to become visible in an external score.

How Bitsight Will Grade DMARC

Only domains with specific criteria will generate a DMARC finding: domains protected by a DMARC record, and domains not protected by a DMARC record that are associated with an MX record. If an MX record is present and no DMARC record is configured, this results in a finding with the issue "Record does not exist" and a Bad grade.

For entities that do not have associated domains, SPF and DKIM will now default to N/A and will have no negative impact on the rating. Previously, these entities received default grades despite having no domains to evaluate.

By measuring DMARC alongside SPF and DKIM, Bitsight strengthens the Rating's ability to surface evidence-based protections against spoofing and phishing, giving security and risk teams a clearer, more actionable indicator to demonstrate improved email security posture.

What Email Marketers and Business Owners Should Do Now

The preview window is a practical opportunity to close the gap before scores shift. Here are the steps most relevant to marketing and growth teams:

1. Audit your current DMARC record. Check whether your sending domains have a valid _dmarc TXT record in DNS. Tools like MXToolbox can verify this in seconds.
2. Move beyond p=none. A monitoring-only policy will not earn a strong Bitsight grade. Work toward p=quarantine or p=reject with pct=100. An active policy using p=reject or p=quarantine that acts on all authentication failures with pct=100 is required for the best possible grade.
3. Check all sending domains, including non-email domains. Bitsight looks for properly configured SPF records for all of an organization's domains, even those not used for sending email, because threat actors may attempt to spoof email from a domain even if the organization does not use it for email.
4. Brief stakeholders before the preview period ends. Many organizations share their Bitsight Rating with vendors, partners, boards, and insurers. The preview period is an opportunity to brief these stakeholders and ensure alignment.

The broader data is clear on why this matters. Countries with mandatory DMARC requirements show dramatically different phishing attack patterns. The US reduced successful phishing delivery from 69% to 14%, while countries without enforcement mandates like the Netherlands saw vulnerability increase to 97%. For any organization managing email marketing at scale, the business case for DMARC enforcement is now both a security argument and a ratings argument.

Valid DMARC adoption grew from 523,921 domains in 2023 to 858,782 in 2025 and 937,931 in early 2026. However, p=none remains the most common policy globally, and many organizations still use DMARC primarily for visibility rather than active protection. In 2026, 525,996 domains remained at p=none.

A p=none policy generates reporting data but does nothing to block spoofed or unauthenticated email. Analysis of the top 10 million internet domains found that only 22.9% of domains that send DMARC reporting data to themselves have a DMARC reject policy. Under the new Bitsight scoring, a p=none configuration will likely receive a lower grade than a fully enforced p=reject policy, meaning the rating gap between organizations that have deployed enforcement and those that haven't is about to become visible in an external score.

How Bitsight Will Grade DMARC

Only domains with specific criteria will generate a DMARC finding: domains protected by a DMARC record, and domains not protected by a DMARC record that are associated with an MX record. If an MX record is present and no DMARC record is configured, this results in a finding with the issue "Record does not exist" and a Bad grade.

For entities that do not have associated domains, SPF and DKIM will now default to N/A and will have no negative impact on the rating. Previously, these entities received default grades despite having no domains to evaluate.

By measuring DMARC alongside SPF and DKIM, Bitsight strengthens the Rating's ability to surface evidence-based protections against spoofing and phishing, giving security and risk teams a clearer, more actionable indicator to demonstrate improved email security posture.

What Email Marketers and Business Owners Should Do Now

The preview window is a practical opportunity to close the gap before scores shift. Here are the steps most relevant to marketing and growth teams:

1. Audit your current DMARC record. Check whether your sending domains have a valid _dmarc TXT record in DNS. Tools like MXToolbox can verify this in seconds.
2. Move beyond p=none. A monitoring-only policy will not earn a strong Bitsight grade. Work toward p=quarantine or p=reject with pct=100. An active policy using p=reject or p=quarantine that acts on all authentication failures with pct=100 is required for the best possible grade.
3. Check all sending domains, including non-email domains. Bitsight looks for properly configured SPF records for all of an organization's domains, even those not used for sending email, because threat actors may attempt to spoof email from a domain even if the organization does not use it for email.
4. Brief stakeholders before the preview period ends. Many organizations share their Bitsight Rating with vendors, partners, boards, and insurers. The preview period is an opportunity to brief these stakeholders and ensure alignment.

The broader data is clear on why this matters. Countries with mandatory DMARC requirements show dramatically different phishing attack patterns. The US reduced successful phishing delivery from 69% to 14%, while countries without enforcement mandates like the Netherlands saw vulnerability increase to 97%. For any organization managing email marketing at scale, the business case for DMARC enforcement is now both a security argument and a ratings argument.