Executive summary
Join us as we dive deep into the current state of DMARC adoption across various industries, analyze the effectiveness of different DMARC policies, and underscore why DMARC is a non-negotiable component of any comprehensive cybersecurity strategy in this disinformation age.
This report highlights the critical importance of foundational security practices, particularly Domain-based Message Authentication, Reporting, and Conformance (DMARC), in this challenging landscape. DMARC provides a simple, cost-effective, and highly reliable method to prevent bad actors from sending emails using your email domain. By authenticating the source of emails, DMARC layers on top of inbound protection and helps you address outbound email impersonation, thereby protecting employees, brands, and preventing disinformation campaigns from leveraging trusted domains.
Introduction
DMARC is an email authentication protocol designed to protect domains from unauthorized use in email messages, such as phishing and spoofing. It works by enhancing existing authentication protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), aligning these protocols with the domain in the visible “From” header of email messages. It provides domain owners with reports and monitoring to offer insights into email authentication and usage, enabling better security and deliverability practices.
Why DMARC matters more than ever
In an era marked by AI-driven attacks and widespread disinformation, trust in digital communications is eroding. Malicious actors are increasingly exploiting email to impersonate brands, launch phishing campaigns, and spread false information—often using sophisticated methods made simpler by emerging AI technologies. This environment calls for foundational, secure defenses that can prevent the majority of these malicious attempts from seeing success.
In this report, we’ll help you understand DMARC and why it is so important in the fight against email phishing and spoofing. We’ll also share data on global and industry-specific adoption rates across a dozen different industries, showing how companies and organizations across a spectrum of focus areas are choosing to protect their domains against phishing and spoofing.
DMARC is critical in the
modern email landscape
DMARC is pivotal in securing email communications and protecting against growing threats like phishing, spoofing, and the deliberate spread of disinformation. Here’s why it’s indispensable:
1
Prevents domain spoofing
DMARC ensures that only authorized senders can use your domain to send emails. This protects your brand and customers from phishing attacks that impersonate your organization.
2
Strengthens email authentication
By aligning with SPF and DKIM, DMARC provides an additional layer of verification, ensuring that email headers are legitimate and match the sender’s domain, while allowing domain owners to stand up and say that all mail they send should be properly authenticated.
3
Provides visibility and monitoring
DMARC generates reports that give domain owners insights into who is sending emails on their behalf and how authentication are performing. This transparency helps organizations detect unauthorized use and improve email security.
4
Enhances trust, security, and deliverability
Implementing DMARC signals to email providers that your domain is secure, improving sender reputation, and increasing the likelihood that legitimate emails reach the inbox.
5
Part of a growing mandate
Microsoft, Yahoo, and Google require bulk email senders to implement DMARC. The PCI DSS 4.0 standard includes DMARC, noting it as a “good practice,” and multiple US government agencies, including the National Institute of Standards and Technology (NIST) and U.S. Department of Homeland Security (DHS), have either recommended or mandated that email senders should implement DMARC. Every day, more and more industry oversight groups, standards bodies, and gatekeeping entities are indicating that DMARC is a best practice and should be implemented.
By showcasing how DMARC meets the challenges posed by AI-enabled spoofing and disinformation—and highlighting its growing acceptance as a standard practice—this report aims to underscore why DMARC is an essential line of defense in 2026.
DMARC adoption does not mean DMARC protection
DMARC policies are another area of concern. In many industries, a significant number of companies have implemented a policy of p=none, likely in response to the Microsoft, Yahoo, and Google email sender requirements (Yahoo and Google announced in 2023, Microsoft in 2025), not realizing that while this “checks the box” for delivering mail to mailbox providers, it does nothing to actually protect email domains against malicious, false use.
So, while DMARC adoption rates might appear high, a significant percentage of tracked domains in each segment are still unprotected.
Why DMARC matters in 2026
Throughout 2025, bad actors leveled up. Artificial Intelligence is now part of the phishing and spoofing playbook, where malicious email senders can now use AI-driven automation and personalization to endlessly attempt different and personalized variations on crafting the perfect falsified message to attempt to trick their way past filters and confuse end recipients into handing out sensitive information. These advanced techniques to exploit weaknesses in email systems make DMARC more critical than ever for securing your email domains against misuse.
DMARC combats these threats by preventing the unauthorized use of a domain and ensuring that only legitimate emails are delivered to recipients. No matter how well-crafted malicious content could be, if the sender attempts to spoof your domain, and you reject that attempt with a strong DMARC policy, they’re not getting their attacks through to your inbox (or to others) using your domain.
Because of its importance as part of the security infrastructure, industry, government, and regulatory bodies worldwide are increasingly mandating DMARC compliance for industries handling sensitive data, such as finance and healthcare. Major hosts of email inboxes, like Microsoft, Apple, Google, and Yahoo, now require bulk email senders to implement DMARC, improving deliverability and reputation for compliant organizations. Failing to comply with email authentication and DMARC mandates now results in email messages being relegated to the spam folder, or even worse, being rejected outright.
DMARC is a non-negotiable for organizations combating email fraud, phishing, and spoofing. Its ability to adapt to growing threats, meet regulatory demands, and provide visibility into email ecosystems makes it indispensable. By leveraging DMARC’s robust authentication and reporting capabilities, businesses can safeguard their brand, build trust, and protect their domains.