In October 2023, Google and Yahoo announced that senders pushing more than 5,000 messages a day to their users would need, among other things, a DMARC record — effective February 2024. The announcements were widely described as the moment DMARC would finally go mainstream. Two years later, we can measure what happened, because DMARC policies live in public DNS and we have been recording them daily. As of the 2026-07-05 snapshot, our dataset covers 459,124 DMARC records across the Tranco top-1M domains, with daily history reaching back to 2016.
The headline is counterintuitive: the mandate made the enforcement rate go down. The share of DMARC-publishing domains with an enforcing policy (quarantine or reject at pct=100) stood at 46.91% in December 2023. By February 2024 it had dropped to 42.04%, and by June 2024 it bottomed at 40.98%. It then climbed slowly — 44.6% by December 2025 — and reached 47.16% in July 2026. Two years of turbulence to end up roughly one point above the starting line.
The denominator effect, not a retreat
No one downgraded their policies en masse in early 2024. What the data shows is a denominator effect: the mandate pulled a wave of first-time DMARC publishers into the dataset, and almost all of them arrived at p=none — the monitoring-only policy that satisfies the letter of the requirement. New none-records grew the denominator faster than enforcement grew the numerator, so the enforced share sank even while the absolute number of enforcing domains kept rising throughout the entire period, as it has for years.
This is worth being precise about, because both optimistic and pessimistic readings of the mandate get it wrong. The optimistic reading ("the rules drove mass DMARC adoption") is true only for record presence. The pessimistic reading ("the rules did nothing") misses that a p=none record is a real first step: it delivers aggregate reports, which are the raw material for ever reaching enforcement. What the mandate did not do — and never claimed to do — is force anyone up the policy ladder.
A p=none record makes you compliant with the bulk-sender rules and does precisely nothing to stop anyone spoofing your domain. Of the 459,124 DMARC records we track, 234,559 — 51% — sit at none. Their owners passed the checklist and remain exactly as spoofable as before.
The slow recovery, 2024–2026
The climb from 40.98% back to 47.16% over two years is the more encouraging part of the chart. It means a meaningful fraction of the mandate cohort did what the DMARC ladder intends: publish none, watch reports, fix alignment, then tighten. The recovery also coincides with a compositional shift among enforcers — in June 2026, quarantine overtook reject for the first time (114,824 vs 114,390 domains), suggesting many of these newer enforcers stop at the milder policy. We unpack that crossover here.
Whether the curve keeps climbing depends on incentives that the 2024 rules did not create. Mailbox providers required a record; nothing currently requires a policy. Watch the enforced-share line in the daily email infrastructure report — it updates every night, and its slope is the single best summary of whether the ecosystem is finishing what the mandate started.
What senders should take from two years of data
If you run email marketing, the mandate era has three durable lessons:
- The requirements are now table stakes, not differentiators. SPF, DKIM, a DMARC record, one-click unsubscribe, low complaint rates — the February 2024 checklist is simply the price of admission to Gmail and Yahoo inboxes at volume.
- Don't stop where the checklist stops. If your own domain is one of the p=none majority, you have monitoring without protection. The path is mechanical: read aggregate reports, fix misaligned senders, step to quarantine with
pctramps, then reject. The State of DMARC 2026 lays out the full policy landscape you are stepping into. - Verify outcomes, not checkboxes. The mandate taught the industry that authentication can be "done" on paper and broken in practice — a misaligned tool, a forgotten subdomain, a flattened SPF record. The ground truth is where your mail actually lands. A periodic seed test across Gmail, Yahoo, Microsoft and the rest shows you what no DNS checker can: whether compliant mail is reaching inboxes or compliantly rotting in spam.