DMARC is usually discussed as something senders configure. But it cuts both ways: the domain you are emailing publishes a policy too, and that policy tells you how seriously its mail infrastructure takes authentication. As of the 2026-07-05 snapshot of our daily email infrastructure report, 459,124 domains in the Tranco top-1M publish DMARC, and 47.16% of them enforce — meaning p=quarantine or p=reject at full coverage. That is not a fringe posture anymore. For an SDR, a prospect's DMARC record is a free pre-flight signal: it predicts what their filters will do to your message and which shortcuts will get you burned.
The enforcement landscape in one paragraph
Of the 459,124 DMARC records we track, 234,559 — 51% — still sit at p=none, monitoring without acting. The enforcing half split in a notable way in June 2026: quarantine (114,824 domains) overtook reject (114,390) for the first time in the dataset. Companies increasingly stop at quarantine rather than going all the way to reject. For you as a sender the difference is practical: a reject-domain drops failing mail before anyone sees it, while a quarantine-domain shunts it to spam where a curious prospect might still find it. Neither is where you want to live.
What actually breaks when the prospect enforces
1. Lookalike and cousin domains stop being clever
Some outbound teams register lookalike domains — companyname-hq.com, getcompanyname.io — to protect their main domain's reputation. That is fine. What enforcement kills is the older, dirtier trick: putting the prospect's own brand or a spoofed colleague address anywhere in the From field. An enforcing receiver validates alignment between the From domain and the authenticated domain; anything that smells like impersonation of an enforced domain is dropped or quarantined mechanically, no human judgment involved.
2. Misaligned sending tools fail silently
The most common self-inflicted wound: your sequencer, CRM or mail merge tool sends "from" your domain but authenticates as itself. SPF passes for the tool's domain, DKIM signs with the tool's key, and DMARC alignment for your From domain fails. Receivers at p=none shops often let this through. Enforcing receivers are the ones that also tend to scrutinize inbound authentication hardest — the same security posture that made them deploy reject makes their inbound filtering stricter. Your message arrives looking exactly like the spoofing their policy exists to stop.
3. Reply-chain and forwarding tricks degrade
Tactics that involve forwarding, "re:" fake threads, or routing through intermediate mailboxes all add hops where authentication can break. Against a security-mature receiver, every broken hop is another reason to junk you.
How to check the prospect's policy in five seconds
One DNS query per domain:
- Run
dig TXT _dmarc.prospect.com +short. - Read the
p=tag:nonemeans monitoring only,quarantinemeans failing mail goes to spam,rejectmeans it is refused outright. - Check
pct=if present — a value under 100 means partial rollout; treat it as enforcement anyway. - No record at all? The domain is less security-mature — but its mailbox provider's defaults still apply.
Batch this across your list and you get a free security-maturity segment: enforcing domains correlate with stricter gateways, security teams and procurement processes — useful signal well beyond deliverability.
The same lookup applies to you. If your sending domain sits at p=none — like 51% of DMARC publishers — security-conscious receivers notice. A cold email from a non-enforcing domain, hitting a reject-enforcing company, starts the conversation with a credibility gap.
The sender-side checklist for enforcing targets
- Align everything. SPF and DKIM must both pass for the exact From domain your sequences use, including any subdomain. One misaligned tool in the stack poisons the segment.
- Enforce your own domain. Move from
p=nonethrough quarantine to reject on your sending infrastructure. It protects your brand and reads as maturity to the receivers most likely to check. - Drop impersonation-adjacent tactics for the enforcing segment entirely: no spoofed threads, no brand-borrowing From names.
- Watch bounces per segment. Reject-domains give you a clean, immediate signal when alignment breaks — use it as an early-warning system for your whole setup.
Before pointing a sequence at an enforcing segment, verify the whole chain end to end: send to a seed inbox and confirm SPF, DKIM and DMARC all pass as received, not as configured. An inbox placement test shows you the authentication verdicts a real receiver computes on your actual message — the exact thing a p=reject prospect's filter will evaluate before any human reads a word.