Research10 min read

The State of DMARC 2026: 47% enforced, 51% publishing and doing nothing

We parse every DMARC record in the Tranco top-1M, every day. The 2026 picture: 459,124 records, 234,559 of them at p=none, enforcement at 47.16% — and a quiet crossover in June that says a lot about where DMARC programs actually stop.

DMARC turned from a niche authentication protocol into a compliance checkbox somewhere around February 2024, when Google and Yahoo started requiring it from bulk senders. Two and a half years later, the DNS tells us exactly what that did — and did not do — to the world's email posture. This report is based on daily DNS snapshots of the Tranco top-1M domains, built on OpenINTEL data from the University of Twente: 192 snapshots from January 2016 through July 2026. As of the 2026-07-05 snapshot, 664,715 of those domains publish an MX record, 623,370 publish SPF, and 459,124 publish a DMARC record. Everything below comes from parsing those 459,124 records — the same parse that updates every day in our daily email infrastructure report.

The headline split: half of DMARC is a no-op

A DMARC record answers one question for receiving mail servers: what should happen to a message that claims to be from this domain but fails authentication? The three answers are p=none (deliver it anyway, just send me reports), p=quarantine (put it in spam), and p=reject (refuse it at SMTP time). Here is how the top-1M splits:

DMARC policy split across 459,124 records in the Tranco top-1M, 2026-07-05 snapshot
PolicyDomainsShare of DMARC records
p=none234,55951%
p=quarantine114,824roughly a quarter
p=reject114,390roughly a quarter

The number we track as the real health metric is stricter than the raw policy field: we count a domain as enforced only if it publishes quarantine or reject and applies it to all mail (pct=100, explicit or default). By that definition, 47.16% of DMARC-publishing domains enforce. The gap between the raw quarantine/reject counts and that 47.16% figure is the population of domains that publish an enforcement policy but water it down with pct values below 100 — a configuration that mostly signals a migration someone never finished.

050k100k150k200k202420252026233kp=none114kp=quarantine112kp=reject
DMARC policy counts (domains) in the Tranco top-1M, 2023–2026. Source: our daily OpenINTEL-based scan of the Tranco top-1M.

June 2026: quarantine overtakes reject

For the entire history of this dataset, p=reject led p=quarantine among enforcing domains. In June 2026 that flipped for the first time: 114,824 domains at quarantine against 114,390 at reject. The margin is thin, but the direction is telling. Reject is where a finished DMARC project ends; quarantine is where a cautious one pauses. A world where quarantine grows faster than reject is a world where more organizations are entering the enforcement funnel than are completing it.

There are defensible reasons to sit at quarantine — complex forwarding topologies, third-party senders that fail alignment in ways you have not finished untangling, or plain risk aversion in organizations where a single falsely rejected invoice email escalates to the board. But quarantine as a terminal state has a real cost: spoofed mail still reaches the user, one folder away, and users do dig through spam folders. We unpack the plateau in our dedicated analysis of the crossover.

The 2024 dip: what the Google/Yahoo mandate actually did

The enforcement share over the last three years is not a straight line, and the shape is the single most misread statistic in DMARC commentary. The sequence: 43.69% in June 2023, up to 46.91% by December 2023, then down to 42.04% in February 2024 and 40.98% by June 2024 — before recovering to 44.6% in December 2025 and reaching 47.16% in July 2026.

Did the bulk-sender mandate make DMARC worse? No — it changed the denominator. Google and Yahoo required senders above 5,000 messages per day to publish a DMARC record, with no requirement that the policy enforce anything. The result was a wave of brand-new p=none records through 2024: tens of thousands of domains doing the minimum to keep their newsletters delivering. Absolute enforcement counts kept rising the whole time — there was never a period where enforcing domains declined — but the flood of monitoring-mode records diluted the share. By late 2025 the mandate wave had been absorbed and a portion of those p=none domains had begun moving up the ladder, pushing the share to its current all-time high.

Compliance is not protection

The mandate measurably expanded DMARC adoption. It did not, by itself, expand DMARC protection — a p=none record satisfies the checkbox while leaving the domain exactly as spoofable as before. The 2024 dip in enforcement share is that distinction, drawn in data.

What p=none actually buys you (and what it does not)

To be fair to the 234,559: p=none is the correct first step. It turns on aggregate reporting, which is how you discover every service sending mail as your domain before you break one of them. The problem is not starting at none — it is ending there. A p=none record with no reporting address is a parked decision; a p=none record that has been collecting reports for three years is an abandoned one. Attackers can read your policy as easily as we can — a single DNS query — and a monitoring-mode record tells them spoofed mail will be delivered. The mechanics of that exposure are covered in our p=none deep dive.

Below the policy field: sp= and the reporting ecosystem

Two more dimensions of the dataset are worth flagging, both of which we track qualitatively in the full report.

  • Subdomain policy (sp=). Without an explicit sp= tag, subdomains inherit the apex policy — which is usually what you want. A meaningful pattern in the records we parse is the deliberate weakener: an apex at p=reject paired with sp=none, published during a migration to keep some subdomain sender working, then forgotten. Every such record is an open flank: attackers do not need your apex when anything.yourdomain.com passes unenforced.
  • The rua= market. Aggregate-report addresses point overwhelmingly at a recognizable set of specialist processors: Valimail, dmarcian, EasyDMARC, Red Sift, Proofpoint EFD, Agari, URIports, Postmark's DMARC tooling, and a long tail of others. The choice of processor is visible to anyone who queries the record — a domain's rua= quietly discloses its security vendor. We classify these vendors daily in the report rather than quoting shares here, since the market moves month to month.

Where this data comes from, and how to check it

Every number in this article regenerates nightly. The pipeline pulls OpenINTEL's daily DNS measurements for the Tranco top-1M, extracts and parses each DMARC record, and publishes the aggregate — policy split, pct handling, enforcement share, and the full historical series back to 2016. If you want the current figures rather than this article's 2026-07-05 snapshot, the machine-readable endpoint is api/latest.json, and there is an llms.txt index for agents and crawlers. The methodology — including its honest limitations — is documented alongside the data. Cite it, script against it, or use it to benchmark your own portfolio's posture against the top million.

FAQ

Is 47.16% enforcement good or bad?

It is an all-time high for this dataset, so the direction is positive. But it also means the majority of DMARC-publishing domains in the top million still deliver spoofed mail to users — either at p=none or at a diluted pct. Enforcement is the finish line, and most programs have not crossed it.

Why do you count pct=100 in your enforcement definition?

Because pct below 100 means the policy is applied to only a sample of failing mail. A domain at p=reject pct=50 still delivers half of all spoofed messages. Counting raw policy fields overstates real-world protection, so we require quarantine or reject applied to all mail.

Did the Google/Yahoo rules fail, then?

No — they succeeded at what they mandated, which was adoption and reporting for bulk senders. The 2024 dip in enforcement share was a denominator effect from new p=none records, not a decline in enforcing domains. Absolute enforcement counts rose throughout. The rules just never required enforcement.

How often is the underlying data updated?

Daily. The scan parses DMARC, SPF, and MX records for the Tranco top-1M every night, and the report and api/latest.json endpoint update with each run. This article reflects the 2026-07-05 snapshot with 459,124 DMARC records.
Related reading
Found this useful? Share it
AB
About the author
Artem Berezin
B2B Deliverability Specialist

B2B deliverability specialist with 5+ years of hands-on outreach experience. Built campaigns reaching 90,000+ inboxes across 20+ countries — and fixed the deliverability problems that came with that scale.

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required