DMARC turned from a niche authentication protocol into a compliance checkbox somewhere around February 2024, when Google and Yahoo started requiring it from bulk senders. Two and a half years later, the DNS tells us exactly what that did — and did not do — to the world's email posture. This report is based on daily DNS snapshots of the Tranco top-1M domains, built on OpenINTEL data from the University of Twente: 192 snapshots from January 2016 through July 2026. As of the 2026-07-05 snapshot, 664,715 of those domains publish an MX record, 623,370 publish SPF, and 459,124 publish a DMARC record. Everything below comes from parsing those 459,124 records — the same parse that updates every day in our daily email infrastructure report.
The headline split: half of DMARC is a no-op
A DMARC record answers one question for receiving mail servers: what should happen to a message that claims to be from this domain but fails authentication? The three answers are p=none (deliver it anyway, just send me reports), p=quarantine (put it in spam), and p=reject (refuse it at SMTP time). Here is how the top-1M splits:
| Policy | Domains | Share of DMARC records |
|---|---|---|
p=none | 234,559 | 51% |
p=quarantine | 114,824 | roughly a quarter |
p=reject | 114,390 | roughly a quarter |
The number we track as the real health metric is stricter than the raw policy field: we count a domain as enforced only if it publishes quarantine or reject and applies it to all mail (pct=100, explicit or default). By that definition, 47.16% of DMARC-publishing domains enforce. The gap between the raw quarantine/reject counts and that 47.16% figure is the population of domains that publish an enforcement policy but water it down with pct values below 100 — a configuration that mostly signals a migration someone never finished.
June 2026: quarantine overtakes reject
For the entire history of this dataset, p=reject led p=quarantine among enforcing domains. In June 2026 that flipped for the first time: 114,824 domains at quarantine against 114,390 at reject. The margin is thin, but the direction is telling. Reject is where a finished DMARC project ends; quarantine is where a cautious one pauses. A world where quarantine grows faster than reject is a world where more organizations are entering the enforcement funnel than are completing it.
There are defensible reasons to sit at quarantine — complex forwarding topologies, third-party senders that fail alignment in ways you have not finished untangling, or plain risk aversion in organizations where a single falsely rejected invoice email escalates to the board. But quarantine as a terminal state has a real cost: spoofed mail still reaches the user, one folder away, and users do dig through spam folders. We unpack the plateau in our dedicated analysis of the crossover.
The 2024 dip: what the Google/Yahoo mandate actually did
The enforcement share over the last three years is not a straight line, and the shape is the single most misread statistic in DMARC commentary. The sequence: 43.69% in June 2023, up to 46.91% by December 2023, then down to 42.04% in February 2024 and 40.98% by June 2024 — before recovering to 44.6% in December 2025 and reaching 47.16% in July 2026.
Did the bulk-sender mandate make DMARC worse? No — it changed the denominator. Google and Yahoo required senders above 5,000 messages per day to publish a DMARC record, with no requirement that the policy enforce anything. The result was a wave of brand-new p=none records through 2024: tens of thousands of domains doing the minimum to keep their newsletters delivering. Absolute enforcement counts kept rising the whole time — there was never a period where enforcing domains declined — but the flood of monitoring-mode records diluted the share. By late 2025 the mandate wave had been absorbed and a portion of those p=none domains had begun moving up the ladder, pushing the share to its current all-time high.
The mandate measurably expanded DMARC adoption. It did not, by itself, expand DMARC protection — a p=none record satisfies the checkbox while leaving the domain exactly as spoofable as before. The 2024 dip in enforcement share is that distinction, drawn in data.
What p=none actually buys you (and what it does not)
To be fair to the 234,559: p=none is the correct first step. It turns on aggregate reporting, which is how you discover every service sending mail as your domain before you break one of them. The problem is not starting at none — it is ending there. A p=none record with no reporting address is a parked decision; a p=none record that has been collecting reports for three years is an abandoned one. Attackers can read your policy as easily as we can — a single DNS query — and a monitoring-mode record tells them spoofed mail will be delivered. The mechanics of that exposure are covered in our p=none deep dive.
Below the policy field: sp= and the reporting ecosystem
Two more dimensions of the dataset are worth flagging, both of which we track qualitatively in the full report.
- Subdomain policy (sp=). Without an explicit
sp=tag, subdomains inherit the apex policy — which is usually what you want. A meaningful pattern in the records we parse is the deliberate weakener: an apex at p=reject paired withsp=none, published during a migration to keep some subdomain sender working, then forgotten. Every such record is an open flank: attackers do not need your apex whenanything.yourdomain.compasses unenforced. - The rua= market. Aggregate-report addresses point overwhelmingly at a recognizable set of specialist processors: Valimail, dmarcian, EasyDMARC, Red Sift, Proofpoint EFD, Agari, URIports, Postmark's DMARC tooling, and a long tail of others. The choice of processor is visible to anyone who queries the record — a domain's
rua=quietly discloses its security vendor. We classify these vendors daily in the report rather than quoting shares here, since the market moves month to month.
Where this data comes from, and how to check it
Every number in this article regenerates nightly. The pipeline pulls OpenINTEL's daily DNS measurements for the Tranco top-1M, extracts and parses each DMARC record, and publishes the aggregate — policy split, pct handling, enforcement share, and the full historical series back to 2016. If you want the current figures rather than this article's 2026-07-05 snapshot, the machine-readable endpoint is api/latest.json, and there is an llms.txt index for agents and crawlers. The methodology — including its honest limitations — is documented alongside the data. Cite it, script against it, or use it to benchmark your own portfolio's posture against the top million.