A wave of new industry data published this spring lands a single, urgent message: most organizations have done just enough to avoid getting blocked by Gmail and Outlook — and absolutely nothing to stop attackers from impersonating their domains.
Two major reports — EasyDMARC’s 2026 DMARC Adoption & Enforcement Report and Valimail’s 2026 State of DMARC Report — put hard numbers to a gap that security teams have warned about for years. The gap between “having DMARC” and “being protected by DMARC” has never been wider, and the threat landscape has never made closing it more urgent.
The Adoption Numbers Look Good. The Protection Numbers Do Not.
EasyDMARC’s report, drawn from analysis of 1.8 million domains, found that 52.1% of domains now have a DMARC record — up from 47.7% in 2025 and representing 79% growth over three years. That headline sounds encouraging. The detail underneath it is not.
Of those domains with DMARC records, only around 9% combine an enforcement policy with aggregate reporting — the configuration that actually blocks spoofed emails and keeps you informed about who is sending on your behalf. The remaining 91% have either:
- A p=none policy that monitors but blocks nothing, or
- An enforcement policy with no reporting, leaving them flying blind
Valimail’s independent report found a similar “enforcement gap”: DMARC awareness has reached 78%, but actual enforcement has plateaued at just 42%, creating a 36-point gap between organizations that know about DMARC and those that are actually protected by it.
Why Does p=none Miss the Point?
When Google and Yahoo announced bulk sender requirements in early 2024, and when Microsoft followed suit in mid-2025, millions of domain owners rushed to publish a DMARC record. Many published v=DMARC1; p=none; — the minimum required to satisfy mailbox provider compliance checks.
Here is what p=none does: it tells receiving mail servers to check unauthenticated email from your domain and send you reports, but to take no action on the result. A phisher who spoofs your domain to send a credential-harvesting campaign to your customers passes the DMARC check untouched (the receiver may still apply its own spam filtering, but DMARC itself contributes nothing). You might eventually see that traffic in your aggregate reports. Your customers will have already been hit.
Legitimate enforcement starts at p=quarantine (asking receivers to treat unauthenticated mail as suspicious, in practice routing it to spam) and culminates at p=reject (refusing it outright at SMTP time). The EasyDMARC data shows only 411,935 domains, less than half of those with any DMARC record, have reached quarantine or reject.
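The distinction the reports draw (record present, enforcement, enforcement plus reporting) is mechanical enough to check from the DNS TXT record alone. The script below is an added example, not code from the article or from either report; the domain names and records in it are constructed, not real DNS data, and the bucket names are this example's own. It parses a DMARC record per RFC 7489 tag syntax and also flags two weakenings the headline "p=reject" hides: a pct= below 100 (the unsampled fraction gets the next weaker policy) and an sp=none override that leaves subdomains spoofable.

```python
"""Classify DMARC records into the buckets the adoption reports describe.

Added example, not code from the original article or either report.
The domains and records in SAMPLE_RECORDS are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict (RFC 7489 tag=value syntax).

    Tag names are case-insensitive. v=DMARC1 and a valid p= tag are required,
    so a malformed record raises instead of being silently treated as p=none.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


@dataclass
class DmarcAssessment:
    policy: str
    subdomain_policy: str
    pct: int
    has_rua: bool
    category: str                      # bucket name used by this example only
    issues: list = field(default_factory=list)


def assess_dmarc(record: str) -> DmarcAssessment:
    """Bucket a record: record_only, monitor_only, enforcement_blind, enforced_with_reporting."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()   # sp= defaults to the organizational p=
    pct = int(tags.get("pct", "100"))     # pct= defaults to 100
    has_rua = bool(tags.get("rua"))
    issues = []

    enforcing = policy != "none"
    if enforcing and pct < 100:
        # RFC 7489: the unsampled share gets the next weaker policy
        # (reject -> quarantine, quarantine -> none), so this is a ramp step.
        issues.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    if enforcing and sp == "none":
        issues.append("sp=none: subdomains of this domain can still be spoofed")
    if not has_rua:
        issues.append("no rua= address: no aggregate reports, no view of who sends as you")

    if not enforcing:
        category = "monitor_only" if has_rua else "record_only"
    elif not has_rua:
        category = "enforcement_blind"
    else:
        category = "enforced_with_reporting"
    return DmarcAssessment(policy, sp, pct, has_rua, category, issues)


def tally(records: dict) -> Counter:
    """Count categories over a mapping of domain -> DMARC record."""
    return Counter(assess_dmarc(r).category for r in records.values())


# Constructed records (not any real domain's DNS), one per bucket plus a weakened reject.
SAMPLE_RECORDS = {
    "compliance-only.example": "v=DMARC1; p=none;",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "blind.example": "v=DMARC1; p=quarantine",
    "protected.example": "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example",
    "half.example": "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@half.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{domain:24} {a.category:25} {'; '.join(a.issues)}")
    print(dict(tally(SAMPLE_RECORDS)))
```

Run it on your own records (a `dig +short TXT _dmarc.yourdomain` is all you need to fetch one) and look past the category at the issues list: a p=reject with pct=50 or sp=none is counted as enforcement in the headline numbers but does not block everything that claims to be you.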
The Threat Context Makes This Urgent
These compliance gaps exist against a backdrop of rapidly escalating email-based attacks.
Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers in 2025 alone. Microsoft’s security telemetry detected 8.3 billion email-based phishing threats in just the first quarter of 2026. AI-powered phishing campaigns — featuring flawless prose that convincingly mimics executive communications, vendor invoices, and IT alerts — rose 204% year-over-year, with one malicious email detected every 19 seconds.
Phishing-as-a-Service (PhaaS) kits now power 90% of high-volume campaigns, meaning actors with little technical skill can target your customers or employees using your exact domain identity if you have not moved beyond p=none.
The Fortune 500 has largely gotten the message: 95% now have DMARC, with more than 80% at enforcement-level policies. Smaller organizations — the Inc. 5000, regional businesses, nonprofits — lag significantly, making them both attractive impersonation targets and delivery risks for their recipients.
What Google and Microsoft Actually Require (and Why It Is Not Enough)
Both major mailbox providers set their requirements as floors, not ceilings:
- Google (Gmail): Domains sending 5,000+ messages per day must have SPF, DKIM, and a DMARC record at p=none or higher. Gmail began rejecting non-compliant mail outright in late 2025.
- Microsoft (Outlook.com, Hotmail, Live, MSN): Same volume threshold, same SPF/DKIM/DMARC requirement. Enforcement started May 5, 2025; non-compliant mail is now rejected with error 550 5.7.515.
Meeting these requirements keeps your mail out of the rejection bin. It does not protect your domain from impersonation by bad actors. Checking the compliance box and stopping there is exactly how 91% of DMARC-enabled domains remain vulnerable.
How to Actually Close the Gap
Closing the DMARC enforcement gap is a three-phase process — not a one-time DNS change.
Phase 1: Monitor. Publish p=none with a rua reporting address. Give it two to four weeks and collect aggregate (RUA) reports from every mailbox provider that receives mail from your domain; a shorter window misses monthly senders such as billing runs.
Phase 2: Identify and authenticate. Review your aggregate reports to find every legitimate email source: your ESP, your CRM, your ticketing platform, your transactional email service. Make sure each one is covered by your SPF record or signed with DKIM using your domain. The authentication has to align with the From: domain your recipients see, which is why a third-party sender that passes SPF under its own bounce domain still fails DMARC until it signs with DKIM for yours.
Phase 3: Enforce. Once your legitimate mail streams are all authenticating cleanly, move to p=quarantine, monitor for a week or two, then escalate to p=reject. If you want a gentler ramp, pct= lets you apply the policy to a fraction of failing mail first; remove it when you reach 100%. Do not leave an sp=none behind, since sp= defaults to p= and an explicit sp=none keeps your subdomains spoofable. At reject, unauthorized email that claims to be from your domain is turned away at the door.
The reporting step is the one most organizations skip when they rush to meet compliance deadlines. Without it, moving to enforcement risks blocking your own legitimate mail. With it, the path to p=reject is methodical and low-risk.
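Phases 2 and 3 turn on reading the aggregate reports, which arrive as gzip or zip XML attachments in the RFC 7489 Appendix C layout. The script below is an added example, not code from the article or from any vendor's tooling; the report in it is constructed (documentation IP ranges, invented sender domains, a hypothetical 98% pass threshold) to stand in for a real one. It groups rows by source IP using the receiver's aligned DKIM/SPF verdicts, keeps the envelope domain SPF checked so a third-party sender can be recognized, and exposes a simple go/no-go gate for moving to p=quarantine.

```python
"""Summarize a DMARC aggregate (RUA) report before raising the policy.

Added example, not code from the original article. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout, not a real one.
"""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict


def load_report(data: bytes) -> str:
    """Return XML text from a raw attachment body (gzip, zip, or plain XML)."""
    if data[:2] == b"\x1f\x8b":                     # gzip magic
        return gzip.decompress(data).decode()
    if data[:2] == b"PK":                           # zip magic
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def summarize_rua(xml_text: str) -> dict:
    """Group report rows by source IP and count aligned passes.

    policy_evaluated/dkim and /spf are the *aligned* results the receiver
    used; a row passes DMARC when either is 'pass'. auth_results/spf/domain
    is kept because it usually names the real sending service when SPF was
    checked against a third party's envelope domain instead of yours.
    """
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = defaultdict(lambda: {"count": 0, "passing": 0,
                                   "dispositions": set(), "spf_domains": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        s = sources[ip]
        s["count"] += count
        s["passing"] += count if passed else 0
        s["dispositions"].add(pe.findtext("disposition"))
        for spf in rec.findall("auth_results/spf"):
            s["spf_domains"].add(spf.findtext("domain"))
    total = sum(s["count"] for s in sources.values())
    passing = sum(s["passing"] for s in sources.values())
    return {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": total,
        "passing": passing,
        "pass_rate": passing / total if total else 0.0,
        "failing_sources": {ip: s for ip, s in sources.items()
                            if s["passing"] < s["count"]},
    }


def enforcement_ready(summary: dict, min_pass_rate: float = 0.98) -> bool:
    """Phase 3 gate: raise the policy only once nearly all mail aligns.

    The threshold is a hypothetical operational choice, not a figure from the
    article. Every failing source must also be explained first: added to SPF,
    signed with DKIM, or confirmed as an impersonator you want blocked.
    """
    return summary["pass_rate"] >= min_pass_rate


# Constructed report: an ESP signing with DKIM (passes), a CRM sending under
# its own SPF domain (fails alignment), and an outright spoofer.
SAMPLE_REPORT = """
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>esp1</selector></dkim>
      <spf><domain>bounce.esp-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
""".strip()

if __name__ == "__main__":
    s = summarize_rua(load_report(SAMPLE_REPORT.encode()))
    print(f"{s['domain']} p={s['policy']} via {s['reporter']}: "
          f"{s['passing']}/{s['total']} aligned ({s['pass_rate']:.1%})")
    for ip, src in s["failing_sources"].items():
        print(f"  {ip}: {src['count']} msgs, SPF checked against {sorted(src['spf_domains'])}")
    print("ready for p=quarantine:", enforcement_ready(s))
```

On the constructed report the gate says no: 198.51.100.20 is a CRM that passes SPF for crm-vendor.example but not for example.com, so it needs a DKIM signature under your domain (or an SPF include, if it uses your envelope domain) before enforcement; 192.0.2.77 fails everything with your own domain in the envelope, which is exactly the traffic p=reject exists to stop. Point the script at a mailbox that collects rua= reports and run it over every attachment, not just one receiver's, since each provider reports only what it saw.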
Ready to go beyond compliance and into actual protection? Excello Mail gives you a fully managed path from p=none to p=reject — including aggregate report analysis, source discovery, and guided enforcement. Start your free trial at excello.email →