Having a DMARC record and actually using it to stop spoofed email are, it turns out, very different things. Valimail’s 2026 State of DMARC Report documents that gap with unusual precision: DMARC awareness – the percentage of domains that have published any DMARC record at all – has reached 78%. Enforcement – the percentage that have set that policy to quarantine or reject, meaning it actually does something to stop spoofed mail – sits at just 42%.
That 36-point gap is not a minor bookkeeping distinction. It is the precise window that a growing wave of AI-powered impersonation tools is designed to exploit, and the report’s headline finding – “Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs” – describes exactly what is happening inside it.
What the Policy Levels Actually Mean
The distinction matters because the three available DMARC policy values are not equivalent:
p=nonepublishes a record and requests aggregate reports, but instructs receiving mail servers to deliver the message regardless of authentication outcome. The domain owner learns that spoofing is happening; the spoofed mail still reaches the inbox.p=quarantineroutes failing messages to junk or spam folders.p=rejectinstructs receiving servers to discard failing messages entirely.
Only quarantine and reject policies stop spoofed delivery. The 78% awareness figure captures everyone with any DMARC record in DNS. The 42% enforcement figure captures only those whose policy actually prevents anything.
EasyDMARC’s parallel 2026 Adoption Report, examining more than 1.8 million domains, found that of the 937,931 domains with valid DMARC records, 525,996 – more than half – remain stuck at p=none. A domain at p=none has announced an intention to eventually protect itself. It has not actually protected itself.
The AI Acceleration
What makes the enforcement gap acutely dangerous in 2026 is what attackers can now do with it. Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers in 2025 alone – a figure that reflects not random noise but targeted impersonation campaigns aimed at specific organizations and individuals.
AI lowers the cost and raises the quality ceiling for impersonation attacks simultaneously. Producing a convincing phishing email that closely mimics an executive’s communication style once required research, time, and a degree of linguistic skill. Large language models generate those lures in seconds, personalized to the recipient, indistinguishable from human-written text. The social engineering layer of the attack has been industrialized.
The authentication layer – the part that determines whether an email claiming to come from a domain is actually authorized by that domain – has not kept pace. A domain at p=none provides no resistance to that attack. The AI-written lure arrives with no friction.
Where the Gaps Are Largest
The Valimail report breaks enforcement rates down by industry, and the contrast between sectors is striking. Online Retail leads, with 72.73% of domains at enforcement-level policies. Manufacturing follows at 67.61%. These sectors have normalized DMARC enforcement to the point where it is now a standard operational baseline, not a security project.
Regulated industries tell a more complicated story. Financial Services sits at 59.18% enforcement and Healthcare at 57.42%. Both sectors face mandatory reporting requirements that have pushed awareness upward. But awareness and enforcement are not the same requirement. Organizations in both sectors that published a p=none record to satisfy an auditor’s checkbox have technically complied with the awareness requirement while remaining entirely unprotected from spoofed email carrying their domain.
The most exposed sectors are Arts and Recreation at 31.61% enforcement and Higher Education at 33.71%. The higher education figure aligns with previously documented findings: universities operate fragmented sending environments – student information systems, alumni outreach platforms, department-level marketing tools, event ticketing systems, research collaboration services – that create enough SPF and DKIM alignment complexity to make enforcement feel risky. The result is that institutions handling significant volumes of personally identifiable data and high-value financial transactions remain at monitoring-only policies years after the threat environment demanded something stronger.
The Enterprise vs. Mid-Market Divide
EasyDMARC’s domain-level analysis reveals a structural gap between large and mid-market organizations. Fortune 500 companies have nearly closed the enforcement gap: 475 of 500 have valid DMARC records, more than 80% are at enforcement-level policies, and 62.7% have reached p=reject – the strongest available setting.
The picture is starkly different one level down. Among Inc. 5000 companies, only 15.2% have reached p=reject. The mid-market adopted DMARC broadly in response to Gmail, Yahoo, and Microsoft authentication mandates, but has not followed through to the enforcement stage. The mandates required a DMARC record. They did not require one that actually stopped anything.
That asymmetry has a practical consequence: attackers targeting mid-market organizations – finance, professional services, technology companies below the Fortune 500 threshold – face meaningfully lower authentication barriers than they would when targeting the largest enterprises.
BIMI Stalls at 4%
Brand Indicators for Message Identification – the standard that displays a verified brand logo in compatible inboxes – remains a largely unrealized opportunity for email trust signaling. Valimail’s report shows global BIMI adoption stalled at just 4%, despite the standard being supported by Gmail, Apple Mail, and Yahoo Mail.
BIMI requires a p=quarantine or p=reject DMARC policy as a technical prerequisite. Since more than half of all DMARC-configured domains cannot yet meet that requirement, low BIMI adoption is partly explained by the enforcement gap itself. But even among organizations that have reached enforcement, BIMI uptake is minimal. The incentive – a verified brand logo in the recipient’s inbox that signals confirmed sender identity – has not yet proved compelling enough to drive the VMC certificate acquisition and DNS configuration the standard requires.
That may change as AI-generated phishing becomes the default attacker capability. When recipients cannot distinguish AI-written from human-written text, visual identity signals at the inbox level become one of the few remaining indicators that a message is genuinely from whom it claims to be.
What Closing the Gap Requires
The Valimail and EasyDMARC data together describe a consistent pattern: organizations adopt DMARC to meet a compliance requirement, stop at p=none, and do not progress because enforcement feels uncertain. The uncertainty is almost always the same: concern that some legitimate sending source is not properly authenticated, and that moving to enforcement will block real mail.
That concern is not irrational. Large organizations have many sending sources – CRM platforms, marketing automation tools, transactional email providers, customer support systems, financial reporting applications – and each one needs correct SPF and DKIM configuration before a domain can safely move to enforcement.
The path from p=none to p=reject is a process of discovering those sources through aggregate report analysis, verifying each one’s authentication configuration, correcting gaps, and then escalating the policy incrementally. It is not a single configuration change. It is an operational workflow. And for organizations without dedicated email security infrastructure, it is the step that never gets done – leaving the domain permanently in the window that attackers have learned to target.
The gap Valimail’s report describes is measurable, the attacks filling it are accelerating, and the path to closing it is well understood. Excello Mail provides the aggregate report analysis, sending source discovery, and guided policy escalation tools that move organizations from monitoring to enforcement. Sign up for free to Excello Mail and start closing your enforcement gap today.