By Excello Mail Team

The Fortune 500 Locked the Door. The Inc. 5000 Left It Wide Open.

EasyDMARC's 2026 DMARC Adoption Report finds that Fortune 500 companies enforce DMARC at four times the rate of fast-growing Inc. 5000 companies. Globally, only 9% of domains that have published a DMARC record combine enforcement with reporting -- the minimum configuration required to both block spoofed email and understand who is sending it.

A DMARC record is not the same as DMARC protection. That distinction has been clear to anyone who works in email authentication for years, but EasyDMARC’s 2026 DMARC Adoption and Enforcement Report, drawn from an analysis of 1.8 million domains across the Fortune 500 and Inc. 5000, makes the gap impossible to dismiss. Of the 938,000 domains that have published a DMARC record, only about 9 percent – roughly 159,000 domains – combine an enforcement policy with aggregate reporting. The other 91 percent have a record. They do not have protection.

What the Numbers Actually Show

EasyDMARC analyzed the top 1.8 million domains globally, including every company on the Fortune 500 and Inc. 5000 lists. DMARC adoption overall reached 52.1 percent of that universe, up from 47.7 percent in 2025. The raw count grew from 858,782 DMARC-enabled domains in 2025 to 937,931 in early 2026 – a meaningful increase that reflects the pressure applied by Google’s permanent-rejection policy for bulk senders and Microsoft’s May 2025 enforcement deadline.

The adoption headline looks encouraging. The enforcement detail does not.

Of the 937,931 domains with valid DMARC records, 411,935 have reached an enforcement-level policy (p=quarantine or p=reject). That means 525,996 domains – more than half of those with records – are sitting at p=none, a monitoring policy that generates reports but instructs receiving mail servers to do nothing with messages that fail authentication. A p=none domain is not protected. An attacker who spoofs that domain faces no technical barrier to inbox delivery.

More striking is the reporting gap. Over 70 percent of DMARC-enabled domains globally have not configured an RUA tag – the reporting address that causes receiving mail servers to send aggregate data back to the domain owner. A domain with an enforcement policy but no reporting is flying blind. It is blocking unauthenticated mail but has no mechanism to know which legitimate sending sources it may also be blocking, or to detect whether new attack infrastructure is spoofing the domain with a policy that does not yet cover it.

The true protection benchmark – enforcement policy plus aggregate reporting – is met by approximately 159,691 domains in EasyDMARC’s dataset. That is 9 percent of domains with DMARC records and roughly 4.6 percent of the full 1.8 million domain universe analyzed.
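The tiers described above can be checked mechanically from a domain's `_dmarc` TXT record. The following is an added example, not code from EasyDMARC's report or the original post; the domains and records are constructed, and treating a record without a valid `p=` tag as no record is a simplifying assumption.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC TXT record, or None if it is not one."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag without "="
        pairs.append((name.strip().lower(), value.strip()))
    # The version tag must come first and its value is case-sensitive.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for name, value in pairs:
        tags.setdefault(name, value)  # first occurrence of a tag wins
    # Simplification (assumption): no valid p= means "no valid record".
    if tags.get("p", "").lower() not in ENFORCING | {"none"}:
        return None
    return tags

def classify(txt):
    """Place one record in the article's tiers: policy level x rua present."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no valid record"
    enforcing = tags["p"].lower() in ENFORCING
    reporting = any(u.strip().lower().startswith("mailto:")
                    for u in tags.get("rua", "").split(","))
    if enforcing:
        return "enforcement + reporting" if reporting else "enforcement, blind"
    return "p=none, reporting" if reporting else "p=none, blind"

# Constructed sample data: reserved .example domains, made-up records.
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine",
    "c.example": "v=DMARC1; p=none; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=none",
    "e.example": "v=spf1 include:_spf.e.example -all",  # SPF, not DMARC
    "f.example": None,                                  # nothing published
}

def tally(records):
    """Count how many domains fall in each tier."""
    return Counter(classify(txt) for txt in records.values())

if __name__ == "__main__":
    for tier, n in tally(SAMPLE).most_common():
        print(f"{n:2d}  {tier}")
```

Only the "enforcement + reporting" tier corresponds to the benchmark in the paragraph above; every other tier is a record without full protection.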

The Fortune 500 vs. Inc. 5000 Divide

The gap looks very different depending on the size and age of the organization.

Among the Fortune 500, 475 of 500 companies – 95 percent – have valid DMARC records. More importantly, 62.7 percent of Fortune 500 companies have reached p=reject, the strongest enforcement level, which instructs all participating mail servers to outright reject any message that fails authentication against the protected domain. These are organizations with dedicated security teams, email operations specialists, and years of investment in infrastructure that makes DMARC enforcement operationally feasible.

Among the Inc. 5000 – America’s fastest-growing private companies, heavily weighted toward mid-market and scaling businesses – the picture is fundamentally different. Adoption is solid at 76.2 percent. Enforcement is not. Only 15.2 percent of Inc. 5000 companies have reached p=reject. More than half remain at p=none, the monitoring-only policy. The four-to-one enforcement ratio between Fortune 500 and Inc. 5000 companies (62.7 percent versus 15.2 percent at p=reject) defines what EasyDMARC calls “the growing divide.”

Why Growth Companies Lag

The enforcement gap between large enterprises and fast-growing companies is not primarily about awareness. Most Inc. 5000 companies that have adopted DMARC understand what enforcement means. The barrier is operational complexity.

A Fortune 500 company likely has a consolidated email program managed by a dedicated team. When that team moves from p=none to p=quarantine, they can systematically work through DMARC aggregate reports, identify every authorized sending source, ensure each is properly aligned for SPF or DKIM, and then advance to p=reject with confidence.

A fast-growing Inc. 5000 company often has the opposite problem. Years of rapid growth typically mean years of SaaS adoption without central oversight. Marketing uses three email service providers. Sales uses an outbound sequencing tool. HR uses a benefits notification platform. IT uses an alerting service. Finance uses a payment notification system. Each of those services sends email from or on behalf of the company domain. Each needs to be authorized in SPF or covered by DKIM before p=reject can be deployed without breaking legitimate mail flow.

EasyDMARC’s data captures this dynamic precisely. Among Inc. 5000 companies with DMARC records, only 67.4 percent have configured RUA aggregate reporting – meaning nearly a third lack the visibility to even understand their current sending landscape before attempting enforcement. You cannot enforce a policy you cannot see.

Who Attackers Target

The enforcement gap is not merely a compliance issue. It is a targeting signal.

Sophisticated business email compromise operations and domain spoofing campaigns routinely check whether a target domain has DMARC enforcement before deciding how to proceed. A domain at p=reject requires the attacker to invest in a lookalike domain (which takes time, costs money, and is more detectable). A domain at p=none can be spoofed directly, at no additional cost, with the message claiming to originate from the exact legitimate domain. For an attacker running a vendor impersonation campaign or targeting a company’s finance department, the WHOIS record and the DMARC policy are two of the first things they look up.

Inc. 5000 companies – growing businesses with expanding revenue, frequent wire transfers, active vendor relationships, and often less mature security postures than their Fortune 500 counterparts – represent exactly the kind of target that benefits from direct domain spoofing. More than 50 percent of them are accessible by that method right now.

The Path from Compliance to Enforcement

EasyDMARC’s report frames 2026 as the industry’s transition from compliance-driven adoption to maturity-driven enforcement. The compliance phase was straightforward: publish a DMARC record to avoid being bounced by Google or Microsoft’s bulk sender requirements. The maturity phase requires something harder: understand who sends email on your behalf, align every legitimate source, and move the policy to a level that actually stops unauthorized mail.

That path has four practical steps.

Start with aggregate reporting configured and a receiving address monitored. A DMARC record with no RUA tag is nearly useless for enforcement planning – it provides no data.

Use the aggregate data to map every sending source. Every IP address and domain appearing in DMARC reports that is not already authorized represents either a gap to fix or a source to eliminate.

Align each legitimate source. For SPF, that means ensuring the sending server’s IP is covered in the sending domain’s SPF record. For DKIM, it means confirming the signing domain matches the From: header domain (or the envelope domain in a relaxed alignment configuration). Third-party email services typically offer documentation for this step; the challenge is knowing every service needs it.

Advance the policy in stages. Move from p=none to p=quarantine first, monitor for any legitimate mail being quarantined, resolve the gaps, and then move to p=reject. The staged approach minimizes the risk of blocking mail that should be delivered.

The reporting infrastructure is not optional. It is the feedback loop that makes enforcement possible.


EasyDMARC’s data draws a clear line: large companies enforce, growing companies monitor, and attackers know the difference. If your DMARC record sits at p=none, your domain is still available for spoofing. Sign up free to Excello Mail to get the monitoring, alignment tools, and policy management that turn a DMARC record into actual protection.