DMARC adoption & enforcement 2026

According to Live Direct Marketing's daily Tranco top-1M scan (July 13, 2026), 457,412 domains publish a DMARC record — but only 46.93% of them actually enforce it with p=quarantine or p=reject. The rest publish p=none, which monitors but blocks nothing.

Key facts

DMARC is the policy layer that ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication. It is the single most important defense against exact-domain spoofing — and across the top 1M, its adoption tells a frustrating story: publishing is common, but enforcement is not.

The gap is the headline. A large share of domains publish a DMARC record, yet many of those records say p=none — monitor only, take no action. A record at p=none produces reports but blocks nothing, so the domain remains fully spoofable. Real protection begins only at p=quarantine and p=reject.

Stacked bar chart of the DMARC policy split across the Tranco top 1 million: most domains publish DMARC but only about half enforce it with p=quarantine or p=reject.
DMARC policy split — publication versus enforcement across the Tranco top-1M (updated daily).
Funnel bar chart showing how many Tranco top-1M domains publish MX, then SPF, then DMARC, then actually enforce DMARC — a steep drop-off at each stage.
Email-authentication funnel: MX → SPF → DMARC → enforcement across the Tranco top-1M (updated daily).

Policy split

PolicyDomainsShare of DMARC
p=reject112,61124.6%
p=quarantine114,65325.1%
p=none234,76551.3%
p=invalid2030.0%

DMARC by country (top 15)

CountryDMARC domains
DE15,544
RU13,996
UK10,929
BR10,822
JP9,179
NL6,579
FR6,517
IT6,398
IN5,908
PL5,754
AU5,699
IO5,339
CO3,724
CA3,658
ES3,467

DMARC by TLD (top 15)

TLDDMARC domains
.com200,756
.org20,901
.net17,248
.de15,544
.ru13,996
.uk10,929
.br10,822
.jp9,179
.nl6,579
.fr6,517
.it6,398
.in5,908
.pl5,754
.au5,699
.io5,339

From p=none to enforcement, safely

The reason so many domains stall at p=none is fear of blocking legitimate mail — and that fear is rational if you have not first inventoried your senders. The correct path is: publish p=none, read the aggregate reports until every legitimate source is SPF-aligned and DKIM-signed, then raise the policy to quarantine and finally reject. The country and TLD breakdowns below show where enforcement is ahead and where whole regions still leave their domains exposed.

Why enforcement, not publication, is the metric that matters

Counting domains that publish DMARC overstates real-world protection, because a monitoring record offers none. The honest metric is the enforcement rate — the share of DMARC domains at quarantine or reject — which is why it is the number we lead with and track over time.

Are your emails landing in spam?
Run a free inbox-placement test across Gmail, Outlook, Yahoo and more — see exactly where your mail lands and why.
Test inbox placement →

Frequently asked questions

What percent of domains enforce DMARC?

46.93% of DMARC-publishing domains in the Tranco top-1M enforce their policy (p=quarantine or p=reject) as of July 13, 2026; the rest use p=none.

How many top websites publish DMARC at all?

457,412 of the 658,711 top-1M domains with MX records publish a DMARC record (2026-07-13).

Does p=none protect against spoofing?

No. p=none only requests monitoring reports; it instructs receivers to take no action on failing mail, so the domain remains spoofable until the policy is raised to quarantine or reject.