New data reveals a massive “Enforcement Gap” between record adoption and actual protection, warning that reporting-only policies create a dangerous false sense of security

SAN FRANCISCO, CA / ACCESS Newswire / February 25, 2026 / Valimail, a DigiCert company, and the global leader in Zero Trust email authentication and Domain-based Message Authentication, Reporting, and Conformance (DMARC) today released its 2026 State of DMARC Report, revealing that while DMARC awareness has surged to 78%, actual enforcement has plateaued at just 42 percent. This 36-point gap represents a growing sentiment of organizations that have implemented DMARC to meet basic mailbox provider requirements but remain entirely unprotected against domain spoofing and AI-driven impersonation.

Bridging the Enforcement Gap: Key Findings

The 2026 report defines the Enforcement Gap as the space between technical adoption (having a DMARC record) and security enforcement (setting a policy to “reject” or “quarantine”). This gap represents a massive window of vulnerability for organizations. In 2025 alone, Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers, illustrating the sheer scale of the threats that DMARC is designed to neutralize. Key takeaways from the report include:

The 36-Point Vulnerability: While 78% of domains now have a DMARC record, the 36-point gap between reporting and enforcement proves that compliance does not equal protection.

Enforcement Stagnation: Enforcement saw a 7% increase throughout 2025 (moving from 35% to 42%), suggesting that many organizations “set it and forgot it” at the most basic, non-protective level.

Mandate vs. Maturity: Mailbox provider mandates (from Google, Yahoo, and Microsoft) successfully drove reporting adoption but failed to push organizations toward full enforcement.

The AI Threat Multiplier: The gap is becoming increasingly dangerous as attackers use gen AI to bypass traditional filters. While Secure Email Gateways (SEGs) hunt for malicious links and shady language, AI produces perfectly tailored emails, making it difficult to detect. This means domain-level enforcement is the only reliable way to verify sender identity and block impersonation at the source before it ever reaches the inbox.

BIMI Adoption Lags: Without closing the Enforcement Gap, organizations cannot reach BIMI (Brand Indicators for Message Identification) standards, which remain stalled at a 4% adoption rate.

For security and IT leaders, this report is a critical call to action: treating a reporting-only DMARC policy as “done” creates a false sense of security and leaves domains vulnerable to the new wave of sophisticated, AI-driven attacks. The 36-point gap is not a technical oversight but a failure of management and enforcement.

Industry-Specific DMARC Adoption and Enforcement Trends

Sectors like Online Retail (72.73% at enforcement) and Manufacturing (67.61% at enforcement) have normalized DMARC enforcement, leading the cross-industry average by over 25 percentage points.

Arts and Recreation (31.61%) and Higher Education (33.71%) remain significantly exposed to spoofing and phishing threats, with enforcement lagging far behind.

Regulated industries (Financial Services, 59.18%; Healthcare, 57.42%) are converting reporting into enforcement, yet anything short of a 90% remains a critical vulnerability for institutions within these sectors.

The Information Technology sector (53.05% at enforcement) displays an uneven adoption maturity, with over a quarter of domains (25.81%) still lacking any valid DMARC record.

Valimail Commentary

“For years, the industry’s focus was simply on getting DMARC records in place. And we’ve made great inroads when it comes to DMARC. But reaching enforcement is a critical first step in a modern security journey-not the destination. The Enforcement Gap we see today is where the most damage happens. It’s a ‘purgatory’ state where senders think they’re safe because they’ve checked a compliance box, but they haven’t actually locked the door. In the current threat landscape, a DMARC record without an enforcement policy is just a roadmap to attackers to see exactly where your defenses end,” said Al Iverson, Industry Research and Community Engagement Lead.

“The 36-point Enforcement Gap we’ve identified is a massive wakeup call for the industry. It shows that while mandates have successfully pushed companies to check the ‘reporting’ box, more than half of domains are still stopping short of actual protection. In the age of generative AI, being ‘compliant’ without being ‘enforced’ is like installing a security camera but leaving the front door wide open. If you’re among the 58% still unprotected, you’re not just vulnerable, you’re a primary target. To stay ahead of today’s threats, organizations must close this gap and move to full enforcement,” said Scott Ziegler, Valimail Vice President of Product.

Frequently Asked Questions

What is the Enforcement Gap, and why is it dangerous for a business? The Enforcement Gap is the 36-point disparity between organizations that have published a DMARC record (78%) and those that have actually reached enforcement (42%). This gap exists because many companies implemented DMARC only to meet the minimum “reporting-only” requirements of mailbox providers like Google and Yahoo. While they are technically “compliant” with the mandates, they are still 100% vulnerable to domain spoofing. In an era of AI-driven phishing, staying in this gap creates a false sense of security that attackers are actively exploiting.

Why do domains with DMARC still lack full protection? Many organizations implement a policy to meet minimum compliance for bulk senders (Microsoft, Google, Yahoo) without realizing that this policy does nothing to actually protect the domain against malicious spoofing and false use.

Why didn’t the mailbox providers’ mandate “solve” DMARC? Mandates drove reporting adoption but did not, by themselves, drive full enforcement. Many organizations did the minimum required to keep mail flowing and stopped there.

How does DMARC help against AI-driven attacks? DMARC provides a foundational defense by ensuring that no matter how sophisticated an AI-crafted malicious message is, if it attempts to spoof your domain, a strong DMARC policy will reject the unauthenticated attempt before it reaches the inbox.

Which industries are actually enforcing DMARC, not just starting it? Manufacturing, online retail, financial services, and healthcare lead the market in converting reporting into enforcement-yet even in these top sectors, nearly 30% of organizations remain unprotected and vulnerable to impersonation.

Why are so many domains still vulnerable despite years of awareness? Because DMARC policies are public in the DNS, these vulnerabilities are easy for attackers to identify and exploit. The 20-30% of domains without enforcement in every industry represent a visible attack surface, increasing risk for every organization that delays protection.

About Valimail

Valimail, a DigiCert company, is the global leader in Zero Trust email authentication and invented hosted DMARC in 2015 and DMARC-as-a-service in 2021. In use by more than 100,000 companies globally, the company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance. From neighborhood shops to the world’s largest brands, many organizations use these solutions to secure their emails. Valimail holds the most robust portfolio of 20 patents that unlock DMARC for businesses at scale and is the only DMARC solution to earn FedRAMP authorization. Valimail employees Chair and co-Chair many critical ecosystem bodies, such as the IETF DMARC Working Group, and the AuthIndicators Working Group developing BIMI. The premier DMARC partner for Microsoft 365 environments, Valimail also holds leadership positions on every key industry standards body, driving today’s email authentication policies and tomorrow’s cybersecurity advancements for everyone. For more information, please visit http://www.valimail.com.

Media Contact

Escalate PR for Valimail[email protected]

###

SOURCE: Valimail