Incident

DMARC Adoption Statistics — Where the Industry Stands

DMARC adoption accelerated sharply in 2024 following Google and Yahoo's enforcement announcement. But millions of domains still have no DMARC record — and many that do are stuck at p=none indefinitely.

Published

2024 was the year DMARC got real — Google and Yahoo forced the record to exist for bulk senders, and adoption jumped. The gap now is enforcement: most orgs stopped at p=none and never moved to quarantine or reject.

Key statistics

What this means

The easy part happened — adding a DMARC record. The hard part is tightening policy. Most domains added p=none under deadline pressure and never upgraded. Their domains still have no active spoofing protection.

The gap between "has DMARC" and "DMARC is actually enforced" is where most brand spoofing happens.

What to do

Run DNS Preflight on your domain. If DMARC shows p=none and you set it more than 4 weeks ago — it's time to review your aggregate reports and upgrade to p=quarantine.

Analyze DMARC reports

Open DMARC Report Analyzer →
Related: DMARC policy · Blog: p=none problem

FAQ

What percentage of domains have DMARC?

Roughly 5+ million domains as of 2024, representing significant growth after Google and Yahoo's enforcement announcement.

What percentage have p=reject?

Approximately 25% of domains with DMARC have reached p=reject. Most are still at p=none.

Why do most companies stay at p=none?

They set up DMARC under deadline pressure, got the green tick, and moved on without reading reports or upgrading policy.

Is p=none better than no DMARC?

Yes — it satisfies Google/Yahoo requirements and gives you visibility. But it provides zero spoofing protection.

How do I move from p=none to p=reject?

Read your DMARC aggregate reports for 2-4 weeks. Fix alignment failures. Move to p=quarantine. Then p=reject. Use DomainPreflight DMARC Report Analyzer.

← All incidents

Open DomainPreflight →