DMARC Adoption: A Deep Dive into the Current State of Email Authentication

Last year, Gmail and Yahoo raised the bar for email authentication by requiring sending domains to have a valid DMARC record in place. This change left many marketers scrambling to implement DMARC. 

But simply having a DMARC record wasn’t—and isn’t—enough. These DMARC records need to be well-formed and properly configured. To help you navigate the world of DMARC, let’s explore common mistakes and highlight some best practices. 

DMARC: The email guardian 

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a critical email authentication protocol. 

It builds upon existing authentication methods, SPF and DKIM, and empowers domain owners to suggest how email providers handle messages that fail authentication. This helps protect brands from spoofing attempts, where unauthorized senders try to use their domain to send emails.    

Think of it as a verification system for your “From” address. DMARC helps ensure that the sender you see in your inbox is the real deal, not some imposter trying to phish for your information or spread spam. 

I kept it short here, but for more detailed information on DMARC, check out the Validity blog and Help Center. 

Overall DMARC adoption 

So, what’s the current state of DMARC adoption? Well, the results are a bit surprising. It turns out that a whopping 84 percent of domains and subdomains used in email “From” addresses don’t have a published DMARC record.     

A further 7.64 percent of all domains have a record published but it is invalid, and only about eight percent have a valid DMARC record in place. That means roughly 16 percent have at least attempted to implement DMARC, but there’s clearly a lot of room for improvement.

This data aligns with similar studies, indicating that DMARC adoption still has a long way to go. But don’t worry; we’ll explore the reasons behind this trend and guide you on the right path. 

A TLD breakdown

Let’s break down DMARC adoption by Top-Level Domains, or TLDs. TLDs are basically everything that follows the final dot of a domain name and indicates the website’s category or purpose. 

As you might expect, .com is the most popular TLD choice, representing nearly 29 percent of the domains in our study. However, a staggering 75 percent of .com domains lack a DMARC record.    

The also-popular .net and .org options trail close behind in popularity but show even lower DMARC adoption rates, with over 95 percent missing a record. It seems there’s a lot of work to be done across the board.    

But it’s not all doom and gloom. Some TLDs are shining examples of DMARC adoption: 

  • Japan (.jp): 26 percent have a valid DMARC record.    
  • United Kingdom (.uk): Nearly 40 percent have a valid record.    
  • Australia (.au) and France (.fr): Both boast 37 percent with valid records.    
  • Brazil (.com.br): An impressive 49 percent have a valid DMARC record.    

These results highlight the global variation in DMARC adoption. While some countries are embracing DMARC, others are still struggling. 

Chart: DMARC adoption by Top-Level Domains

DMARC policies: Taking a stand (or not) 

Now, let’s look at the type of DMARC policies senders use today.  

As a quick refresher, a DMARC policy tells mailbox providers what to do with emails that fail authentication. The most common policy? “None.” A whopping 68 percent of domains with valid DMARC records use this policy.   

This essentially means these senders are letting mailbox providers decide what to do with unauthenticated messages. While mailbox providers use various methods to filter emails, DMARC provides an extra layer of authentication, allowing you to specify how they should handle messages that fail authentication checks. This helps protect your reputation and ensures your legitimate emails reach your audience. 

While p=none is the minimum requirement for a valid DMARC record, Validity advises senders to adopt one of these stricter policies: 

  • Quarantine: This tells mailbox providers to treat suspicious emails with caution, perhaps sending them to the spam folder.  
  • Reject: This instructs mailbox providers to outright reject emails that fail authentication.  

While p=none is a starting point, mailbox providers like Gmail and Yahoo are moving towards stricter DMARC policies like ‘reject’ to combat spoofing and phishing. Even spammers exploit ‘none,’ so upgrade your policy today to ensure your emails reach your audience and protect your brand.  

DMARC fails: When records go rogue 

Not all DMARC records are created equal. Some are set up incorrectly and fail validation at the server receiving the message. In fact, nearly 7.6 percent of the domains in the study had an invalid record.

What makes a DMARC record invalid? The most common culprit is a missing or incorrect “v=DMARC1” tag, which accounts for about 94 percent of all invalid DMARC records. This tag is essential for identifying the record as a DMARC record. Without it, mailbox providers won’t recognize it.

If the sender uses a subdomain, the DMARC parser will query the level above for a _dmarc.[domain] record, all the way up to the organizational domain level. Subdomain inheritance is a feature added to DMARC by design; I drew a line in the sand and didn’t explore that in this study.

The other frequent error is publishing multiple DMARC records for the same domain. We saw this in about five percent of the records evaluated. Mailbox providers don’t try to pick one of them; they fail DMARC validation outright. The DMARC RFC (RFC 7489) explicitly states that if the record set retrieved for the “From” domain “…contains multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message.”

Other issues were evident in less than 1.2 percent of invalid records, where we see that DMARC validation fails due to missing essential tags like “p=” (policy) or “rua=” (reporting address). These tags provide crucial instructions to mailbox providers on handling authentication failures and receiving reports.  
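The three failure modes above (a record that doesn’t start with “v=DMARC1”, multiple records at one name, and a missing “p=” tag), together with the subdomain walk described earlier, are easy to see in code. The following Python is an added example written for this post, not code from the study or from Validity Everest. It assumes a constructed in-memory DNS table instead of live lookups and a tiny hand-written stand-in for the Public Suffix List; `check_record` classifies the raw TXT records at one `_dmarc` name the way the study did (direct query only), while `discover_policy` follows the RFC 7489 receiver behaviour, including the fallback to the organizational domain that the study skipped.

```python
from typing import Dict, List

# Constructed sample DNS data (not real domains): _dmarc name -> TXT records.
SAMPLE_DNS: Dict[str, List[str]] = {
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:rua@monitor.example"],
    "_dmarc.notag.example": ["p=reject; rua=mailto:rua@notag.example"],        # no v= tag
    "_dmarc.dupe.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],         # two records
    "_dmarc.nopolicy.example": ["v=DMARC1; rua=mailto:rua@nopolicy.example"],  # no p= tag
    "_dmarc.parent.co.uk": ["v=DMARC1; p=quarantine; sp=reject"],
}
# Assumption: a tiny stand-in for the Public Suffix List used by real receivers.
PUBLIC_SUFFIXES = {"example", "co.uk", "com", "com.br"}
POLICIES = ("none", "quarantine", "reject")


def parse_record(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_dmarc(record: str) -> bool:
    """RFC 7489 only keeps records whose first tag is v=DMARC1."""
    return record.split(";", 1)[0].strip().lower() == "v=dmarc1"


def check_record(raw: List[str]) -> Dict[str, str]:
    """Classify the TXT records found at one _dmarc name: none / invalid / valid."""
    if not raw:
        return {"status": "none", "reason": "no record published"}
    dmarc = [r for r in raw if is_dmarc(r)]
    if not dmarc:
        return {"status": "invalid", "reason": "missing or misplaced v=DMARC1 tag"}
    if len(dmarc) > 1:
        return {"status": "invalid", "reason": "multiple DMARC records"}
    tags = parse_record(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # The study treats a missing p= as invalid. RFC 7489 lets a receiver fall
        # back to p=none when a usable rua= is present; that leniency is not modelled.
        return {"status": "invalid", "reason": "missing or unknown p= tag"}
    return {"status": "valid", "policy": policy,
            "sp": tags.get("sp", policy).lower(),   # sp= defaults to p=
            "rua": tags.get("rua", "")}


def organizational_domain(domain: str) -> str:
    """Longest public suffix plus one label, using the constructed suffix list."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def discover_policy(from_domain: str, dns: Dict[str, List[str]] = SAMPLE_DNS) -> Dict[str, str]:
    """RFC 7489 6.6.3 policy discovery: _dmarc.<From>, then _dmarc.<org domain>."""
    direct = [r for r in dns.get(f"_dmarc.{from_domain}", []) if is_dmarc(r)]
    if direct:
        result = check_record(direct)
        result["queried"] = from_domain
        if result["status"] == "valid":
            result["applied"] = result["policy"]
        return result
    org = organizational_domain(from_domain)
    if org == from_domain:
        return {"status": "none", "reason": "no record published", "queried": from_domain}
    result = check_record([r for r in dns.get(f"_dmarc.{org}", []) if is_dmarc(r)])
    result["queried"] = org
    if result["status"] == "valid":
        result["applied"] = result["sp"]   # subdomains inherit sp=, not p=
    return result


if __name__ == "__main__":
    for name in ("good.example", "notag.example", "dupe.example", "nopolicy.example"):
        print(f"{name:20} {check_record(SAMPLE_DNS['_dmarc.' + name])}")
    for name in ("news.parent.co.uk", "sub.good.example", "monitor.example"):
        print(f"{name:20} {discover_policy(name)}")
```

Note the difference between the two functions for `notag.example`: the study counts it as invalid (a record exists but lacks the version tag), while a receiver discards it and proceeds as if nothing were published. Both views are correct for their purpose.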

The good news is that these errors are easily avoidable. By following best practices and using available tools like Validity Everest, you can ensure your DMARC record is valid and effective.   

What’s next? 

Yahoo and Google requiring a valid DMARC record was a significant step towards stronger email security. While they aren’t yet enforcing full DMARC compliance with p=reject policies, Google has signaled its intent to take DMARC more seriously by introducing a new SMTP response code, 550 5.7.26, specifically for DMARC failures. 

Indeed, whispers across the email industry suggest a shift towards stricter DMARC policies in the future. This would pressure senders to not only publish a DMARC record but also ensure their SPF and DKIM are perfectly aligned and enforced, helping mailbox providers protect their users from unauthenticated messages.

Most emails are sent by brands that have an email sending platform—they don’t usually set up a local SMTP server like in the 70’s. Email sending platforms will need to step up their game! They’ll need to make it easier for clients to authenticate with proper alignment and publish DMARC records with full enforcement by default—no more p=none! 

In the same vein as DMARC and email security, efforts to boost brand visibility and trust are also taking center stage with BIMI (Brand Indicators for Message Identification).

BIMI allows marketers to stand out in Gmail and Apple’s inboxes by displaying their logo in emails. However, to achieve this, brands are required to get a VMC (Verified Mark Certificate). These aren’t just issued to anyone; there is a process designed to ensure that only the rightful owner of the brand’s logo receives the certificate. Did I mention that you also get a checkmark next to your sender information to signal to readers that you’re the real deal? Nothing says “trust me” more than that!

More recently Google announced the support of a CMC (Common Mark Certificate) for BIMI in Gmail, giving logo visibility in the inbox for companies that don’t yet have a registered trademark (no checkmark, unfortunately). But BIMI also works without a fancy certificate assertion (also known as self-asserted) at Yahoo, Fastmail, and others. 

Everest: Your Sherpa for the DMARC summit  

Now, for the shameless plug. But hey, if you’re going to climb Mount DMARC, you need the right gear, right?  

That’s where Validity Everest comes in. It’s your base camp, your guide, and your Sherpa for all things DMARC.  

Think of it as your email surveillance system. Everest reports on all sources sending emails on behalf of your domain and whether they pass SPF and DKIM authentication. Everest will even show you the IPs sending messages and flag any that fail your SPF records.  

But the real magic happens with continuous monitoring. Everest not only gives you visibility of your authenticated email infrastructure, it also highlights the reasons for failures, like automatic forwards or even spoofing attempts.  

Start with “p=none,” gain valuable insights into your sending infrastructure, and then confidently move to stricter policies like “quarantine” or “reject.”
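The visibility described above comes from DMARC aggregate (rua) reports, which list every source IP that sent mail with your domain in the “From” header together with its SPF and DKIM results. The Python below is an added example, not Everest’s code: it parses a constructed aggregate report, re-derives identifier alignment from the raw `auth_results` (relaxed or strict, per the published `adkim`/`aspf` tags), and labels each source as aligned, forwarded (DKIM survives, SPF breaks) or failing outright. It assumes the `header_from` domain is the organizational domain, so a suffix test stands in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample aggregate report (RFC 7489 Appendix C shape, trimmed).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published>
    <domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.brand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <spf><domain>evil.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the From domain or a subdomain of it. Assumption: header_from is the
    organizational domain, so no Public Suffix List lookup is performed."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else (a == h or a.endswith("." + h))


def summarize(report_xml: str) -> Dict[str, Dict[str, object]]:
    """Per source IP: message count, which mechanisms aligned, and a DMARC verdict."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    sources: Dict[str, Dict[str, object]] = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip", "")
        header_from = rec.findtext("identifiers/header_from", "")
        # A mechanism counts only if it passed AND its domain aligns with the From domain.
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), header_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain", ""), header_from, aspf)
                     for s in rec.findall("auth_results/spf"))
        if dkim_ok and spf_ok:
            verdict, reason = "pass", "SPF and DKIM aligned"
        elif dkim_ok:
            verdict, reason = "pass", "SPF unaligned (likely forwarding)"
        elif spf_ok:
            verdict, reason = "pass", "DKIM missing or unaligned"
        else:
            verdict, reason = "fail", "no aligned mechanism: unauthorized source or spoofing"
        sources[ip] = {"count": int(rec.findtext("row/count", "0")), "dkim_aligned": dkim_ok,
                       "spf_aligned": spf_ok, "dmarc": verdict, "reason": reason,
                       "disposition": rec.findtext("row/policy_evaluated/disposition", "")}
    return sources


def failing_volume(summary: Dict[str, Dict[str, object]]) -> Tuple[int, int]:
    """(messages that failed DMARC, total messages) across all sources."""
    total = sum(int(s["count"]) for s in summary.values())
    failed = sum(int(s["count"]) for s in summary.values() if s["dmarc"] == "fail")
    return failed, total


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, info in summary.items():
        print(f"{ip:15} {info['count']:>5} {info['dmarc']:4} {info['reason']}")
    failed, total = failing_volume(summary)
    print(f"{failed}/{total} messages would be affected by moving to p=quarantine or p=reject")
```

The third source is the case a p=none policy never stops: SPF “passes” for the sender’s own domain, but that domain does not align with the From header, so DMARC fails. Once every legitimate source in the report shows as aligned, the failing volume is the spoofed or misconfigured traffic that a stricter policy will start to block.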

This analysis should provide a valuable snapshot of DMARC adoption today, and I plan to continue this research to track sender evolution over time, alongside exploring other authentication protocols like BIMI. I hope you’ll return to see the results and be sure to check out Everest for your DMARC and email deliverability needs. 

Methodology: How we wrangled millions of domains 

Our analysis uses data from Validity’s spam trap network, which provides a snapshot of real-world email traffic. In November 2024 alone, the sample used identified over 22 million unique domains and subdomains used in the “From” address of emails.  

Now, querying DNS records for millions of domains isn’t a walk in the park. It takes time and resources. Initially I was using a single computer; to speed things up, I enlisted the help of multiple computers. This allowed me to efficiently gather DMARC records and analyze their validity.

It’s important to note that I didn’t delve into subdomain inheritance for this analysis, because doing so would have required multiple DNS queries per subdomain, walking up to the organizational domain. That’s a whole other can of worms we can explore another time. However, I did rigorously check the structure of each DMARC record, just like a real mailbox provider would. This gives us a realistic view of DMARC deployment in the wild.
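The survey loop itself, as an added example rather than the study’s actual tooling: one direct `_dmarc` query per domain (no inheritance walk, matching the methodology), resolved through a thread pool and tallied by TLD. It assumes a constructed in-memory DNS table behind a `resolve` callable; a real run would plug a DNS client into that same callable and could shard the input list across machines, as the post describes.

```python
from collections import Counter, defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List

# Constructed sample zone (not real domains): _dmarc name -> TXT records.
FAKE_DNS: Dict[str, List[str]] = {
    "_dmarc.a.com": ["v=DMARC1; p=none; rua=mailto:r@a.com"],
    "_dmarc.b.com": ["v=DMARC1; p=reject"],
    "_dmarc.c.com": ["DMARC1; p=none"],                       # version tag malformed
    "_dmarc.e.com.br": ["v=DMARC1; p=quarantine"],
    "_dmarc.f.com.br": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicate records
}
# Assumption: second-level country suffixes to keep together when grouping by TLD.
SECOND_LEVEL = {"com.br", "co.uk"}

Resolver = Callable[[str], List[str]]


def fake_resolver(name: str) -> List[str]:
    """Stands in for a real TXT lookup; returns [] for names that do not exist."""
    return FAKE_DNS.get(name, [])


def classify(records: List[str]) -> str:
    """none: nothing published; invalid: no v=DMARC1 first tag or more than one record."""
    if not records:
        return "none"
    dmarc = [r for r in records if r.split(";", 1)[0].strip().lower() == "v=dmarc1"]
    return "valid" if len(dmarc) == 1 else "invalid"


def tld_of(domain: str) -> str:
    labels = domain.lower().split(".")
    last_two = ".".join(labels[-2:])
    return last_two if last_two in SECOND_LEVEL else labels[-1]


def survey(domains: Iterable[str], resolve: Resolver = fake_resolver,
           workers: int = 8) -> Dict[str, Dict[str, int]]:
    """Query every domain once, in parallel, and tally none/invalid/valid per TLD."""
    def one(domain: str):
        return domain, classify(resolve(f"_dmarc.{domain}"))

    tally: Dict[str, Counter] = defaultdict(Counter)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for domain, status in pool.map(one, domains):
            tally[tld_of(domain)][status] += 1
            tally["all"][status] += 1
    return {tld: dict(counts) for tld, counts in tally.items()}


def percentages(counts: Dict[str, int]) -> Dict[str, float]:
    total = sum(counts.values())
    return {status: round(100 * n / total, 1) for status, n in counts.items()}


if __name__ == "__main__":
    results = survey(["a.com", "b.com", "c.com", "d.com", "e.com.br", "f.com.br", "g.jp"])
    for tld, counts in results.items():
        print(f"{tld:8} {counts}  {percentages(counts)}")
```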