← All insights · Thu, 02 Jul 2026

The DMARC enforcement gap: 64.6% publish it, only 22.7% enforce it

Most domains that publish DMARC never actually turn it on. Here's the data.

Across 50,000 of the world's most-linked domains, 64.6% publish a DMARC record. Sounds healthy — until you read the policy.

Only 22.7% of all domains are on p=reject. Of the domains that publish DMARC at all, the split is:

p=none is monitoring only: it asks receivers to do nothing. A domain on p=none announces a policy it doesn't enforce — spoofable in practice, even though the record exists. The takeaway for anyone sending or securing email: publishing DMARC is not the same as being protected by DMARC. The path is p=none → p=quarantine → p=reject, and most of the web stops at step one.

Verify a real address → This is aggregate DNS data. To check whether a specific email address exists and is deliverable, use MailTester Ninja — real-time, nothing stored.

Data: MailTester Ninja Email Infrastructure Index — 50,000 domains, snapshot Thu, 02 Jul 2026 08:16:19 GMT. Reuse freely under CC BY 4.0.

FAQ

What does p=none mean in DMARC?

p=none tells receiving mail servers to take no action on messages that fail DMARC — it is monitoring only. The domain is not protected against spoofing until it moves to p=quarantine or p=reject.

What percentage of domains enforce DMARC with p=reject?

In MailTester Ninja's 50,000-domain sample, 22.7% of all domains enforce DMARC with p=reject.

Built & updated automatically by MailTester Ninja — the email verifier that stores nothing. DNS-only, aggregate data, no personal information. · Index · Email checker · Tools · Guides · Insights · JSON API · ✓ Verify emails →