← All insights · Thu, 02 Jul 2026
Most domains that publish DMARC never actually turn it on. Here's the data.
Across 50,000 of the world's most-linked domains, 64.6% publish a DMARC record. Sounds healthy — until you read the policy.
Only 22.7% of all domains are on p=reject. Of the domains that publish DMARC at all, the split is:
p=none — 37.2%p=reject — 35.2%p=quarantine — 27.6%p=none is monitoring only: it asks receivers to do nothing. A domain on p=none announces a policy it doesn't enforce — spoofable in practice, even though the record exists. The takeaway for anyone sending or securing email: publishing DMARC is not the same as being protected by DMARC. The path is p=none → p=quarantine → p=reject, and most of the web stops at step one.
Data: MailTester Ninja Email Infrastructure Index — 50,000 domains, snapshot Thu, 02 Jul 2026 08:16:19 GMT. Reuse freely under CC BY 4.0.
p=none tells receiving mail servers to take no action on messages that fail DMARC — it is monitoring only. The domain is not protected against spoofing until it moves to p=quarantine or p=reject.
In MailTester Ninja's 50,000-domain sample, 22.7% of all domains enforce DMARC with p=reject.