Less than eight percent of top domains implement the toughest DMARC protection

New research from EasyDMARC reveals that just 7.7 percent of the world's top 1.8 million email domains are fully protected against phishing and spoofing, having implemented the most stringent DMARC policy.

While this configuration, known as 'p=reject', actively blocks malicious emails from reaching inboxes, many businesses have only adopted the monitoring-only setting known as 'p=none', which passively monitors inboxes for threats without intercepting them. This means it doesn't block fraudulent emails or provide full visibility into authentication failures.

Mandates from Google, Yahoo, and Microsoft, along with frameworks like PCI DSS v4.0.1, have spurred a rush to adopt DMARC. But in many cases, that adoption stops at passive monitoring.

"There's a growing perception that simply publishing a DMARC record is enough," says EasyDMARC CEO Gerasim Hovhannisyan. "But adoption without enforcement creates a dangerous illusion of security. In reality, most organizations are leaving the door wide open to attacks targeting customers, partners, or even employees."

The report reveals a significant gap between DMARC implementation and effective enforcement, with more than half (52.2 percent) of the domains still lacking even a basic DMARC record. Among those that have implemented DMARC, most fail to apply the enforcement policies or reporting mechanisms needed to make the protocol truly effective.
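The gap between publishing a DMARC record and enforcing one can be checked directly from the record text. The following is an added example, not code from EasyDMARC or its report: it classifies a domain's posture from the TXT value published at `_dmarc.<domain>`. The function names, posture labels and sample records are constructed for illustration, and `quarantine` and `pct` are standard DMARC tags (RFC 7489) that the article itself does not mention.

```python
# Added illustration: classify a domain's DMARC posture from its TXT record.
# Sample records are constructed; a real check reads TXT at _dmarc.<domain>.

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    # RFC 7489: a DMARC record must begin with v=DMARC1
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Return (posture, findings) for a raw TXT value; None means no record."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc", ["no valid DMARC record published"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unrecognised p= tag"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        findings.append("p=none: mail that fails DMARC is still delivered")
        return "monitoring-only", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if policy == "reject" and pct == 100:
        return "enforced-reject", findings
    return "partial-enforcement", findings

SAMPLES = {  # constructed records, not taken from the report
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none",
    "example.org": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "example.edu": None,
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        posture, findings = classify(txt)
        print(f"{domain:12} {posture:20} {'; '.join(findings) or 'ok'}")
```

Only the first sample reaches the 'p=reject' state the report counts as fully protected; the second is the record that exists but neither blocks nor reports.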

Countries with strict DMARC mandates, such as the United States, the UK, and the Czech Republic, have seen the biggest reductions in phishing emails reaching inboxes. In the US, for example, the percentage of phishing emails accepted dropped from 68.8 percent in 2023 to just 14.2 percent in 2025. In contrast, countries with voluntary or no guidance, like the Netherlands and Qatar, showed little to no improvement.

Hovhannisyan adds, "Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organizations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option."

You can get the full report from the EasyDMARC site.
