There’s a common misconception: If organizations don’t use their domain to send email, they think DMARC is unnecessary.
That couldn’t be farther from the truth.
Imagine you don’t drive your car. You still want everybody to know that you don’t drive it, so that if they see it around town, they know it isn’t you and that something is amiss. Fortra recently surveyed the top 10 million domains on the internet to find out how many are using DMARC (and how many are at risk).
In this blog, we’ll extend the car analogy across the DMARC scope to illustrate what DMARC is, why it’s important, and why there are few - if any - exceptions.
Baby, You Can’t Drive My Car
DMARC is a policy that sits over the top of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and states that “if unauthorized people drive my car (domain), here’s what I want you to do.” SPF and DKIM lay out how to determine if someone is a legitimate driver (user).
SPF: A list of those allowed to drive the car (or use your domain), much like you would have them listed on your insurance.
DKIM: Acts as a permission slip from the domain owner (you) to those driving. If they get pulled over, they pull out the slip signed by you and they’re good to go.
DMARC comes into play when the police pull someone over for using your car (domain) and they fail to pass either SPF or DKIM. What happens then?
What Happens When You Get Pulled Over?
There are several options, and all of them are in use among the top 10 million domains on the internet, though not in the proportions we would like to see. DMARC policies can state that the illegitimate driver can:
Be waved on. Send them on their way, there’s no consequence for driving my vehicle without permission! This is the equivalent of a “+All,” which we’ll get to later.
Be pulled over. Have them pull off to the side and walk the rest of the way. This is like saying, “run the message through your email scanners, see if you pick up anything. If not, we’ll just let them go, this isn’t a big issue.”
Have the car impounded. The safest route. If someone is driving my car (domain) without permission, stop them in their tracks and quarantine the message or block it outright—every time. In other words, impound the vehicle.
In our survey, we discovered how many people adhere to which line of DMARC reasoning. The results can be found in full in The State of Email Trust: Global DMARC Adoption Trends in Q2 2025.
Here are the highlights.
How Many Are Using DMARC, DKIM, and SPF?
Unfortunately, not as many as we’d like to see. But the numbers are great for attackers.
DMARC
According to our Q2 research, Fortra discovered that (out of 10 million domains):
Only 18% (less than 1 in 5) had a DMARC record
Of that 18%, more than half (58%) had a policy of “p=none.” That essentially means that if it fails DKIM and SPF authentication, just run it through the spam filters, but it’s not guaranteed to get stopped – just sort of checked.
The good news is that at least 42% (of that 18%) had a “quarantine or reject” policy. That means don’t ask questions; if it fails DKIM and/or SPF, send it to the Spam Folder or block it entirely. Shoot first, ask questions later. It’s a way not to take chances with your valuable domain.
And why would we? Our domains house our brand reputations. You don’t want someone running around in your name, especially if you don’t even send emails in the first place. If you ever decide to, they could ruin your chances because they’ve racked up so many “tickets” on your previously spotless record.
And if you decide not to, outsiders still don’t know that you never sent email in the first place, and they won’t care: any email they’ve ever gotten from “you” will have been spam or a phish, so you’ve fallen out of their good graces.
SPF below 40%
Let’s drill down into the nuts and bolts of authentication. How many of the top 10 million internet domains had basic SPF and DKIM in place?
Only 36.7% had a valid SPF record. 61.9% had no record whatsoever, and 1.4% had one but with so many errors that it could have been rendered useless.
Almost half (4,479) of that 36.7% had a “+All” policy. This means there are essentially no consequences for senders that didn’t pass SPF authentication - anyone can drive my car.
This allows attackers to run around with your domain and send malicious emails. There are no repercussions. What's even more frightening? We discovered several high-profile entities, such as government agencies and software distributors, with one of these 'allow all' policies currently in place.
The Take Home
Despite DKIM being around since 2012 (and being the widely accepted industry protocol), Fortra discovered that:
Only 7.6% of the top 10 million domains had a firm DMARC policy
But why not? It’s free, it’s a publicly available standard, and it costs nothing but your time. And therein may lie the rub. Many companies lack the time or expertise to implement DMARC correctly. That’s why they turn to third parties.
Third Parties for the DMARC Implementation Win
Sometimes, setting up those policies can be difficult, and so many things can go wrong. That’s why we’re seeing people lean on third-party vendors to implement their DMARC policies for them, and it’s working.
Of those that relied on third parties to get their DMARC policies configured correctly:
Up to 73% got to “quarantine or reject.” This means that their policies put bad drivers in time-out instead of letting them walk free.
Of those that did not:
Only 23% got to “quarantine or reject.”
Why are people failing to get that far with their own DMARC configurations? A few reasons.
They are afraid their messages will get missed. Think marketing and other customer reach-outs. This is a risk, but having a few people off the distro list has small consequences compared to having a rogue cybercriminal make off with your domain and send nefarious messages in your name.
Additionally, that is what the DKIM and SPF feedback loop is for. When things get blocked, those results automatically get reported back to the DMARC owner or authorized representative so they can tweak the rules in the future. That way, they’ll get better at letting the “good guys” in and keeping the “bad guys” out.
DMARC is hard to do. There are, again, many ways to go wrong when setting up your DMARC, DKIM, and SPF policies. For example:
Forgetting to put the “mailto:” scheme in front of reporting addresses. It’s small, but it matters.
Putting the p-tag in the wrong place. Every DMARC record starts with “v=DMARC1;” and is followed directly by “p=[policy].” Put it anywhere else, and the policy is wrong.
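The two record mistakes listed above, together with the “+All” SPF problem from the survey section and the three policy options, as an added Python check that is not part of this post or of any Fortra product. The sample TXT records are constructed, and the “p= must come directly after v=DMARC1” rule is the one stated here.

```python
# Constructed sample TXT records (not taken from the survey).
SAMPLES = {
    "good-dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "p-wrong-place": "v=DMARC1; rua=mailto:dmarc@example.com; p=quarantine",
    "no-mailto": "v=DMARC1; p=none; rua=dmarc@example.com",
    "spf-plus-all": "v=spf1 include:_spf.example.com +all",
    "spf-strict": "v=spf1 include:_spf.example.com -all",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into an ordered list of pairs."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags.append((key.strip().lower(), value.strip()))
    return tags

def check_dmarc(record):
    """Return the problems found in a DMARC record (empty list when clean)."""
    problems = []
    tags = parse_tags(record)
    values = dict(tags)
    # Ordering rule from the post: v=DMARC1 first, p= directly after it.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if len(tags) < 2 or tags[1][0] != "p":
        problems.append("p= must directly follow v=DMARC1")
    policy = values.get("p", "").lower()
    if policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    # Reporting addresses (rua/ruf) must carry the mailto: scheme.
    for tag in ("rua", "ruf"):
        for uri in values.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} address '{uri}' lacks the mailto: scheme")
    return problems

def check_spf(record):
    """Flag an SPF record whose final 'all' mechanism lets anyone send."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    if terms[-1].lower() in ("+all", "all"):
        return ["ends with +all: anyone can send as this domain"]
    return []
```

Run `check_dmarc` and `check_spf` over the TXT records you publish before changing a policy; an empty list means none of the mistakes discussed here were found.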
A good third-party vendor can help with DMARC implementation. Many people don’t trust the job to anyone else but a trained DMARC professional. With the right vendor in place, you can be sure that the policies you think you are implementing are actually getting implemented correctly, and that you’re protected when you think you are.
If nothing else, it’s good to have a double set of expert eyes behind you checking your work. As the numbers have shown, the right DMARC implementation vendor can get you better results than your efforts alone, sending more suspicious emails to the reject category by a factor of three.
See how Fortra DMARC Protection simplifies DMARC implementation, monitoring, and management.