Only 1 in 10 Domains Enforce DMARC in 2025

Why Email Spoofing Still Works

Email has been around for decades, and so have email attacks. DMARC was supposed to be the answer. First published in 2012, it gives domain owners a way to tell mail servers: “If this message didn’t come from me, don’t deliver it.” Simple idea, big impact. At least, that’s the theory.

In practice? The internet has mostly ignored it. Despite years of awareness campaigns, conferences, and security incidents pointing to the need for email authentication, the numbers show that most of the online world remains exposed.

According to Fortra/Agari’s latest 2025 analysis of the world’s 10 million most popular domains, more than 81 percent have no DMARC record at all. Another 10 percent only run in “monitoring” mode (p=none), which allows them to collect reports but doesn’t actually block anything. That leaves only 7.6 percent of domains with any form of enforcement, and just 3.9 percent with the strictest protection (p=reject) across all subdomains. Put bluntly: 9 out of 10 domains worldwide are still open to spoofing.
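The buckets in those figures (no record, monitoring only, partial enforcement, full enforcement including subdomains) fall straight out of the tags in a domain's DMARC record. The following parser and classifier is an added example, not code from the original post or from the Fortra/Agari study; every domain and record in it is a constructed sample rather than a real lookup, and the tag semantics it relies on (sp= defaulting to p=, pct= defaulting to 100) are as specified in RFC 7489.

```python
"""Classify a domain's DMARC posture from the text of its DNS record.

Added example for illustration; it is not code from the original post or
from the Fortra/Agari study. The buckets follow the ones quoted above: no
record, monitoring only (p=none), partial enforcement, and full enforcement
(p=reject covering subdomains too). All domains and records below are
constructed samples, not real lookups.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcPolicy:
    policy: str       # p= tag: none, quarantine or reject
    subdomain: str    # sp= tag; RFC 7489 says it defaults to p= when absent
    pct: int          # pct= tag; defaults to 100 (apply policy to all mail)
    reporting: bool   # True when an rua= address is present


def parse_dmarc(txt: str) -> Optional[DmarcPolicy]:
    """Parse one TXT value; return None if it is not a usable DMARC record.

    A record is ';'-separated tag=value pairs and must carry v=DMARC1 and a
    p= tag (RFC 7489 section 6.3). Unknown tags are ignored, as receivers do.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return None
    subdomain = tags.get("sp", policy).lower()
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    return DmarcPolicy(policy, subdomain, pct, bool(tags.get("rua")))


def classify(txt: Optional[str]) -> str:
    """Bucket a domain the way adoption surveys do; None means no TXT record."""
    if txt is None:
        return "no record"
    rec = parse_dmarc(txt)
    if rec is None:
        return "invalid record"
    if rec.policy == "none":
        return "monitoring only"
    # pct below 100 tells receivers to apply the policy to only a sample of
    # failing mail, so the domain is not fully enforcing even with p=reject
    if rec.pct < 100:
        return f"partial enforcement ({rec.policy}, pct={rec.pct})"
    if rec.policy == "reject" and rec.subdomain == "reject":
        return "full enforcement (reject, all subdomains)"
    if rec.subdomain == "none":
        return f"enforcement ({rec.policy}) but subdomains unprotected"
    return f"enforcement ({rec.policy}, subdomains {rec.subdomain})"


SAMPLE_RECORDS = {  # constructed, not real domains or lookups
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "sampled.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@sampled.example",
    "gap.example": "v=DMARC1; p=reject; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # p= missing
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(txt)}")
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` (for example with `dig _dmarc.example.com TXT`) and pass the joined string to `classify`. The two cases worth noticing are `gap.example`, where p=reject looks strict but sp=none leaves every subdomain spoofable, and `sampled.example`, where pct=25 means three out of four failing messages are still delivered.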

Why Has Adoption Stalled?

It’s worth asking: why is email still the weakest link? DMARC has been available for over a decade, the specification is stable, and most modern mail providers support it. Yet adoption remains painfully slow. Fear of disruption is the biggest factor. Organizations worry that enforcing DMARC will block legitimate traffic — newsletters, CRM platforms, invoicing systems, or any third-party service that sends on their behalf. Without proper visibility, that fear feels justified. Nobody wants to be the admin who “broke email.”

The second factor is lack of expertise. SPF, DKIM, and DMARC are DNS-based technologies that require careful alignment, and many companies simply don’t have in-house staff who are comfortable making those changes. Misconfigurations are common, and security teams often push email down the priority list compared to “sexier” threats like endpoint compromise or ransomware.

But the irony is that most ransomware attacks and breaches start with email. Phishing remains the number one attack vector. In 2025, that reality hasn’t changed.

Regional and Industry Disparities

Global averages hide important differences. EasyDMARC’s 2025 report shows that among 1.8 million high-profile email domains, adoption has nearly doubled in just two years — from 27.2 percent in 2023 to 47.7 percent in 2025. That’s a promising sign, but even within this more mature group, strict enforcement remains rare. Only 7.7 percent of domains have moved all the way to p=reject.

This pattern repeats across industries. Large financial institutions and governments are further along because regulation pushes them forward. Smaller businesses and non-profits lag behind, often because they don’t have the resources or knowledge. Unfortunately, attackers don’t discriminate — spoofing a small supplier can be just as damaging as spoofing a bank when the goal is to trick victims into clicking a link or paying an invoice.

How Hard Is It to Fix?

The good news: fixing an organization’s email authentication posture is not as complex as it may seem. If you already know who your legitimate senders are, the journey to enforcement can be measured in weeks, not years. For a small to mid-sized company, one to three months is a realistic timeline. Larger enterprises may take longer due to sprawling infrastructures and third-party dependencies, but the steps remain the same:

  1. Publish SPF and DKIM records correctly for all domains and subdomains.

  2. Add a DMARC record at p=none to begin collecting aggregate reports.

  3. Monitor those reports to identify all legitimate senders.

  4. Gradually tighten the policy — moving to quarantine for partial enforcement, and eventually reject for full protection.
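Step 3 is where the "will this break email?" fear gets answered with data: the aggregate reports sent to the rua= address list every source that used your domain in the From header and whether its SPF/DKIM aligned. The script below is an added example, not code from the original post or from any DMARC vendor. It reads the RFC 7489 Appendix C aggregate report format; the embedded report is a constructed sample (documentation-range IPs, .example domains), and the three verdicts it assigns are this example's own labels.

```python
"""Summarise a DMARC aggregate (rua) report to see who sends as your domain.

Added example, not code from the original post. The XML layout follows the
aggregate report format of RFC 7489 Appendix C. The report below is a
constructed sample with documentation-range IPs and .example domains; it is
not a real report.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.example</domain><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>  <!-- your own mail server: SPF and DKIM both aligned -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- a CRM vendor: authenticates, but under its own domain, so nothing aligns -->
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- unknown host with no authentication at all -->
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Worst-case ordering used when one IP shows up in several records
SEVERITY = {"aligned": 0, "authenticated-unaligned": 1, "unauthenticated": 2}


def summarise(report_xml: str) -> dict:
    """Per source IP: message count, aligned pass/fail counts and a verdict."""
    root = ET.fromstring(report_xml)
    per_ip: dict = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated carries the *aligned* SPF/DKIM results, which is
        # what DMARC actually judges on; a pass on either is a DMARC pass
        aligned = (rec.findtext("row/policy_evaluated/dkim") == "pass"
                   or rec.findtext("row/policy_evaluated/spf") == "pass")
        # auth_results carries raw results regardless of alignment; a raw
        # pass with no aligned pass is the signature of a third-party sender
        raw_pass = any(r.findtext("result") == "pass"
                       for r in rec.findall("auth_results/*"))
        if aligned:
            verdict = "aligned"
        elif raw_pass:
            verdict = "authenticated-unaligned"
        else:
            verdict = "unauthenticated"
        entry = per_ip.setdefault(ip, {"count": 0, "pass": 0, "fail": 0, "verdict": "aligned"})
        entry["count"] += count
        entry["pass" if aligned else "fail"] += count
        if SEVERITY[verdict] > SEVERITY[entry["verdict"]]:
            entry["verdict"] = verdict
    return per_ip


def enforcement_impact(per_ip: dict) -> int:
    """Messages that would have been quarantined or rejected under an enforcing p= policy."""
    return sum(e["fail"] for e in per_ip.values())


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    for ip, e in summary.items():
        print(f"{ip:15} count={e['count']:4} pass={e['pass']:4} fail={e['fail']:4} {e['verdict']}")
    print("messages affected by moving to enforcement:", enforcement_impact(summary))
```

Real reports arrive by mail at the rua= address as gzip or zip attachments; decompress them and pass the XML text to `summarise`. Read the verdicts as a to-do list before tightening the policy: an `aligned` source is safe under p=reject; an `authenticated-unaligned` source is the legitimate third party from the "broke email" scenario, and the fix is to have it sign with a DKIM key under your domain (or use your domain as the envelope sender) so its mail aligns; an `unauthenticated` source is either a forgotten internal system to bring into SPF/DKIM or someone else using your name, which is precisely what enforcement exists to stop. `enforcement_impact` gives the count of messages the move to quarantine or reject would have affected in that reporting window.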

There are free and commercial tools that make this easier, from DMARC report visualizers to automated policy advisors. The path is clear, but it requires commitment.

Why It Matters in 2025

What makes the current adoption gap troubling is that email authentication is no longer just a “security best practice.” It is becoming a business necessity. Google and Yahoo’s new sender requirements, introduced in 2024, mandate proper authentication for bulk mail. Domains that fail to comply risk being filtered, throttled, or outright blocked. That means poor DMARC posture doesn’t just expose you to spoofing — it can also undermine your ability to reach customers at all.

In other words: ignoring DMARC is both a security risk and a deliverability risk. It damages brand reputation, erodes customer trust, and in some cases, breaks communication entirely.

The Bottom Line

The data from 2025 shows progress compared to five years ago, but not nearly enough. More domains are publishing DMARC, but too few are enforcing it. Attackers exploit that gap every single day. Until organizations move past monitoring into real enforcement, phishing will remain cheap, scalable, and effective.

The frustrating part? The solution already exists. It’s free, it’s mature, and it works. What’s missing is the decision to use it. Email may be decades old, but securing it doesn’t need to take decades more.

Simplified Version

Email is still the main way cybercriminals trick people, and the fix, DMARC, has been around for more than 10 years. Yet in 2025, the vast majority of domains still don’t use it properly.

Recent research shows that over 80% of domains have no DMARC at all, and of those that do, only about 1 in 10 actually enforce it. In other words, if you own a domain, chances are high that someone could impersonate it today without much effort.

Why so little adoption? Fear and hesitation. Companies worry that switching on DMARC will break their email or block legitimate messages sent through services like CRMs and newsletters. Others simply don’t know how to set it up, or they leave it in “monitoring mode” forever.

But the truth is: DMARC is not hard to fix. For a small or mid-sized company, it can usually be solved in a few weeks. The steps are straightforward:

  • Make sure SPF and DKIM are in place.

  • Add a DMARC record in p=none mode to see who’s sending on your behalf.

  • Tighten the policy step by step until you reach full enforcement (p=reject).

So why does this matter? Because without DMARC, attackers can send fake invoices, fake supplier emails, or even fake messages to your customers that look completely real. On top of that, Google and Yahoo now require DMARC for bulk mail. Skip it, and your emails may not even reach the inbox.

The bottom line: phishing works because domains leave the door open. The good news is the door can be closed. DMARC is free, effective, and proven — it just takes the decision to enforce it.


Albert Abdul-Vakhed

Founder of Hostgard. When he’s not obsessing over server performance and digital security, he’s probably writing blog posts like this one to help creators build smarter, faster, and reliable websites.


About the Simplified Version

This blog includes a Simplified Version to support readers who prefer:

  • Shorter paragraphs

  • Bullet points and summaries

  • A quicker, easier reading experience

Whether you’re short on time, feeling mentally tired, or just prefer a more direct format — this version is here to help.

Because good information should be easy for everyone to access.