Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
-
Eleven men lured into Russia war returned to South Africa
-
Brazil politicians convicted for ordering murder of black activist councilor
-
Ex-US Treasury chief Summers quits Harvard over Epstein ties
-
Modi says India stands 'firmly' with Israel during visit
-
New Zealand knock sorry Sri Lanka out of T20 World Cup
-
Berlinale meet called over film director's anti-Israel speech
-
Van der Poel to make season bow at Omloop Het Nieuwsblad
-
Maria Grazia Chiuri's Fendi homecoming feted in Milan
-
Norway's King Harald to stay in hospital to treat infection: doctor
-
Mbappe season on ice ahead of silverware sprint, World Cup
-
New Zealand produce late flurry to reach 168-7 against Sri Lanka
-
France appoints new Louvre chief after jewellery heist
-
No Ahmedabad advantage for South Africa against West Indies: Maharaj
-
Scotland fans skirt World Cup rules for kilt bags
-
18 Egyptians missing after deadly boat capsize near Greece
-
Stock markets strike record highs as AI concerns ease
-
Hong Kong finance chief tips up to 3.5% growth this year
-
Arctic underdogs Bodo/Glimt topple Champions League giants in 'fairytale'
-
Bill Gates admits affairs but denies involvement in Epstein crimes
-
Hope fades in search for missing after deadly Brazil rains
-
Germany's Merz meets Xi, announces Chinese Airbus order
-
Hakimi, set to face trial for rape, in PSG Champions League matchday squad
-
Man Utd financial results show profit increase after job cuts
-
Guinness maker Diageo cuts outlook on weak US, China demand
-
Swiss-EU deals package to be signed next week
-
Ice melt threatens emperor penguins during annual moult: researchers
-
Pope lines up trips to Central Africa, Algeria, Spain, Monaco
-
Stock markets hit record highs on easing AI concerns
-
Samson in India's mix for high-stakes clash against Zimbabwe
-
Turkey's Erdogan dismisses secular critics of Ramadan school plan
-
Ferguson inspiring Hearts' bid for Scottish title history
-
Snoop Dogg's Swansea party showcases Championship glow-up
-
France appoints new president at Louvre after jewellery heist
-
Germany's Merz meets Xi in China, seeking closer ties
-
Aston Martin slashes staff as US tariffs hit carmakers
-
Chief executive of 2030 Olympic Games becomes latest director to quit
-
Rubio meets Caribbean leaders as US raises pressure on Cuba
-
Head of France's Versailles Palace to take over Louvre: source to AFP
-
England's Brook gains redemption after 'hardest winter of my life'
-
Iran dismisses missile, nuclear claims after Trump alleges 'sinister ambitions'
-
Inside the Mexican resort that was the final hideout of 'El Mencho'
-
Somaliland pins hopes on critical mineral gold rush
-
Bejart Ballet's iconic Bolero ignites Istanbul
-
Sri Lanka arrests ex-spy chief over 2019 Easter bombings
-
South Korea birth rate jumps but still under key fertility threshold
-
Democrats bet on centrism in rebuttal to Trump speech
-
Australian police arrest two over alleged kidnapping, murder of grandfather
-
Redknapp's Gold Cup dream sparked by late grandmother
-
Trump tries to reset presidency in State of the Union speech
-
Harden hails 'special' Cavs after emphatic win over Knicks
Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
New data reveals a massive "Enforcement Gap" between record adoption and actual protection, warning that reporting-only policies create a dangerous false sense of security
SAN FRANCISCO, CA / ACCESS Newswire / February 25, 2026 / Valimail, a DigiCert company, and the global leader in Zero Trust email authentication and Domain-based Message Authentication, Reporting, and Conformance (DMARC) today released its 2026 State of DMARC Report, revealing that while DMARC awareness has surged to 78%, actual enforcement has plateaued at just 42 percent. This 36-point gap represents a growing sentiment of organizations that have implemented DMARC to meet basic mailbox provider requirements but remain entirely unprotected against domain spoofing and AI-driven impersonation.
Bridging the Enforcement Gap: Key Findings
The 2026 report defines the Enforcement Gap as the space between technical adoption (having a DMARC record) and security enforcement (setting a policy to "reject" or "quarantine"). This gap represents a massive window of vulnerability for organizations. In 2025 alone, Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers, illustrating the sheer scale of the threats that DMARC is designed to neutralize. Key takeaways from the report include:
The 36-Point Vulnerability: While 78% of domains now have a DMARC record, the 36-point gap between reporting and enforcement proves that compliance does not equal protection.
Enforcement Stagnation: Enforcement saw a 7% increase throughout 2025 (moving from 35% to 42%), suggesting that many organizations "set it and forgot it" at the most basic, non-protective level.
Mandate vs. Maturity: Mailbox provider mandates (from Google, Yahoo, and Microsoft) successfully drove reporting adoption but failed to push organizations toward full enforcement.
The AI Threat Multiplier: The gap is becoming increasingly dangerous as attackers use gen AI to bypass traditional filters. While Secure Email Gateways (SEGs) hunt for malicious links and shady language, AI produces perfectly tailored emails, making it difficult to detect. This means domain-level enforcement is the only reliable way to verify sender identity and block impersonation at the source before it ever reaches the inbox.
BIMI Adoption Lags: Without closing the Enforcement Gap, organizations cannot reach BIMI (Brand Indicators for Message Identification) standards, which remain stalled at a 4% adoption rate.
For security and IT leaders, this report is a critical call to action: treating a reporting-only DMARC policy as "done" creates a false sense of security and leaves domains vulnerable to the new wave of sophisticated, AI-driven attacks. The 36-point gap is not a technical oversight but a failure of management and enforcement.
Industry-Specific DMARC Adoption and Enforcement Trends
Sectors like Online Retail (72.73% at enforcement) and Manufacturing (67.61% at enforcement) have normalized DMARC enforcement, leading the cross-industry average by over 25 percentage points.
Arts and Recreation (31.61%) and Higher Education (33.71%) remain significantly exposed to spoofing and phishing threats, with enforcement lagging far behind.
Regulated industries (Financial Services, 59.18%; Healthcare, 57.42%) are converting reporting into enforcement, yet anything short of a 90% remains a critical vulnerability for institutions within these sectors.
The Information Technology sector (53.05% at enforcement) displays an uneven adoption maturity, with over a quarter of domains (25.81%) still lacking any valid DMARC record.
Valimail Commentary
"For years, the industry's focus was simply on getting DMARC records in place. And we've made great inroads when it comes to DMARC. But reaching enforcement is a critical first step in a modern security journey-not the destination. The Enforcement Gap we see today is where the most damage happens. It's a 'purgatory' state where senders think they're safe because they've checked a compliance box, but they haven't actually locked the door. In the current threat landscape, a DMARC record without an enforcement policy is just a roadmap to attackers to see exactly where your defenses end," said Al Iverson, Industry Research and Community Engagement Lead.
"The 36-point Enforcement Gap we've identified is a massive wakeup call for the industry. It shows that while mandates have successfully pushed companies to check the 'reporting' box, more than half of domains are still stopping short of actual protection. In the age of generative AI, being 'compliant' without being 'enforced' is like installing a security camera but leaving the front door wide open. If you're among the 58% still unprotected, you're not just vulnerable, you're a primary target. To stay ahead of today's threats, organizations must close this gap and move to full enforcement," said Scott Ziegler, Valimail Vice President of Product.
Frequently Asked Questions
What is the Enforcement Gap, and why is it dangerous for a business? The Enforcement Gap is the 36-point disparity between organizations that have published a DMARC record (78%) and those that have actually reached enforcement (42%). This gap exists because many companies implemented DMARC only to meet the minimum "reporting-only" requirements of mailbox providers like Google and Yahoo. While they are technically "compliant" with the mandates, they are still 100% vulnerable to domain spoofing. In an era of AI-driven phishing, staying in this gap creates a false sense of security that attackers are actively exploiting.
Why do domains with DMARC still lack full protection? Many organizations implement a policy to meet minimum compliance for bulk senders (Microsoft, Google, Yahoo) without realizing that this policy does nothing to actually protect the domain against malicious spoofing and false use.
Why didn't the mailbox providers' mandate "solve" DMARC? Mandates drove reporting adoption but did not, by themselves, drive full enforcement. Many organizations did the minimum required to keep mail flowing and stopped there.
How does DMARC help against AI-driven attacks? DMARC provides a foundational defense by ensuring that no matter how sophisticated an AI-crafted malicious message is, if it attempts to spoof your domain, a strong DMARC policy will reject the unauthenticated attempt before it reaches the inbox.
Which industries are actually enforcing DMARC, not just starting it? Manufacturing, online retail, financial services, and healthcare lead the market in converting reporting into enforcement-yet even in these top sectors, nearly 30% of organizations remain unprotected and vulnerable to impersonation.
Why are so many domains still vulnerable despite years of awareness? Because DMARC policies are public in the DNS, these vulnerabilities are easy for attackers to identify and exploit. The 20-30% of domains without enforcement in every industry represent a visible attack surface, increasing risk for every organization that delays protection.
About Valimail
Valimail, a DigiCert company, is the global leader in Zero Trust email authentication and invented hosted DMARC in 2015 and DMARC-as-a-service in 2021. In use by more than 100,000 companies globally, the company's full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance. From neighborhood shops to the world's largest brands, many organizations use these solutions to secure their emails. Valimail holds the most robust portfolio of 20 patents that unlock DMARC for businesses at scale and is the only DMARC solution to earn FedRAMP authorization. Valimail employees Chair and co-Chair many critical ecosystem bodies, such as the IETF DMARC Working Group, and the AuthIndicators Working Group developing BIMI. The premier DMARC partner for Microsoft 365 environments, Valimail also holds leadership positions on every key industry standards body, driving today's email authentication policies and tomorrow's cybersecurity advancements for everyone. For more information, please visit www.valimail.com.
Media Contact
Escalate PR for Valimail
[email protected]
###
SOURCE: Valimail
View the original press release on ACCESS Newswire
P.Silva--AMWN
