Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
-
The vaccines and treatments being developed for Ebola outbreak
-
Spanish king to visit Mexican president on June 25 as ties improve
-
Ton-up Phillips stars for New Zealand against England
-
Wahi denied Canadian visa for Ivory Coast World Cup clash with Germany
-
Swiss central bank holds interest rates, with eye on currency risks
-
S.African sentenced in 'world's largest' rhino trafficking case
-
Bank of England follows Fed in holding interest rate
-
Bittersweet World Cup for Gaza's football fans
-
Trump defends Iran deal from critics he calls 'fools'
-
New heatwave disrupts trains, schools in France
-
German chemical company to cut 3,200 jobs as crisis worsens
-
Starmer's Labour rival eyes win in UK poll key to PM's fate
-
Mexico, Korea eye World Cup knockout berths
-
Range raises $8.3M Series A to unify treasury, risk and compliance across stablecoins and fiat
-
IAEA ready to help define 'concrete steps' to implement US-Iran deal
-
Ibrahima Konate signs four-year deal with Real Madrid
-
Hegseth tells NATO US will review force presence in Europe
-
Innovations on show at Paris Vivatech fest
-
Ukraine sets Moscow refinery ablaze in biggest attack in years
-
Bird flu kills 13,000 seal pups on remote Australian island
-
Oil prices sink further as Trump signs deal to reopen Hormuz
-
South Korean lawmakers launch probe into ballot paper shortages
-
Starmer rival seeks win in UK poll pivotal to PM's fate
-
Taiwan president says hopes for $14 bn US arms sale 'as soon as possible'
-
Why are Kenyan kids burning schools and killing their classmates?
-
New wave of anti-LGBTQ laws sweeps Africa
-
Ukraine hopes renewables can Russia-proof power grid
-
Jubilant New York on guard for Knicks parade
-
What we learned after the first round of World Cup games
-
New Zealander Manu has 'no fear' of Toulouse before Top 14 semi
-
Drastic restrictions on public transport take effect in Cuba
-
Pain-riddled South Korean man fights for right to die
-
Cuba approves economic reforms to boost private sector, investment: state TV
-
India learns to live with hotter summers
-
'Retired' Wallaby Slipper, 37, set for shock international comeback
-
EU wrestles over how to tackle China export flood
-
Tartan Army takes over Boston as Scotland fans relish World Cup return
-
Comedian Jordan Klepper wishes satire was harder in age of Trump
-
Robots pour cocktails and run marathons, but still can't multitask
-
Birthright citizenship helps spark US World Cup run
-
Ghana beat Panama 1-0 in World Cup opener after injury-time winner
-
Castro gives crucial backing to Cuba reforms
-
Mower Earns 15 Industry Honors from ANA REGGIE, The Drum, Indie Awards and ANA B2 Awards
-
Laser Photonics and Fonon Technologies Unveil Advanced Laser Wire Processing Solution for Avionics and Military
-
Voting Results from Solitario Resources Corp Annual Meeting Held June 17, 2026
-
Bridgeline Accelerates AI Commerce Momentum with New B2B Distributor Win
-
Rochon Family Executes Strategic Purchase of AIAI Holdings Shares
-
RollerAds Launches Full-cycle Ad Platform With Traffic, Offers, and Monetization in One Workspace
-
Infinite Auctions to Feature Carmelo Anthony's Photo-Matched Final New York Knicks Game-Worn Jersey in Upcoming Premier Auction
-
Zoe Financial Earns Finalist Recognition in the Wealthies 2026 Awards as a Modern TAMP
NYSE - LSE
Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
New data reveals a massive "Enforcement Gap" between record adoption and actual protection, warning that reporting-only policies create a dangerous false sense of security
SAN FRANCISCO, CA / ACCESS Newswire / February 25, 2026 / Valimail, a DigiCert company, and the global leader in Zero Trust email authentication and Domain-based Message Authentication, Reporting, and Conformance (DMARC) today released its 2026 State of DMARC Report, revealing that while DMARC awareness has surged to 78%, actual enforcement has plateaued at just 42 percent. This 36-point gap represents a growing sentiment of organizations that have implemented DMARC to meet basic mailbox provider requirements but remain entirely unprotected against domain spoofing and AI-driven impersonation.
Bridging the Enforcement Gap: Key Findings
The 2026 report defines the Enforcement Gap as the space between technical adoption (having a DMARC record) and security enforcement (setting a policy to "reject" or "quarantine"). This gap represents a massive window of vulnerability for organizations. In 2025 alone, Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers, illustrating the sheer scale of the threats that DMARC is designed to neutralize. Key takeaways from the report include:
The 36-Point Vulnerability: While 78% of domains now have a DMARC record, the 36-point gap between reporting and enforcement proves that compliance does not equal protection.
Enforcement Stagnation: Enforcement saw a 7% increase throughout 2025 (moving from 35% to 42%), suggesting that many organizations "set it and forgot it" at the most basic, non-protective level.
Mandate vs. Maturity: Mailbox provider mandates (from Google, Yahoo, and Microsoft) successfully drove reporting adoption but failed to push organizations toward full enforcement.
The AI Threat Multiplier: The gap is becoming increasingly dangerous as attackers use gen AI to bypass traditional filters. While Secure Email Gateways (SEGs) hunt for malicious links and shady language, AI produces perfectly tailored emails, making it difficult to detect. This means domain-level enforcement is the only reliable way to verify sender identity and block impersonation at the source before it ever reaches the inbox.
BIMI Adoption Lags: Without closing the Enforcement Gap, organizations cannot reach BIMI (Brand Indicators for Message Identification) standards, which remain stalled at a 4% adoption rate.
For security and IT leaders, this report is a critical call to action: treating a reporting-only DMARC policy as "done" creates a false sense of security and leaves domains vulnerable to the new wave of sophisticated, AI-driven attacks. The 36-point gap is not a technical oversight but a failure of management and enforcement.
Industry-Specific DMARC Adoption and Enforcement Trends
Sectors like Online Retail (72.73% at enforcement) and Manufacturing (67.61% at enforcement) have normalized DMARC enforcement, leading the cross-industry average by over 25 percentage points.
Arts and Recreation (31.61%) and Higher Education (33.71%) remain significantly exposed to spoofing and phishing threats, with enforcement lagging far behind.
Regulated industries (Financial Services, 59.18%; Healthcare, 57.42%) are converting reporting into enforcement, yet anything short of a 90% remains a critical vulnerability for institutions within these sectors.
The Information Technology sector (53.05% at enforcement) displays an uneven adoption maturity, with over a quarter of domains (25.81%) still lacking any valid DMARC record.
Valimail Commentary
"For years, the industry's focus was simply on getting DMARC records in place. And we've made great inroads when it comes to DMARC. But reaching enforcement is a critical first step in a modern security journey-not the destination. The Enforcement Gap we see today is where the most damage happens. It's a 'purgatory' state where senders think they're safe because they've checked a compliance box, but they haven't actually locked the door. In the current threat landscape, a DMARC record without an enforcement policy is just a roadmap to attackers to see exactly where your defenses end," said Al Iverson, Industry Research and Community Engagement Lead.
"The 36-point Enforcement Gap we've identified is a massive wakeup call for the industry. It shows that while mandates have successfully pushed companies to check the 'reporting' box, more than half of domains are still stopping short of actual protection. In the age of generative AI, being 'compliant' without being 'enforced' is like installing a security camera but leaving the front door wide open. If you're among the 58% still unprotected, you're not just vulnerable, you're a primary target. To stay ahead of today's threats, organizations must close this gap and move to full enforcement," said Scott Ziegler, Valimail Vice President of Product.
Frequently Asked Questions
What is the Enforcement Gap, and why is it dangerous for a business? The Enforcement Gap is the 36-point disparity between organizations that have published a DMARC record (78%) and those that have actually reached enforcement (42%). This gap exists because many companies implemented DMARC only to meet the minimum "reporting-only" requirements of mailbox providers like Google and Yahoo. While they are technically "compliant" with the mandates, they are still 100% vulnerable to domain spoofing. In an era of AI-driven phishing, staying in this gap creates a false sense of security that attackers are actively exploiting.
Why do domains with DMARC still lack full protection? Many organizations implement a policy to meet minimum compliance for bulk senders (Microsoft, Google, Yahoo) without realizing that this policy does nothing to actually protect the domain against malicious spoofing and false use.
Why didn't the mailbox providers' mandate "solve" DMARC? Mandates drove reporting adoption but did not, by themselves, drive full enforcement. Many organizations did the minimum required to keep mail flowing and stopped there.
How does DMARC help against AI-driven attacks? DMARC provides a foundational defense by ensuring that no matter how sophisticated an AI-crafted malicious message is, if it attempts to spoof your domain, a strong DMARC policy will reject the unauthenticated attempt before it reaches the inbox.
Which industries are actually enforcing DMARC, not just starting it? Manufacturing, online retail, financial services, and healthcare lead the market in converting reporting into enforcement-yet even in these top sectors, nearly 30% of organizations remain unprotected and vulnerable to impersonation.
Why are so many domains still vulnerable despite years of awareness? Because DMARC policies are public in the DNS, these vulnerabilities are easy for attackers to identify and exploit. The 20-30% of domains without enforcement in every industry represent a visible attack surface, increasing risk for every organization that delays protection.
About Valimail
Valimail, a DigiCert company, is the global leader in Zero Trust email authentication and invented hosted DMARC in 2015 and DMARC-as-a-service in 2021. In use by more than 100,000 companies globally, the company's full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance. From neighborhood shops to the world's largest brands, many organizations use these solutions to secure their emails. Valimail holds the most robust portfolio of 20 patents that unlock DMARC for businesses at scale and is the only DMARC solution to earn FedRAMP authorization. Valimail employees Chair and co-Chair many critical ecosystem bodies, such as the IETF DMARC Working Group, and the AuthIndicators Working Group developing BIMI. The premier DMARC partner for Microsoft 365 environments, Valimail also holds leadership positions on every key industry standards body, driving today's email authentication policies and tomorrow's cybersecurity advancements for everyone. For more information, please visit www.valimail.com.
Media Contact
Escalate PR for Valimail
[email protected]
###
SOURCE: Valimail
View the original press release on ACCESS Newswire
P.Silva--AMWN
