Two years after Gmail and Yahoo introduced their February 2024 bulk sender requirements, the data is in: only 28.5% of domains with a published DMARC record have actually reached p=reject enforcement, according to Valimail's 2024 industry report. The remaining 71.5% are sitting at p=none, technically compliant with the bulk sender baseline but functionally unprotected against the spoofing campaigns DMARC was designed to stop. p=none is monitoring, not protection. It tells receivers what is happening; it does not stop anything from happening.
In 2026, that gap is no longer just a security exposure. It is a deliverability tax. Mailbox providers increasingly use DMARC enforcement as a positive reputation signal — domains at p=quarantine or p=reject are trusted more than domains at p=none, all else being equal. Being stuck at p=none does not just leave you exposed to brand impersonation; it depresses your inbox placement on legitimate sends compared to enforcing senders in the same vertical. Microsoft began rejecting non-compliant high-volume mail outright on May 5, 2025. PCI DSS v4.0 made DMARC mandatory for organizations processing payment card data as of March 2025. Cyber insurers increasingly require enforcement as an underwriting condition. CISA BOD 18-01 mandates p=reject for US federal domains.
And then there is BIMI — the brand logo and verified checkmark in Gmail and Apple Mail that is rapidly becoming the visual proof of "this is a real sender." BIMI requires DMARC at p=quarantine or p=reject minimum. No enforcement, no logo, no checkmark, no brand display in inbox. Senders who do not finish the DMARC journey lose the BIMI marketing real estate, and that real estate has been documented to lift open rates by 21–39% in field tests by Red Sift and Entrust.
So why are most senders still at p=none? Because the path from p=none to p=reject is technically straightforward but operationally painful. You have to find every system that sends mail on your behalf, authenticate each one, watch the aggregate reports, fix alignment failures one by one, slowly tighten the percentage-rolled-out, and not break the newsletter that goes out on Friday. The platforms that automate the parsing make it look like a SaaS subscription will solve the problem. It will not. Somebody still has to do the work in DNS, in the third-party vendor portals, in the MTA configuration, and in the Friday-night change window.
That is what managed DMARC is, and that is what we do. We operate the work end-to-end. The platform is part of it; the human expert handling is most of it.