Marketing companies are deluding themselves that mere compliance with rules set by the Googles and Microsofts protects them from spoofing. On the contrary, it makes them more vulnerable, judging by a new report from Valimail: The 2026 State of DMARC Report.
While 78% of companies now have a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record, actual DMARC enforcement has flattened out at 42%, leaving 58% of firms unprotected.
“The Enforcement Gap we see today is where the most damage happens,” says Al Iverson, Industry Research and Community Engagement Lead at Valimail. “It’s a ‘purgatory’ state where senders think they’re safe because they’ve checked a compliance box, but they haven’t actually locked the door.”
Iverson adds, “In the current threat landscape, a DMARC record without an enforcement policy is just a roadmap to attackers to see exactly where your defenses end.”
Enforcement did grow last year to 7%. But other firms remain vulnerable to domain spoofing because they implemented the minimum “reporting-only” requirements of the big mailbox providers.
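The difference between “having a DMARC record” and “being at enforcement” comes down to a few tags in one DNS TXT record: a `p=none` policy only asks receivers to send reports, while `p=quarantine` or `p=reject` tells them to act on spoofed mail. The following checker is an added example, not code from Valimail or from the report; the sample records are constructed, and the tag names (`v`, `p`, `sp`, `pct`, `rua`) are the standard DMARC tags from RFC 7489. It classifies a record as enforcement, partial enforcement, reporting-only or invalid, which is the same distinction the report draws.

```python
"""Classify a DMARC TXT record as enforcing, partial, reporting-only or invalid.

Added example (not from the article or the Valimail report). Sample records
below are constructed. Tag names follow RFC 7489.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING_POLICIES | {"none"}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]            # p= value, lower-cased
    subdomain_policy: Optional[str]  # sp= value, defaults to p=
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= present, so aggregate reports arrive
    state: str                       # "enforcement" | "partial" | "reporting-only" | "invalid"
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict.

    Tag names are case-insensitive; values keep their case because report
    URIs and addresses matter.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate stray separators, as receivers do
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Decide whether a record actually protects the domain from spoofing."""
    tags = parse_dmarc(record)
    notes: List[str] = []

    # A record that does not start with v=DMARC1 is simply ignored by receivers.
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, None, 0, False, "invalid",
                               ["missing or wrong v= tag; receivers ignore the record"])

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(False, None, None, 0, False, "invalid",
                               ["p= tag missing or unknown; not a usable DMARC policy"])

    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not an integer; receivers fall back to 100")
    pct = max(0, min(100, pct))
    has_reporting = "rua" in tags
    if not has_reporting:
        notes.append("no rua= tag: you will not receive aggregate reports")

    if policy == "none":
        state = "reporting-only"
        notes.append("p=none: spoofed mail is still delivered; the record only produces reports")
    elif pct < 100:
        state = "partial"
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    elif subdomain_policy == "none":
        state = "partial"
        notes.append("sp=none: subdomains remain spoofable even though the apex is enforced")
    else:
        state = "enforcement"

    return DmarcAssessment(True, policy, subdomain_policy, pct, has_reporting, state, notes)


# Constructed sample records, one per state the report describes.
SAMPLE_RECORDS = {
    "reporting-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-pct": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "partial-sp": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforcement": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{label:15} -> {result.state:15} {'; '.join(result.notes)}")
```

To run it against a real domain, fetch the record first with `dig +short TXT _dmarc.example.com` (substitute your own domain) and pass the quoted string to `assess_dmarc`. Anything other than `enforcement` is the “purgatory” state the report describes: the record exists and reports flow, but receivers are not told to drop or quarantine forged mail.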
Valimail notes that this is getting more dangerous as attackers bypass traditional filters by using Gen AI. Secure Email Gateways, or SEGs, hunt for malicious links and shady language, but AI can produce perfectly tailored emails that are hard to detect. Domain-level enforcement is the only defense against this.
Valimail also found that BIMI (Brand Indicators for Message Identification), which lets verified brands display their corporate logos, has only a 4% adoption rate.
Why did the big providers not insist on full enforcement? Maybe they thought they wouldn’t get it.
In the end, things that once seemed so certain—like DMARC and BIMI—now are stalled.
“The 36-point Enforcement Gap we’ve identified is a massive wakeup call for the industry,” says Scott Ziegler, vice president of product at Valimail. “It shows that while mandates have successfully pushed companies to check the ‘reporting’ box, more than half of domains are still stopping short of actual protection. In the age of generative AI, being ‘compliant’ without being ‘enforced’ is like installing a security camera but leaving the front door wide open. If you’re among the 58% still unprotected, you’re not just vulnerable, you’re a primary target. To stay ahead of today’s threats, organizations must close this gap and move to full enforcement.”