Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
-
PSG in talks with Leipzig to buy Ivory Coast star Diomande
-
Australia to host Brazil double-header after World Cup
-
Venezuela search teams scramble as hope fades of finding quake survivors
-
Stocks rise and oil edges up as US, Iran call end to latest attacks
-
Bondi Beach attack survivor tells of 'trauma' of online AI images
-
South Korea to invest nearly $1.2 tn in chips, AI data centres
-
Pakistan strikes on eastern Afghanistan kill dozens
-
Russia rallies support for army with 'patriotic' tourist routes
-
Cape Verde, Africa's outlier in LGBTQ tolerance
-
Brazil, Germany eye World Cup last 16 as Netherlands face Morocco
-
South Korea demands change after dismal World Cup exit
-
Washington says US, Iran pausing strikes, talks to proceed
-
Stocks mixed and oil rises as US, Iran call end to latest attacks
-
EU, China trade tensions loom over minister visit
-
For sale on Facebook: monkeys, rhino horn and dead pangolins
-
Israelis, Palestinians torn over sacred shrine in city of Hebron
-
In Sudan's Kordofan, a key city reels as paramilitary offensive looms
-
Scheffler to face Hovland in Monday playoff for PGA Travelers title
-
Ryu Hae-ran wins Women's PGA Championship
-
'Burnt out' Stokes leaves England facing tricky questions
-
Germany must win to defy World Cup doubters, says Nagelsmann
-
Critical rescue window closing in Venezuela as quake death toll nears 1,500
-
HM Exploration Discovers New Blind Massive Sulphide Lens at Lewis Pilley's Project
-
How to Start a Functional Beverage Brand: Free FMCG Webinar
-
InterContinental Hotels Group PLC Announces Transaction in Own Shares - June 29
-
South Korea's Ryu Hae-ran wins Women's PGA Championship
-
Canada's Marsch praises history-making World Cup 'heroes'
-
Brazil strike confident tone ahead of Japan World Cup clash
-
Co-hosts Canada beat South Africa to reach World Cup last 16 as knockouts begin
-
Israel detonates tunnel, strikes south Lebanon
-
Putin acknowledges fuel shortages after Ukraine strikes
-
Moriyasu praises 'united' Japan on eve of Brazil World Cup clash
-
Canada reach World Cup last 16 as late strike sinks South Africa
-
Looting, theft in Venezuela's earthquake zone add to tragedy
-
Perry stars as Australia knock India out of World Cup
-
Venezuela quakes kill 1,450, time running out to find survivors
-
Stokes 'content' after extraordinary England exit
-
West Indies beat Sri Lanka in first Test
-
Europe swelters as heatwave moves east
-
Asia's World Cup falls apart with just two teams remaining
-
Stokes announces shock England exit as New Zealand eye series win
-
Bromell upsets Lyles, Duplantis shines at Paris Diamond League
-
CAF president Motsepe hails African World Cup successes
-
Man Utd reveal Ugarte knee injury in Uruguay World Cup defeat
-
South Korea coach quits after early World Cup exit
-
Stokes out for 30 in final Test innings after shock England retirement
-
Venezuela quakes kill 1,400, time running out to find survivors
-
Wolff praises 'cold-blooded' Russell, enjoys Antonelli enthusiasm at Austrian GP
-
Hamilton laments lack of power and poor tyre performance
-
Stokes announces shock England exit as Mitchell bats New Zealand into commanding lead
Valimail 2026 Report: Email Protection Stalls as AI-Powered Impersonation Reaches Record Highs
New data reveals a massive "Enforcement Gap" between record adoption and actual protection, warning that reporting-only policies create a dangerous false sense of security
SAN FRANCISCO, CA / ACCESS Newswire / February 25, 2026 / Valimail, a DigiCert company, and the global leader in Zero Trust email authentication and Domain-based Message Authentication, Reporting, and Conformance (DMARC) today released its 2026 State of DMARC Report, revealing that while DMARC awareness has surged to 78%, actual enforcement has plateaued at just 42 percent. This 36-point gap represents a growing sentiment of organizations that have implemented DMARC to meet basic mailbox provider requirements but remain entirely unprotected against domain spoofing and AI-driven impersonation.
Bridging the Enforcement Gap: Key Findings
The 2026 report defines the Enforcement Gap as the space between technical adoption (having a DMARC record) and security enforcement (setting a policy to "reject" or "quarantine"). This gap represents a massive window of vulnerability for organizations. In 2025 alone, Valimail tracked more than 2.5 billion suspicious emails on behalf of its customers, illustrating the sheer scale of the threats that DMARC is designed to neutralize. Key takeaways from the report include:
The 36-Point Vulnerability: While 78% of domains now have a DMARC record, the 36-point gap between reporting and enforcement proves that compliance does not equal protection.
Enforcement Stagnation: Enforcement saw a 7% increase throughout 2025 (moving from 35% to 42%), suggesting that many organizations "set it and forgot it" at the most basic, non-protective level.
Mandate vs. Maturity: Mailbox provider mandates (from Google, Yahoo, and Microsoft) successfully drove reporting adoption but failed to push organizations toward full enforcement.
The AI Threat Multiplier: The gap is becoming increasingly dangerous as attackers use gen AI to bypass traditional filters. While Secure Email Gateways (SEGs) hunt for malicious links and shady language, AI produces perfectly tailored emails, making it difficult to detect. This means domain-level enforcement is the only reliable way to verify sender identity and block impersonation at the source before it ever reaches the inbox.
BIMI Adoption Lags: Without closing the Enforcement Gap, organizations cannot reach BIMI (Brand Indicators for Message Identification) standards, which remain stalled at a 4% adoption rate.
For security and IT leaders, this report is a critical call to action: treating a reporting-only DMARC policy as "done" creates a false sense of security and leaves domains vulnerable to the new wave of sophisticated, AI-driven attacks. The 36-point gap is not a technical oversight but a failure of management and enforcement.
Industry-Specific DMARC Adoption and Enforcement Trends
Sectors like Online Retail (72.73% at enforcement) and Manufacturing (67.61% at enforcement) have normalized DMARC enforcement, leading the cross-industry average by over 25 percentage points.
Arts and Recreation (31.61%) and Higher Education (33.71%) remain significantly exposed to spoofing and phishing threats, with enforcement lagging far behind.
Regulated industries (Financial Services, 59.18%; Healthcare, 57.42%) are converting reporting into enforcement, yet anything short of a 90% remains a critical vulnerability for institutions within these sectors.
The Information Technology sector (53.05% at enforcement) displays an uneven adoption maturity, with over a quarter of domains (25.81%) still lacking any valid DMARC record.
Valimail Commentary
"For years, the industry's focus was simply on getting DMARC records in place. And we've made great inroads when it comes to DMARC. But reaching enforcement is a critical first step in a modern security journey-not the destination. The Enforcement Gap we see today is where the most damage happens. It's a 'purgatory' state where senders think they're safe because they've checked a compliance box, but they haven't actually locked the door. In the current threat landscape, a DMARC record without an enforcement policy is just a roadmap to attackers to see exactly where your defenses end," said Al Iverson, Industry Research and Community Engagement Lead.
"The 36-point Enforcement Gap we've identified is a massive wakeup call for the industry. It shows that while mandates have successfully pushed companies to check the 'reporting' box, more than half of domains are still stopping short of actual protection. In the age of generative AI, being 'compliant' without being 'enforced' is like installing a security camera but leaving the front door wide open. If you're among the 58% still unprotected, you're not just vulnerable, you're a primary target. To stay ahead of today's threats, organizations must close this gap and move to full enforcement," said Scott Ziegler, Valimail Vice President of Product.
Frequently Asked Questions
What is the Enforcement Gap, and why is it dangerous for a business? The Enforcement Gap is the 36-point disparity between organizations that have published a DMARC record (78%) and those that have actually reached enforcement (42%). This gap exists because many companies implemented DMARC only to meet the minimum "reporting-only" requirements of mailbox providers like Google and Yahoo. While they are technically "compliant" with the mandates, they are still 100% vulnerable to domain spoofing. In an era of AI-driven phishing, staying in this gap creates a false sense of security that attackers are actively exploiting.
Why do domains with DMARC still lack full protection? Many organizations implement a policy to meet minimum compliance for bulk senders (Microsoft, Google, Yahoo) without realizing that this policy does nothing to actually protect the domain against malicious spoofing and false use.
Why didn't the mailbox providers' mandate "solve" DMARC? Mandates drove reporting adoption but did not, by themselves, drive full enforcement. Many organizations did the minimum required to keep mail flowing and stopped there.
How does DMARC help against AI-driven attacks? DMARC provides a foundational defense by ensuring that no matter how sophisticated an AI-crafted malicious message is, if it attempts to spoof your domain, a strong DMARC policy will reject the unauthenticated attempt before it reaches the inbox.
Which industries are actually enforcing DMARC, not just starting it? Manufacturing, online retail, financial services, and healthcare lead the market in converting reporting into enforcement-yet even in these top sectors, nearly 30% of organizations remain unprotected and vulnerable to impersonation.
Why are so many domains still vulnerable despite years of awareness? Because DMARC policies are public in the DNS, these vulnerabilities are easy for attackers to identify and exploit. The 20-30% of domains without enforcement in every industry represent a visible attack surface, increasing risk for every organization that delays protection.
About Valimail
Valimail, a DigiCert company, is the global leader in Zero Trust email authentication and invented hosted DMARC in 2015 and DMARC-as-a-service in 2021. In use by more than 100,000 companies globally, the company's full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance. From neighborhood shops to the world's largest brands, many organizations use these solutions to secure their emails. Valimail holds the most robust portfolio of 20 patents that unlock DMARC for businesses at scale and is the only DMARC solution to earn FedRAMP authorization. Valimail employees Chair and co-Chair many critical ecosystem bodies, such as the IETF DMARC Working Group, and the AuthIndicators Working Group developing BIMI. The premier DMARC partner for Microsoft 365 environments, Valimail also holds leadership positions on every key industry standards body, driving today's email authentication policies and tomorrow's cybersecurity advancements for everyone. For more information, please visit www.valimail.com.
Media Contact
Escalate PR for Valimail
[email protected]
###
SOURCE: Valimail
View the original press release on ACCESS Newswire
S.Jackson--AT
