State of Email Authentication: Q1 2026 Report

Quarterly analysis of DMARC adoption rates, enforcement trends, and email authentication statistics across industries for Q1 2026.

By Verkh Team. Published March 31, 2026.

Q1 2026 at a glance

Email authentication is no longer optional. Google, Yahoo, and Microsoft made that clear. But adoption numbers tell a more complicated story than the headlines suggest.

This is Verkh’s first quarterly report on the state of email authentication. We analyzed DMARC adoption, SPF configurations, and DKIM deployment across [INSERT STAT] domains. The data reveals a significant gap between having a DMARC record and actually using it to stop attacks.

The headline: most organizations have started. Very few have finished.

Executive Summary

Q1 2026 marks a turning point for email authentication. Mailbox provider enforcement requirements have driven record DMARC adoption. But the data shows a troubling pattern: organizations publish DMARC records and then stop. They monitor without enforcing. They collect reports without acting on them.

Here are the key findings from our analysis.

DMARC adoption reached [INSERT STAT]% across surveyed domains. This is a [INSERT STAT]% increase from Q4 2025. The growth is driven primarily by Google and Yahoo’s sender requirements, which now affect all bulk senders.

Only [INSERT STAT]% of domains with DMARC records are at enforcement (p=quarantine or p=reject). The remaining [INSERT STAT]% sit at p=none. They’re collecting data. They’re not stopping attacks.

Financial services leads enforcement at [INSERT STAT]%. Healthcare lags at [INSERT STAT]%. Technology sits at [INSERT STAT]%. Government is at [INSERT STAT]%.

The average time from first DMARC record to enforcement is [INSERT STAT] months. Organizations that use guided platforms reach enforcement in [INSERT STAT] months. Those managing manually take [INSERT STAT] months or never reach enforcement at all.

SPF record errors affect [INSERT STAT]% of domains. The most common issue: exceeding the 10 DNS lookup limit. This breaks SPF validation entirely and often goes undetected.

These numbers matter because DMARC at p=none provides zero protection against spoofing. It only provides visibility. The gap between adoption and enforcement represents real, ongoing risk.

DMARC Adoption by Industry

Financial Services

Financial services continues to lead DMARC adoption. Regulatory pressure from frameworks like PCI DSS 4.0, which mandates DMARC for payment processors, has accelerated deployment.

Adoption rate: [INSERT STAT]% of financial services domains have DMARC records.

Enforcement rate: [INSERT STAT]% are at p=quarantine or p=reject.

Key driver: Regulatory requirements and cyber insurance mandates. Several major insurers now require DMARC enforcement as a condition of coverage.

The financial services gap between adoption and enforcement is narrower than other industries, but it still exists. Approximately [INSERT STAT]% of financial institutions with DMARC records remain at p=none for more than six months. These organizations face a specific challenge: complex vendor ecosystems with trading platforms, wire transfer systems, and client portals all sending email from the primary domain.

Healthcare

Healthcare presents the widest adoption-to-enforcement gap of any industry we tracked.

Adoption rate: [INSERT STAT]% of healthcare domains have DMARC records.

Enforcement rate: [INSERT STAT]% are at p=quarantine or p=reject.

Key driver: HIPAA compliance obligations and growing awareness of healthcare-specific email threats.

Healthcare organizations face unique authentication challenges. EHR systems like Epic and Cerner send patient notifications from organizational domains. Patient portals, billing systems, pharmacy integrations, and lab result notifications each represent separate email streams that must be authenticated before enforcement is possible.

The average healthcare organization has [INSERT STAT] third-party services sending email from their primary domain. That’s [INSERT STAT]x more than the cross-industry average. Each one needs proper SPF authorization and DKIM signing before the organization can move past p=none.

Technology

Technology companies adopt DMARC faster but face their own enforcement barriers.

Adoption rate: [INSERT STAT]% of technology domains have DMARC records.

Enforcement rate: [INSERT STAT]% are at p=quarantine or p=reject.

Key driver: Technical awareness and deliverability requirements. Technology companies send high volumes of transactional email and understand the impact of authentication on inbox placement.

The challenge for technology companies is scale. SaaS platforms, developer tools, and cloud services often operate dozens of sending services across multiple subdomains. Subdomain policies add complexity that many organizations underestimate.

Government

Government DMARC adoption has increased significantly since federal mandates began requiring authentication.

Adoption rate: [INSERT STAT]% of government domains have DMARC records.

Enforcement rate: [INSERT STAT]% are at p=quarantine or p=reject.

Key driver: BOD 18-01 and subsequent federal directives. State and local governments increasingly follow federal guidance.

Government enforcement rates are improving, but legacy systems and procurement cycles slow progress. Many government email systems predate modern authentication standards, requiring infrastructure upgrades before enforcement is possible.

The Enforcement Gap: Why 95% Never Reach p=reject

The most significant finding in our Q1 data is the enforcement gap. Across all industries, the pattern is consistent: organizations publish DMARC records quickly, then stall.

We identified five primary reasons organizations remain at p=none.

1. Unidentified Senders

Organizations don’t know everything that sends email from their domain. Marketing tools, CRM systems, ticketing platforms, monitoring alerts, and legacy applications all send email. Without a complete inventory, teams are afraid to enforce because they might block legitimate mail.

Scale of the problem: The average domain has [INSERT STAT] authorized sending services. [INSERT STAT]% of organizations we surveyed could not identify all their senders without DMARC monitoring data.

2. Vendor Coordination Failures

Even when senders are identified, getting vendors to configure authentication correctly is difficult. Support teams often lack DMARC expertise. Tickets get escalated, delayed, or closed without resolution. Organizations wait weeks for a vendor to add a DKIM key that takes five minutes to configure.

This is the problem Verkh’s vendor remediation reports address directly. Instead of sending support tickets that get lost, you share a live Apex dashboard showing exactly what’s broken and how to fix it. Vendors see the data in real time. You see when they’ve viewed it.

3. Fear of Breaking Legitimate Email

The consequences of blocking legitimate email feel more immediate and visible than the consequences of not blocking spoofed email. A missed invoice notification gets noticed. A blocked phishing attack doesn’t.

This fear is legitimate but manageable. Moving from p=none to p=quarantine to p=reject in stages, monitoring failure reports at each stage, eliminates the risk of unexpected disruption.

4. Resource Constraints

DMARC enforcement requires sustained attention. Someone needs to monitor reports, coordinate fixes, and manage the progression. Many organizations start the process and then deprioritize it when other projects demand attention.

The organizations that reach enforcement fastest have a dedicated owner for the project. Whether that’s a security engineer, an IT manager, or an MSP partner, having someone accountable for progress makes the difference.

5. Platform Limitations

Some DMARC monitoring tools show you data without showing you what to do with it. Raw XML reports require interpretation. IP addresses need to be mapped to services. Failure patterns need analysis to determine whether they represent legitimate senders or attack attempts.

Platforms that translate raw data into actionable guidance close this gap. When a report shows you “SendGrid is failing DKIM alignment” instead of “IP 167.89.x.x sent 450 messages with DMARC result: fail,” the path to resolution becomes clear.

SPF Configuration Analysis

SPF remains the most widely deployed authentication protocol and the most commonly misconfigured.

The 10-Lookup Limit

SPF validation allows a maximum of 10 DNS lookups per check. Every include: mechanism in your SPF record triggers a lookup. Nested includes count toward the limit.

[INSERT STAT]% of domains we analyzed exceed or are at exactly 10 lookups. When the limit is exceeded, SPF validation fails entirely. This means every email from the domain fails SPF, regardless of whether the sender is legitimate.

The typical pattern: an organization adds a new SaaS tool, adds its include: to the SPF record, and inadvertently pushes the total past 10. SPF breaks silently. Nobody notices until deliverability drops or a DMARC report reveals the failure.

Common SPF Errors

Beyond the lookup limit, we found several recurring SPF configuration problems.

Duplicate includes appear in [INSERT STAT]% of SPF records. These waste lookup capacity without adding protection.

Overly permissive mechanisms like +all or broad IP ranges appear in [INSERT STAT]% of records. These authorize more senders than intended, undermining the purpose of SPF.

Missing senders affect [INSERT STAT]% of domains. A legitimate sending service isn’t included in SPF, causing authentication failures that show up in DMARC reports.
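
The lookup limit, duplicate includes, and `+all` described above can all be checked from the record text alone. The following is an added example, not Verkh's code: it audits a constructed set of TXT records (the `.test` names are made up, and the dictionary stands in for live DNS) and counts every term that RFC 7208 charges against the limit, which covers `a`, `mx`, `ptr`, `exists`, and `redirect` as well as `include:`.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS; every name is made up.
ZONE = {
    "example.test": "v=spf1 mx include:_spf.mail.test include:crm.test "
                    "include:_spf.mail.test ip4:192.0.2.0/24 ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.test": "v=spf1 a mx exists:%{i}.crm.test -all",
}

def parse_terms(record):
    """Split an SPF record into (qualifier, term, target) tuples."""
    terms = []
    for raw in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = raw[0] if raw[0] in "+-~?" else "+"  # "+" is the default
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?", raw.lstrip("+-~?"), re.I)
        terms.append((qualifier, m.group(1).lower(), m.group(2) or ""))
    return terms

def audit_spf(domain, zone=ZONE):
    """Return (worst-case DNS lookup count, findings) for a domain's SPF record."""
    findings, cost = [], {}  # cost: lookups consumed below each included name

    def walk(name, path):
        if name in path or name not in zone:
            findings.append(f"include loop or missing record at {name}")
            return 0
        count = 0
        for qualifier, term, target in parse_terms(zone[name]):
            if term in LOOKUP_TERMS:
                count += 1  # this term costs one DNS query
            if term in ("include", "redirect"):
                if target in cost:
                    findings.append(f"duplicate include:{target} wastes {1 + cost[target]} lookups")
                else:
                    cost[target] = walk(target, path | {name})
                count += cost[target]  # nested terms count toward the same limit
            if term == "all" and qualifier == "+":
                findings.append(f"+all in {name} authorizes any sender")
        return count

    total = walk(domain, frozenset())
    if total > LOOKUP_LIMIT:
        findings.append(f"{total} lookups exceeds the limit of {LOOKUP_LIMIT}")
    return total, findings
```

For the constructed `example.test` record the count is 11; removing the duplicate `include:_spf.mail.test` brings it back to 8.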

DKIM deployment lags behind SPF adoption. While SPF requires only a DNS record, DKIM requires cryptographic key generation, DNS publication, and configuration in each sending system.

[INSERT STAT]% of domains have at least one DKIM key published. But having a key published doesn’t mean all senders are signing. Many organizations have DKIM configured for their primary mail server but not for third-party services.

[INSERT STAT]% of domains have DKIM signing configured for all identified senders. This is the threshold required for DMARC enforcement. Without universal DKIM signing, moving to p=reject risks blocking legitimate email from unsigned senders.

The DKIM gap is the primary technical barrier to enforcement for most organizations.

What This Means for Your Organization

If you’ve published a DMARC record, you’ve started. That’s more than many organizations can say. But if your policy is p=none, you’re not protected. You’re informed.

The path from monitoring to enforcement is well-understood. It requires identifying your senders, fixing authentication failures, and progressively tightening your policy. The organizations that complete this journey share common traits: dedicated ownership, platform-guided remediation, and consistent follow-through.

Here’s what we recommend based on Q1 data.

If you don’t have DMARC: Start with p=none today. Every day without monitoring is a day you can’t see who’s using your domain.

If you’re at p=none for less than 30 days: Keep monitoring. Build your sender inventory. Start fixing authentication failures.

If you’re at p=none for more than 90 days: You’re overdue for enforcement progression. Move to p=quarantine with a percentage-based rollout. Start at 10% and increase weekly.

If you’re at p=quarantine: You’re close. Monitor for remaining failures. When your pass rate exceeds 99% for two consecutive weeks, move to p=reject.

If you’re at p=reject: Congratulations. You’ve eliminated domain spoofing as an attack vector. Now maintain your configuration as your email ecosystem evolves.
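
The report interpretation described under Platform Limitations and the 99% pass-rate check in the recommendations above can be sketched as follows. This is an added example, not Verkh's code: the aggregate report (trimmed to the fields used, in the RFC 7489 layout), the sender inventory, and the service names are all constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET  # for reports from untrusted mail, prefer defusedxml
from collections import defaultdict

# Constructed aggregate (RUA) report; policy_evaluated holds the aligned results.
REPORT = """<feedback>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>9800</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>450</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.8</source_ip><count>120</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical sender inventory: network -> service name.
INVENTORY = {"192.0.2.0/24": "corporate mail", "198.51.100.0/24": "marketing platform"}

def service_for(ip):
    """Map a source IP to an inventoried service, or flag it for triage."""
    addr = ipaddress.ip_address(ip)
    for net, name in INVENTORY.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown source"  # uninventoried sender or spoofing attempt

def summarize(xml_text):
    """Return (per-service pass/fail message counts, overall DMARC pass rate)."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        service = service_for(row.findtext("source_ip"))
        stats[service]["pass" if ok else "fail"] += int(row.findtext("count"))
    passed = sum(s["pass"] for s in stats.values())
    total = sum(s["pass"] + s["fail"] for s in stats.values())
    return dict(stats), passed / total

def ready_for_reject(weekly_pass_rates, threshold=0.99):
    """True when the two most recent weekly pass rates both exceed the threshold."""
    recent = weekly_pass_rates[-2:]
    return len(recent) == 2 and all(rate > threshold for rate in recent)
```

On the constructed report the overall pass rate is about 95.4%, and the per-service breakdown shows that the failures to fix sit with the "marketing platform" sender, while the "unknown source" rows need triage before they are counted either way.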

Methodology

This report analyzes DMARC, SPF, and DKIM configurations across [INSERT STAT] domains surveyed during Q1 2026 (January through March). Data sources include public DNS records, aggregate DMARC reports processed through the Verkh platform, and industry surveys.

Industry classifications follow standard SIC codes. Domains are categorized by their registrant’s primary industry. Subdomains are analyzed separately where DMARC subdomain policies are published.

Enforcement rates reflect the policy published at the time of analysis. Organizations may have changed policies after the measurement period.

Download the Full Q1 2026 Report

This blog post summarizes our key findings. The complete Q1 2026 report includes detailed industry breakdowns, regional analysis, trend comparisons with previous quarters, and specific recommendations by organization size.

The report is available at no cost. We believe transparency about the state of email authentication helps the entire ecosystem improve.

About Verkh

Verkh is the email authentication platform built for enforcement. We help organizations move from p=none to p=reject with guided remediation, vendor coordination tools, and live dashboards that show real-time authentication status.

Our Q1 2026 report reflects our commitment to advancing email authentication adoption industry-wide. When more organizations reach enforcement, the entire email ecosystem becomes safer.

Start monitoring your domain free at verkh.io and see where you stand relative to the Q1 2026 benchmarks.
