Fortune 100 DMARC Adoption in 2026
In the first quarter of 2022, we took a look at DMARC adoption among Fortune 100 companies, an annual list that ranks the top corporations in the United States by total revenue.
At that time, Google and Yahoo hadn’t yet released their ecosystem-shifting sender requirements. We thought we’d check in on the Fortune 100 companies in 2026 to see how they have progressed since Google, Yahoo and Microsoft’s DMARC mandates.
Here’s what we found:
From 2022 to 2026, we saw the following trends in DMARC adoption for the Fortune 100 companies:
- 89% increase of DMARC policies set to p=reject
- 30% increase of DMARC policies set to p=quarantine
- 68% decrease of DMARC policies set to p=none
- 87% decrease of companies lacking a DMARC policy
With the ever-increasing threat of domain impersonation, these percentage changes over the past few years illustrate an overall improvement in DMARC adoption and DMARC policy advancement.
SPF Record Errors
The good news is only 14% of the Fortune 100 had SPF mistakes. We’ve found that when deploying DMARC, developing and publishing SPF records often cause confusion. While we only saw a small subset of issues, the most common problems we saw with this set of domains revolved around SPF syntax errors, namely incorrect “include” mechanisms and “all.” An even smaller set was around multiple SPF records, and even fewer with a lack of an SPF record.
Review these guidelines to help publish accurate, secure SPF records.
Fortune 100 Companies Are Prime Targets
Fortune 100 companies remain high value targets for cybercriminals. With broad digital footprints, trusted brand recognition and large customer bases, a single successful attack can have large financial and reputational impact.
In January of 2026, a Fortune 100 financial services firm was targeted by a ransomware group using a new malware strain known as PDFSider. The attackers gained initial access through spear-phishing emails and social engineering tactics to deliver malicious payloads to Windows systems.
In several instances, the attackers attempted to trick email recipients into launching the malicious file by using decoy documents that appeared to be tailored to the targets.
Without strict DMARC enforcement in place, criminals can pose as banks or investment firms and send phishing emails to customers, or even internal employees, with a goal of gaining access to accounts, stealing personal information, redirecting payments and installing ransomware.
With visibility into how attackers operate, the next step is knowing how to move through DMARC deployment in a way that’s both manageable and efficient.
Moving Through DMARC Deployment
For many organizations, the first phase of DMARC deployment is a DMARC policy set to p=none; this monitoring policy sheds light on how a domain is being used across the internet while no constraints are placed on the domain’s email flow. This visibility includes known domain uses, like a company’s marketing email service provider that was properly vetted by the IT department.
From this initial monitoring policy, domain operators work to build their organization-wide domain catalog, identify all legitimate sending sources of email, and align the domain used for either a passing SPF or DKIM result to match the domain of the From header. Then, an organization will advance the DMARC policy to p=quarantine and transition to p=reject as confidence is gained in identifying legitimate email sources.
Take a look at our DMARC adoption studies for other sectors.
How dmarcian can help
With a team of email security experts and a mission of making email and the internet more trustworthy, dmarcian can help you assess your domain catalog, deploy DMARC and manage domain security for the long haul. With our expertise and mission of DMARC for All, we can help you
- Progress safely from monitoring to enforcement with our expert guidance.
- Understand how SPF, DKIM and DMARC work, and why they are essential.
- Configure these protocols to ensure seamless email delivery.
- Monitor authentication reports to identify and resolve any issues promptly.
