In the evolving landscape of email security, DMARC (Domain-based Message Authentication, Reporting & Conformance) has become a crucial defense against phishing and domain spoofing. However, the EasyDMARC 2025 DMARC Adoption Report reveals significant shortcomings in how different segments of the business world approach DMARC implementation and enforcement.
Our analysis of the DMARC policies of Fortune 500 and Inc. 5000 companies highlights how organizational size and resources influence DMARC maturity. The results are encouraging in some areas but concerning in others. This comparison is just one lens from EasyDMARC’s comprehensive 2025 research, which examined the top 1.8 million global domains by visitor traffic to assess the state of DMARC adoption. While positive progress is evident, particularly among large enterprises, our broader research highlights persistent gaps in enforcement and reporting that leave many organizations exposed.
Fortune 500 vs. Inc. 5000: A Tale of Two Segments
The data shows that 93.8% of Fortune 500 companies have valid DMARC records, demonstrating broad recognition of DMARC’s importance. In contrast, only 76.2% of Inc. 5000 companies, representing ambitious and high-growth mid-market businesses, have followed suit.
The gap widens even further when we examine enforcement levels. Among Fortune 500 companies with DMARC, 62.7% apply the strictest protection (p=reject), actively blocking fraudulent emails. In comparison, only 15.2% of Inc. 5000 companies have reached this enforcement level. At the same time, more than half are on a “monitoring-only” policy (p=none), which provides visibility but leaves them exposed to phishing attacks.
Visibility Gaps and Missed Opportunities
Monitoring through DMARC aggregate reports (RUA) is nearly universal among Fortune 500 companies, with 97.9% leveraging this essential feedback mechanism. However, only 67.4% of Inc. 5000 companies with DMARC records utilize RUA reporting, limiting their ability to detect and respond to authentication issues.
Despite these gaps, it’s worth noting that the Inc. 5000 outperforms the broader global average, where only 47.7% of domains have valid DMARC records, and fewer than 20% achieve enforcement.
This means that while the Inc. 5000 has clear room for improvement, it is still ahead of most global organizations in securing its domains. As phishing threats grow, this relative advantage can help these companies protect their brand reputation and maintain customer trust, but only if they continue progressing toward full enforcement.
The Implications: Security Gaps and Rising Risks
The disparity between adoption and enforcement underscores a clear message: publishing a DMARC record is only the first step. Without advancing to enforcement, organizations, especially in the mid-market, remain vulnerable to phishing, brand impersonation, and email-based fraud.
Our Recommendations
- Raise Awareness: Industry stakeholders must emphasize the risks of p=none policies and promote gradual policy hardening toward p=reject.
- Promote Enforcement: Email providers and industry bodies should advocate for default configurations that encourage stricter DMARC enforcement.
- Prioritize Reporting: Universal adoption of RUA tags is essential for maintaining visibility and proactively addressing authentication weaknesses.
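The three measurements this article relies on (a valid record, the `p=` policy level, and the presence of an RUA address) can be checked for any set of domains from the TXT record published at `_dmarc.<domain>`. The sketch below is an added example, not EasyDMARC's code or methodology; the function names, the simplified validity rule and the sample records are assumptions constructed for illustration.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def assess_dmarc(txt):
    """Classify one DMARC TXT record (hypothetical helper, simplified check)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = []
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return {"valid": False, "reason": "malformed tag"}
        tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and must be exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return {"valid": False, "reason": "missing v=DMARC1"}
    found = dict(reversed(tags))  # first occurrence of a repeated tag wins
    policy = found.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "reason": "missing or unknown p="}
    rua = [u.strip() for u in found.get("rua", "").split(",") if u.strip()]
    return {"valid": True, "policy": policy,
            "monitoring_only": policy == "none", "rua": rua}

def summarize(records):
    """records maps domain -> TXT string, or None when no record is published."""
    results = [assess_dmarc(t) if t else {"valid": False} for t in records.values()]
    valid = [r for r in results if r["valid"]]

    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0

    return {
        "valid_pct": pct(len(valid), len(results)),
        "reject_pct_of_valid": pct(sum(r["policy"] == "reject" for r in valid), len(valid)),
        "none_pct_of_valid": pct(sum(r["monitoring_only"] for r in valid), len(valid)),
        "rua_pct_of_valid": pct(sum(bool(r["rua"]) for r in valid), len(valid)),
    }

# Constructed sample records; these are not data from the report.
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none",
    "c.example": "v=DMARC1; p=quarantine; rua=mailto:agg@c.example, mailto:ops@c.example",
    "d.example": "p=reject; v=DMARC1",  # invalid: version tag is not first
    "e.example": None,                  # no _dmarc TXT record at all
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A domain like `b.example` counts as "adopted" in the first figure yet has neither enforcement nor reporting, which is the gap between adoption and enforcement described above.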
Conclusion: Bridging the Divide
The Fortune 500’s leadership in DMARC adoption and enforcement sets a strong example, but the security gap in the Inc. 5000 cannot be overlooked. As phishing threats grow more sophisticated, comprehensive DMARC adoption, enforcement, and reporting are the keys to providing the protection organizations and their customers deserve.