Defaults.Exposed

Defaults.Exposed › Reports

The 6 Stages of DMARC Maturity

Published 2026-07-03 · updated 2026-07-03

Figures as of 2026-06-29 · methodology v7. This is a reference model backed by a recurring census; each edition re-measures the same population so the numbers can be tracked over time. All figures are aggregate — we never publish an individual business’s grade.

Publishing DMARC is not the same as being protected

Across 261 million measured domains, 24.89% publish a DMARC record — but only 10.59% enforce one. Put another way: of the roughly 65 million domains that started the DMARC journey, 57.5% never reached the part that blocks anything. They published a record, pointed reporting somewhere, and stalled. Smaller independent studies find the same shape — one 2026 industry report put it at ~9% enforcing among the ~938,000 domains it examined.

Adoption is not the problem any more. Protection is. And domains stall for a structural reason: the maps everyone uses stop short. They end too early, and none of them gives the hardest step a name of its own.

Where the existing maps stop short

The models the industry navigates by were right for their era, and deserve a fair reading:

All three share two limits. First, they stop at p=reject — as if enforcement were the finish line. It isn’t: the standard itself has moved on (DMARCbis — RFC 9989, 9990 and 9991 — was published in May 2026, replacing the original RFC 7489), and enforcement does nothing for transport security or brand trust. Second — and this is the one that actually strands domains — none of them makes “every sender accounted for” a named stage. To be fair, the deployment guides do mention the work: dmarcian’s model includes source identification as a task inside its monitoring phase. But a task buried inside a phase is exactly how it gets treated — as part of “monitoring” rather than as the separate achievement it is. Watching reports arrive feels like progress. It isn’t, yet. The single biggest reason domains sit at p=none for years is that they can see their mail but haven’t accounted for it — so they dare not enforce, for fear of breaking something real.

A useful model needs to give that step its own name and its own exit criteria. This one does. We call it the DMARC Adoption Maturity Model — DAMM: six stages, one move each, and a name you can cite.

The model

The six stages of DMARC maturity — from Unprotected to Hardened, with the wall between Observing and Visibility

Stage 1 — Unprotected. No DMARC record — or SPF and DKIM incomplete underneath it. Anyone can send email as your domain, and nothing anywhere is checking. The move: configure SPF and DKIM for your primary mail, and confirm they authenticate and align. DMARC is built on both; you cannot skip this floor.

Stage 2 — Authenticated. SPF and DKIM are correct and aligning for your main mail flow. Your legitimate mail proves its origin — but nothing tells the world’s inboxes what to do about mail that doesn’t. The move: publish a DMARC record at p=none with a rua= reporting address.

Stage 3 — Observing. DMARC is published, aggregate reports are flowing, and for the first time you can see who is sending as your domain. Nothing is blocked. Most tools call this stage “visibility” — we deliberately don’t, because seeing reports and understanding them are different achievements. The move: identify every legitimate source that sends as your domain, and get each one aligned.

Stage 4 — Visibility. Every legitimate sender is identified and aligned — the newsletter platform, the invoicing system, the CRM, the thing marketing signed up last spring. You know your mail. Nothing legitimate will break if you enforce. This is the stage the old maps skip, and the wall most domains never climb. The move: raise the policy — p=none → p=quarantine (DMARCbis’s t=y test mode helps here) → p=reject.

Stage 5 — Enforced. p=quarantine or p=reject is live, with subdomains covered by an explicit sp= policy. Mail that fails authentication is now actually quarantined or refused at participating receivers — which includes every major mailbox provider — so direct spoofing of your exact domain stops landing where DMARC is checked. The move: add the hardening layer — DMARCbis’s np= and tree-walk coverage, MTA-STS and TLS-RPT for transport, BIMI if brand display matters to you.

Stage 6 — Hardened & sustained. Enforcement plus the modern stack: non-existent-subdomain (np=) coverage from DMARCbis, MTA-STS and TLS-RPT securing mail in transit, BIMI where it earns its keep — and, crucially, continuous monitoring for drift and new senders. This isn’t a badge; it’s a discipline. New senders appear, providers change IPs, configurations rot. The move: stay here.

The no-mail lane. Measured across the full domain inventory — dead domains included — 51.5% of domains run no mail service at all, and for them the journey collapses to one step. A domain that never sends should publish SPF -all and DMARC p=reject immediately: there is no legitimate mail to protect, so there is nothing to observe and no wall to climb. Parked and dormant brand domains go straight to Enforced in a single DNS change — and doing so closes off one of the most common impersonation vectors there is.

The wall: Stage 3 → 4

Every other transition in this model is a DNS change. This one is investigative work — and it’s where the months die.

Getting from Observing to Visibility means attributing every sending source in your reports to a real system: which ESP, which CRM, which regional office’s mail relay, which SaaS tool someone connected in 2023 and forgot. It means finding the shadow-IT senders nobody documented. It means fixing alignment ESP by ESP, because each platform has its own way of authenticating on your behalf — some of them wrong by default.

Skipping the wall is how DMARC got its scary reputation. Enforce from Observing — without Visibility — and you will block something real: an invoice run, a password-reset flow, the CEO’s newsletter. Then comes the panicked rollback to p=none, the internal post-mortem, and the lesson everyone learns wrongly: “we tried DMARC and it broke email.” Most DMARC horror stories are exactly this — enforcement attempted one stage early. The wall is not a reason to stop at Stage 3. It’s the reason Stage 4 exists.

This is also the stage where owners most often bring in help — an IT provider or a DMARC monitoring service can do the sender-identification work; the stages stay the same either way.

The part everyone forgets: Stage 5 → 6

Reaching p=reject stops direct spoofing of your domain in the From: line, at the receivers that check it. That is necessary — and it is not sufficient. It is also worth naming what enforcement never covered: lookalike domains (yourc0mpany.com) and display-name impersonation sit entirely outside DMARC’s reach, so enforcement closes the exact-domain door and leaves the neighbouring ones to vigilance and other controls.

Enforcement does nothing for transport: without MTA-STS and TLS-RPT, mail to your domain can still be downgraded or intercepted in transit. It does nothing for brand recognition: BIMI — your logo, displayed at the inbox — is a trust signal, not a security control, and it’s honest to treat it as one (it also requires a paid certificate, which is why it sits last, not first). And plain p=reject predates DMARCbis: the new RFCs’ np= tag and tree-walk close the non-existent-subdomain gap that older deployments leave open.

A domain at p=reject with none of the above is protected against the most common attack and unprepared for the rest. That’s a real distinction, and it deserves its own stage.

Your stage is measurable

This model isn’t just a diagram — a domain’s stage is computable, which is what separates it from a poster on a wall.

Stages 3 through 6 can be derived from a domain’s own DMARC reporting data plus its published records: what policy is live, whether reports flow, and whether every observed sender aligns. Stages 1 and 2 are assessed with a live DNS check, since no reports exist yet. One honest limit in each direction: Stage 4 is confirmed by evidence over time — “every observed sender aligns across enough reporting days” is a strong proxy, but no report can reveal the sender you haven’t connected yet. And Stage 6’s hardening layer — MTA-STS, TLS-RPT, BIMI — is invisible in DMARC reports; it takes a DNS check to see. A domain can look “done” from its reports and still carry a hidden Stage 5 → 6 gap. This is the model our own reporting analysis measures against, blockers and all.

A worked example

A mid-sized firm runs Microsoft 365 behind a mail-filtering gateway. SPF ends in -all, DKIM is configured, DMARC is published at p=none, and reports flow to a monitoring tool. On the old maps this looks nearly done. On this one it is Stage 3 — Observing: the hard setup is complete, and the domain has stalled exactly at the wall — visible, not protected. The highest-value move is 3 → 4 → 5: confirm the (likely few) legitimate senders all align, then raise the policy in stages. For a domain in this shape, that is usually weeks of attention, not months — the wall is tallest for those who never map it.

Find your stage

The question to retire is “do we have DMARC?” — 24.89% of domains can say yes while 57.5% of those remain spoofable. The better question is “what stage are we at, and what is the one move to the next one?” Every domain on the internet is at exactly one of these six stages today. Knowing which one turns an anxiety into a to-do list.

Where the internet sits across the six stages — most domains have no DMARC record at all; most of those that do are stuck before enforcement

Frequently asked questions

What is DAMM? The DMARC Adoption Maturity Model — the six-stage model on this page: Unprotected, Authenticated, Observing, Visibility, Enforced, Hardened. A domain’s stage is measurable from its DNS and its DMARC reporting data, which is what separates it from a poster on a wall.

Is publishing p=none worthless, then? No — it’s Stage 3, and Stage 3 is load-bearing: reporting is how you find every sender before you enforce. It only becomes a problem when it’s treated as a destination. See why p=none is not protection.

Can I skip straight to p=reject? If your domain sends no mail — yes, today, and you should. If it does send mail — no: enforcing without Visibility (Stage 4) is how legitimate mail gets broken and rollbacks happen. The stages are the safe path, not ceremony.

Do I need BIMI to be “done”? No. BIMI is the brand-display layer of Stage 6 and the most optional element in the model — MTA-STS, TLS-RPT and DMARCbis’s np= coverage are the parts that materially harden a domain. If the certificate cost isn’t justified for you, skip it and hold the rest of Stage 6.

Where do SPF and DKIM fit? Underneath everything — they are Stages 1 → 2, and SPF without DMARC protects less than most owners assume. Since 2024, major receivers have also required authentication outright from bulk senders.

Check where your own domain stands

These stages are population patterns — your domain is at exactly one of them, and the next move is knowable. You can check privately and free, and see which of the 34 checks you pass and how to fix the ones you don’t.

Check your domain → · How we graded the internet → · The DMARC pillar → · Aggregate data only. Data stored and processed in the EU.