United States DMARC & MTA-STS Adoption Report 2026

We at PowerDMARC analyzed email authentication posture across U.S. domains, and two things stood out: DMARC adoption is rising, but enforcement remains uneven, and MTA-STS lags materially behind. That gap is where spoofing and downgrade risk persist. 

Washington, D.C. remains the epicenter of global cybersecurity policy, but as we move into 2026, the gap between mandate and implementation is widening. Despite heightened federal guidance, such as CISA’s “Shields Up” posture and broader national cybersecurity initiatives, the U.S. remains a primary playground for AI-driven spoofing and Business Email Compromise (BEC) scams that cost the economy over $2.9 billion last year.

This PowerDMARC analysis reveals a nation that has addressed identity authentication (SPF/DMARC) but left transport layer security (MTA-STS) and zone integrity (DNSSEC) dangerously exposed.

Sector-Specific Vulnerabilities and Performance in the USA

To provide a clear baseline, here is the overall security posture for the United States across all 900+ domains before we dive into the specific industry sectors.

USA Email Security Metrics

Metric Adoption Rate
SPF Correctness 95.7%
DMARC Adoption 95.8%
DMARC p=reject 49.0%
MTA-STS Adoption 1.7%
DNSSEC Adoption 18.0%

1. Banking & Finance: High-Enforcement Infrastructure

U.S. banks lead the nation in enforcement, yet the sheer volume of attacks, specifically the 2024 JPMorgan phishing wave that netted $100M, proves that even small gaps are catastrophic.

Metric Adoption Rate
SPF Correctness 90.9%
DMARC p=reject 66.7%
No DMARC Record 7.6%
MTA-STS Adoption 3.0%
DNSSEC Adoption 22.7%

The Critical Risk

SWIFT Confirmation Hijacking. With a 97.0% gap in MTA-STS, trillions in wire transfer confirmations travel via unencrypted paths. Attackers can intercept these in transit to identify the unauthorized modification before the bank or client realizes the breach.

The PowerDMARC Fix

Automated MTA-STS Hosting. We force all email transit into encrypted TLS 1.2+ channels, materially reducing downgrade and interception risk by enforcing TLS for inbound delivery and requiring policy compliance via MTA-STS. This helps support common governance expectations for secure email transport and vendor communications.

2. Government: Mandatory but Vulnerable

Federal agencies are the gold standard for DMARC, yet the persistence of SolarWinds-style supply chain attacks highlights a massive visibility gap in transport security.

Metric Adoption Rate
SPF Correctness 97.7%
DMARC p=reject 80.1%
No DMARC Record 2.3%
MTA-STS Adoption 3.4%
DNSSEC Adoption 54.5%

The Critical Risk

Credential Spoofing. While 80.1% enforce p=reject, the remaining 19.9% allow nation-state actors to forge official .gov credentials, bypassing citizen trust to deliver malware or collect sensitive PII. Low MTA-STS adoption also leaves inbound email security at risk.

The PowerDMARC Fix

Automated SCuBA Compliance for .gov. Our platform automates the stringent email authentication requirements of CISA BOD 25-01. We provide a centralized dashboard to move .gov domains to DMARC p=reject with zero manual overhead, ensuring that federal cloud environments meet SCuBA security baselines for Microsoft 365 and Google Workspace without the risk of breaking legitimate mail flow.

3. Healthcare: HIPAA’s Unprotected Flank

The 2024 Change Healthcare breach proved that medical providers are being targeted via spoofed third-party senders. Despite rising MFA use, email remains a weak link.

Metric Adoption Rate
SPF Correctness 94.9%
DMARC p=reject 64.6%
No DMARC Record 1.3%
MTA-STS Adoption 1.3%
DNSSEC Adoption 11.4%

The Critical Risk

PHI Transit Leaks. 98.7% of healthcare email traffic is unencrypted in transit. This allows attackers to intercept Protected Health Information (PHI) directly from the wire, leading to massive HIPAA fines and patient data exfiltration.

The PowerDMARC Fix

We provide a managed path to full DMARC and MTA-STS enforcement, ensuring every outbound medical record is encrypted via hosted MTA-STS.

4. Energy & Utilities: Operational Technology Risks

Post-Colonial Pipeline, the U.S. energy sector has fortified its OT (Operational Technology), but its corporate email remains an active attack surface for ransomware.

Metric Adoption Rate
SPF Correctness 96.8%
DMARC p=reject 51.6%
No DMARC Record 3.2%
MTA-STS Adoption 1.6%
DNSSEC Adoption 6.5%

The Critical Risk

Phishing-to-OT Pivots. Only 51.6% of the energy sector blocks fraud. Attackers use spoofed “Critical Equipment Alerts” to trick engineers into clicking malicious links, bridging the gap between the corporate inbox and the physical power grid.

The PowerDMARC Fix

Record Optimization. We secure operational communications against phishing entries by enforcing strict DMARC policies and optimizing complex SPF records to stay within DNS lookup limits.

5. Education: The Intellectual Property Harvesting

American campuses are high-value targets for intellectual property theft, yet they maintain the lowest enforcement rates in the country.

Metric Adoption Rate
SPF Correctness 96.6%
DMARC p=reject 30.3%
No DMARC Record 2.2%
MTA-STS Adoption 3.4%
DNSSEC Adoption 12.4%

The Critical Risk

University Login Harvesting. Low DMARC p=reject (30.3%) allows attackers to forge .edu logins, gaining access to multi-million dollar research databases and alumni financial records.

The PowerDMARC Fix

We simplify adoption and enforcement and help manage thousands of departmental subdomains from one dashboard, slashing successful phishing attempts across the entire campus.

6. Media: The Disinformation Amplifier

Newsrooms fight fake news, but their own email domains are frequently used to spread it via spoofed bylines.

Metric Adoption Rate
SPF Correctness 96.7%
DMARC p=reject 30.4%
No DMARC Record 5.5%
MTA-STS Adoption 0.4%
DNSSEC Adoption 3.3%

The Critical Risk

Source Identity Theft. With near-zero MTA-STS (0.4%) and low DMARC enforcement, journalists’ private communications with sensitive sources are visible to anyone monitoring the network, and their bylines can be easily spoofed to plant deepfake stories.

The PowerDMARC Fix

Source Integrity. We move media domains to p=reject, ensuring that only verified journalists can send mail from the newsroom’s domain, preserving brand trust in an era of info-wars.

7. Telecommunications: Subscriber Scam Magnet

Carriers guard their networks but leave their inboxes wide open, fueling the SIM-swap epidemic that costs Americans billions annually.

Metric Adoption Rate
SPF Correctness 96.6%
DMARC p=reject 41.4%
No DMARC Record 8.0%
MTA-STS Adoption 2.3%
DNSSEC Adoption 12.6%

The Critical Risk

Billing Fraud & Account Takeovers. High “No-DMARC” rates (8.0%) allow scammers to send fake billing alerts that look legitimate, tricking users into revealing the 2FA codes required for SIM-swapping.

The PowerDMARC Fix

SIM-Phish Slamming. Our platform enforces p=reject across carrier domains and hosts MTA-STS to secure the automated billing flows, making it hard for scammers to use the carrier’s own name against its subscribers.

8. Transport & Logistics: The Supply Chain Compromise

Airlines and rail networks face “Logistics Rerouting,” where spoofed manifests lead to stolen cargo and rerouted fuel supplies.

Metric Adoption Rate
SPF Correctness 90.2%
DMARC p=reject 42.4%
No DMARC Record 1.1%
MTA-STS Adoption 0.0%
DNSSEC Adoption 12.0%

The Critical Risk

Plain-Text Manifest Theft. A 100.0% gap in MTA-STS means every cargo manifest sent via email is unencrypted. Attackers can intercept shipment values and routes to coordinate physical or digital theft of “just-in-time” goods.

The PowerDMARC Fix

Fraud-Proof Logistics Channels. We provide one-click MTA-STS hosting that secures the transport layer, ensuring that sensitive shipping data is encrypted end-to-end, preventing man-in-the-middle disruptions triggered via email.

Under the Hood: Four Structural Weaknesses

The p=none Implementation Gap

46.8% of U.S. domains have DMARC but lack enforcement (p=none or p=quarantine). The current p=none state lacks remediation capability, allowing attackers to continue spoofing trusted brands while the organization merely observes the activity in logs.

“A DMARC policy set to p=none only provides reporting and visibility into spoofing attempts, without blocking them. While the high adoption rate in the United States is encouraging, shifting to a DMARC policy of p=reject is necessary to actively prevent unauthorized email use. Without enforcement, email domains remain vulnerable.”

Maitham Al Lawati, CEO, PowerDMARC

“We see this constantly in Fortune 500 companies: they add a new marketing tool, and suddenly their invoicing emails start bouncing. The 10-lookup limit is a hard ceiling in DNS. Without SPF optimization techniques like flattening or Macros to compress these records, growing your digital stack inevitably breaks your email deliverability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

SPF Complexity at Scale

While 95.7% of domains have correct SPF, the remaining 4.3% face critical misconfigurations. In complex U.S. enterprises, this often stems from hitting the “10-lookup limit” for DNS queries, causing legitimate emails from third-party vendors (CRM, HR systems) to fail authentication and disappear.
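
Added example, not taken from the PowerDMARC report: a static worst-case count of the DNS-querying terms an SPF record pulls in, showing how one extra vendor include pushes a record past the 10-lookup limit of RFC 7208. The zone contents, domain names and IP ranges are constructed for illustration.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 querying terms -> permerror
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying SPF terms reachable from `domain`."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop or no SPF record: nothing further to count
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                   # drop the qualifier
        name, _, target = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()            # "mx/24" -> "mx"
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect"):          # these pull in another record
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookup_count, 'ok' or 'permerror') for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")

# Constructed sample zone (hypothetical domains, documentation IP ranges).
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.mail.example include:crm.example "
                    "include:hr.example ip4:192.0.2.10 -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "crm.example": "v=spf1 include:_spf.crm.example exists:%{i}.allow.crm.example ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/26 ~all",
    "hr.example": "v=spf1 a mx ~all",
    "marketing.example": "v=spf1 include:_spf.marketing.example ~all",
    "_spf.marketing.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}
# Same zone after the marketing tool's include is added to the organisational record.
ZONE_AFTER = dict(ZONE)
ZONE_AFTER["corp.example"] = ZONE["corp.example"].replace(
    " -all", " include:marketing.example -all")

if __name__ == "__main__":
    print("before:", spf_status("corp.example", ZONE))
    print("after: ", spf_status("corp.example", ZONE_AFTER))
```

The count is a static upper bound: a receiver stops evaluating at the first matching mechanism, so a given message may trigger fewer queries than the total reported here.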

MTA-STS: The Encryption Deficit

With 98.3% exposure across the board, the U.S. has a near-total control gap regarding transport security. Without MTA-STS, attackers can perform “Downgrade Attacks,” forcing email servers to drop encryption and transmit messages in plain text, readable by anyone monitoring the network.

“Standard email encryption (STARTTLS) is opportunistic; it asks for encryption but doesn’t demand it. MTA-STS is a way to enforce the transport lock. With nearly all U.S. traffic exposed, it’s trivial for an attacker to strip away encryption and read sensitive corporate communications in transit.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC
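
Added example, not taken from the PowerDMARC report: how a sending server's delivery decision changes once the recipient domain publishes an MTA-STS policy (RFC 8461), for the case where STARTTLS has been stripped from the session. The policy body, host names and the action labels returned by `delivery_decision` are constructed for illustration.

```python
def parse_policy(text):
    """Parse an RFC 8461 policy body; return None if required fields are invalid."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "mx":
            policy["mx"].append(value.lower())
        elif sep:
            policy[key] = value
    valid = (policy.get("version") == "STSv1"
             and policy.get("mode") in ("enforce", "testing", "none")
             and policy.get("max_age", "").isdigit())
    return policy if valid else None

def mx_matches(mx_host, patterns):
    """True if mx_host is listed; a '*.' pattern covers exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    return any(host == p or (p.startswith("*.") and host.partition(".")[2] == p[2:])
               for p in patterns)

def delivery_decision(policy, mx_host, starttls_offered, cert_valid):
    """Return (action, policy_failure) for one delivery attempt to mx_host."""
    opportunistic = "deliver-tls" if starttls_offered else "deliver-plaintext"
    if policy is None or policy["mode"] == "none":
        return opportunistic, False       # nothing to enforce: STARTTLS is best-effort
    if starttls_offered and cert_valid and mx_matches(mx_host, policy["mx"]):
        return "deliver-tls", False
    if policy["mode"] == "enforce":
        return "refuse", True             # never fall back to plaintext
    return opportunistic, True            # testing: deliver anyway, report via TLSRPT

# Constructed policy body, as it would be served from
# https://mta-sts.bank.example/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.bank.example
mx: *.mailhost.example
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # STARTTLS missing from the session: plaintext without a policy, refused with one.
    print(delivery_decision(None, "mx1.bank.example", False, False))
    print(delivery_decision(policy, "mx1.bank.example", False, False))
```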

“Organizations invest heavily in building brand trust, but a single DNS hijacking incident can shatter that in seconds. DNSSEC acts as the guardian of your digital identity, ensuring that when customers reach out, they connect with the real you. It’s no longer just an IT protocol; it’s a fundamental layer of brand reputation management.”

Ahona Rudra, Marketing Manager, PowerDMARC

DNSSEC: The Weak Foundation

DNSSEC is enabled on just 18.0% of domains. Without this, the directory system of the internet (DNS) is unprotected. Sophisticated state-sponsored attackers can hijack the DNS response, redirecting a company’s entire email flow to a rogue server without the sender or receiver ever knowing.

Global Benchmarking: U.S. in Context

Country | SPF Correct | DMARC Adoption | DMARC p=reject | MTA-STS (Encryption) | DNSSEC Adoption
United States 🇺🇸 | 95.7% | 95.8% | 49.0% | 1.7% | 18.0%
Netherlands 🇳🇱 | 92.4% | 88.5% | 41.2% | 14.5% | 59.0%
Sweden 🇸🇪 | 85.0% | 77.9% | 29.9% | 2.9% | 25.9%
Norway 🇳🇴 | 85.2% | 83.1% | 29.0% | 2.8% | 45.6%
Australia 🇦🇺 | 91.5% | 78.4% | 26.5% | 3.1% | 6.8%
Saudi Arabia 🇸🇦 | 80.6% | 54.4% | 18.4% | 0.2% | 11.9%
Japan 🇯🇵 | 95.0% | 74.6% | 9.2% | 0.5% | 2.1%

Analysis: The U.S. Position on the Global Stage

The 2025-2026 benchmarking data reveals that the United States is currently the global leader in active defense, boasting the highest p=reject enforcement rate at 49.0%. This is significantly higher than established digital economies like Australia (26.5%) or Japan (9.2%). The U.S. success is largely driven by early regulatory mandates and the high-stakes risk environment facing the banking and healthcare sectors.

However, the U.S. faces a “Technical Tail” problem. While foundational SPF and DMARC adoption are nearly universal (95.0%+), the Kingdom of the Netherlands significantly outperforms the U.S. in advanced encryption, with 14.5% MTA-STS adoption compared to America’s meager 1.7%. PowerDMARC bridges this implementation gap by providing automated policy rollout, while maintaining exception handling for critical legacy senders.

Furthermore, with DNSSEC adoption at just 18.0%, the U.S. remains more vulnerable to sophisticated DNS hijacking than Norway (45.6%). This gap highlights a strategic focus in America on stopping phishing (DMARC) while under-investing in infrastructure resilience (DNSSEC/MTA-STS). For the U.S. to maintain its cybersecurity leadership, the next phase must move beyond simple identity verification and toward the total encryption and integrity of the global email ecosystem.

Conclusion: From Metrics to Action

The data is clear: The United States has the technical specifications and foundational records in place, but has yet to evolve from passive monitoring to active transport enforcement. While SPF is ubiquitous and DMARC adoption is surging, the failure to reach enforcement (p=reject) and secure the transport layer (MTA-STS) remains a billion-dollar vulnerability.

U.S. organizations cannot afford to wait for the next CISA Binding Operational Directive or a catastrophic Business Email Compromise (BEC) incident to move from monitoring to protection. PowerDMARC bridges this “Implementation Gap” by providing:

Automated Enforcement Paths: Safely migrating Fortune 500s and SMBs alike from p=none to p=reject without blocking critical business communications.

Infrastructure Simplification: Overcoming the “10-lookup limit” with SPF optimization, hosting MTA-STS, and validating DNSSEC records in a single, cloud-native dashboard.

Regulatory Readiness: Supporting compliance with PCI-DSS 4.0, HIPAA, and CISA standards by simplifying anti-phishing protection and securing email communications.

PowerDMARC Perspective

“The U.S. is currently the primary laboratory for AI-driven phishing. While American IT teams are excellent at publishing records, they are often paralyzed by the fear of blocking legitimate mail. In 2026, a ‘monitoring-only’ posture is essentially a surrender to sophisticated spoofing. The move to active defense isn’t just a security upgrade; it is essential for protection against sophisticated breaches.”

PowerDMARC Team

Turn Visibility into Defense Today

U.S. adoption rates show that the foundation is ready; now it’s time to flip the switch. In a landscape where AI can spoof an executive’s tone perfectly, relying on “visibility” alone is not enough.

Don’t let your domain remain an “Unprotected Frontier.” Move from passive monitoring to active protection before the next wave of coordinated attacks hits your industry.

Contact PowerDMARC to start your journey to enforcement.