United States DMARC & MTA-STS Adoption Report 2026

PowerDMARC’s 2026 Report on email authentication in the U.S. set out to study the country’s DMARC adoption, its configuration, and its uptake of advanced transit security protocols like MTA-STS and DNSSEC. Our statistics cover the nation as a whole and its major industries to reveal key security issues that would otherwise remain unseen.

The unsurprising part is the robust DMARC adoption, reflecting serious consideration of email authentication protocols. The surprise is the lack of transit protection, which is where spoofing and downgrade risk persist the most.

Despite heightened federal guidance, such as CISA’s “Shields Up” posture and broader national cybersecurity initiatives, the U.S. remains a primary playground for AI-driven spoofing and Business Email Compromise (BEC) scams that cost the economy over $2.9 billion last year.

This PowerDMARC analysis reveals a nation that has addressed identity authentication (SPF/DMARC) but left transport layer security (MTA-STS) and zone integrity (DNSSEC) dangerously exposed. Let’s take a quick look at what the report reveals.

Overall US Email Security Posture

US email authentication is a two-tier system: nearly universal foundational records (SPF and DMARC) paired with minimal transport-layer protection (MTA-STS and DNSSEC). Across 900+ domains, the baseline metrics are:

Figure: per-metric adoption graphics for SPF, DMARC, MTA-STS, DNSSEC and BIMI (values in the table below)
USA Email Security Metrics

Metric Adoption Rate
SPF Correctness 95.7%
DMARC Adoption 95.8%
DMARC p=reject 49.0%
MTA-STS Adoption 1.7%
DNSSEC Adoption 18.0%

1. Banking & Finance: High-Enforcement Infrastructure

The 2024 JPMorgan phishing scam netted $100M, reiterating that although U.S. banks prioritize enforcement, enforcement alone does not keep everything safe.

Metric Adoption Rate
SPF Correctness 90.9%
MTA-STS Adoption 3.0%
DNSSEC Adoption 22.7%

❌Critical Risk

SWIFT Confirmation Hijacking: With a 97.0% gap in MTA-STS, attackers can intercept wire transfer confirmations in transit before a breach is even realized.

✅PowerDMARC Fix

Automated MTA-STS Hosting: Email transit goes through encrypted TLS 1.2+ channels, materially reducing downgrade and interception risk by enforcing TLS for inbound delivery and requiring policy compliance via MTA-STS.

2. Government: Mandatory but Vulnerable

US federal agencies lead in DMARC enforcement due to CISA Binding Operational Directives, but a wide visibility gap persists in transport security.

Metric Adoption rate
SPF Correctness 97.7%
DMARC p=reject 80.1%
MTA-STS Adoption 3.4%

❌Critical Risk

Critical Spoofing: Given the level of security expected of government mail, even the 19.9% of agency domains without p=reject lets foreign nation-state actors forge official .gov sender addresses, exploiting citizen trust to deliver malware or collect sensitive PII.

✅PowerDMARC Fix

Automated SCuBA Compliance for .gov: Our platform automates the email authentication requirements of CISA BOD 25-01, providing a centralized dashboard to move .gov domains to DMARC p=reject with zero manual overhead, meeting SCuBA security baselines for M365 and Google Workspace.

3. Healthcare: HIPAA’s Unprotected Flank

Remember the 2024 Change Healthcare breach? Medical providers are constantly targeted via spoofed third-party senders, and email remains a weak link.

Metric Adoption rate
DMARC p=reject 64.6%
MTA-STS Adoption 1.3%
DNSSEC Adoption 11.4%

❌Critical Risk

PHI Transit Leaks: 98.7% of healthcare email traffic is unencrypted in transit. Attackers can intercept Protected Health Information (PHI) directly from the wire, leading to massive HIPAA fines and patient data exfiltration.

✅PowerDMARC Fix

Manages the path to full DMARC and MTA-STS enforcement, ensuring every outbound medical record is encrypted via hosted MTA-STS.

4. Energy & Utilities: Operational Technology Risks

Even with advancements, corporate email is still an active attack surface for ransomware in the industry.

Metric Adoption rate
SPF Correctness 96.8%
DMARC p=reject 51.6%
MTA-STS Adoption 1.6%

❌Critical Risk

Phishing-to-OT Pivots: Nearly half the sector cannot block spoofed mail, rendering the inbox a gateway to the physical grid.

✅PowerDMARC Fix

Record Optimisation: Enforces strict DMARC policies across utility domains and compresses complex SPF records with PowerSPF, staying within DNS lookup limits while securing operational communication.

5. Education: Intellectual Property Harvesting

US higher education holds the lowest DMARC enforcement rate of any US sector despite universities being top-tier targets for intellectual property theft, research-grant fraud, and targeted phishing.

Metric Adoption rate
DMARC p=reject 30.3%
MTA-STS Adoption 3.4%
DNSSEC Adoption 12.4%

❌Critical Risk

University Login Harvesting: A 30.3% p=reject rate means roughly seven in ten campuses allow attackers to forge .edu mail, gaining access to multi-million-dollar research databases, grant applications, and alumni financial records.

✅PowerDMARC Fix

Manage thousands of departmental subdomains from one dashboard. Apply enforcement policies campus-wide, reducing successful phishing across faculty, alumni systems, and student services.

6. Media: The Disinformation Amplifier

Newsrooms’ fight against fake news falls flat due to low authentication adoption. Because newsrooms are sources of national information, this is a critical gap to close.

Metric Adoption rate
DMARC p=reject 30.4%
MTA-STS Adoption 0.4%
DNSSEC Adoption 3.3%

❌Critical Risk

Source Identity Theft: With near-zero MTA-STS and low DMARC enforcement, journalists’ private communications with sensitive sources are visible to anyone monitoring the network.

✅PowerDMARC Fix

Source Integrity: Moves media domains to p=reject, so only verified journalists can send mail from the publication’s domain. Add BIMI to display a verified logo in recipient inboxes, reinforcing editorial trust.

7. Telecommunications: Subscriber Scam Magnet

Carriers guard their networks but leave their inboxes wide open, fueling the SIM-swap epidemic that costs Americans billions every year.

Metric Adoption rate
DMARC p=reject 41.4%
MTA-STS Adoption 2.3%
DNSSEC Adoption 12.6%

❌Critical Risk

Billing Fraud & Account Takeovers: Scammers send authentic-looking billing alerts that harvest 2FA codes, which are then used to authorise SIM swaps and drain bank accounts.

✅PowerDMARC Fix

SIM-Phish Slamming: Enforces p=reject across carrier domains and hosts MTA-STS to secure automated billing flows.

8. Transport & Logistics: The Supply Chain Compromise

Airlines and rail networks face “Logistics Rerouting,” where spoofed manifests lead to stolen cargo and rerouted fuel supplies.

Metric Adoption Rate
SPF Correctness 90.2%
DMARC p=reject 42.4%
No DMARC Record 1.1%
MTA-STS Adoption 0.0%
DNSSEC Adoption 12.0%

❌Critical Risk

Plain-Text Manifest Theft: A 100% gap in MTA-STS means every cargo manifest sent via email is unencrypted. Attackers can easily intercept shipment values and routes to coordinate physical or digital theft of goods.

✅PowerDMARC Fix

Fraud-Proof Logistics Channels: One-click MTA-STS hosting secures the transport layer, ensuring sensitive shipping data is encrypted end-to-end, preventing man-in-the-middle disruptions triggered via email.

Four Structural Weaknesses Driving the Enforcement Gap

The p=none Implementation Gap

46.8% of U.S. domains have DMARC but lack enforcement (p=none or p=quarantine). A p=none policy has no remediation capability: attackers can keep spoofing trusted brands while the organization merely observes the activity in its reports.

“A DMARC policy set to p=none only provides reporting and visibility into spoofing attempts, without blocking them. While the high adoption rate in the United States is encouraging, shifting to a DMARC policy of p=reject is necessary to actively prevent unauthorized email use. Without enforcement, email domains remain vulnerable.”

Maitham Al Lawati, CEO, PowerDMARC

“We see this constantly in Fortune 500 companies: they add a new marketing tool, and suddenly their invoicing emails start bouncing. The 10-lookup limit is a hard ceiling in DNS. Without SPF optimization techniques like flattening or Macros to compress these records, growing your digital stack inevitably breaks your email deliverability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

SPF Complexity at Scale

While 95.7% of domains have correct SPF, the remaining 4.3% face critical misconfigurations. In complex U.S. enterprises, this often stems from hitting the “10-lookup limit” for DNS queries, causing legitimate emails from third-party vendors (CRM, HR systems) to fail authentication and disappear.
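The two weaknesses above, a DMARC record that only monitors and an SPF record that silently exceeds the 10-lookup limit, are both visible from the raw TXT records. The following is an added example, not PowerDMARC code or tooling: it classifies a domain’s DMARC policy by enforcement level and counts the DNS lookups an SPF record costs, following include: and redirect= chains the way a receiver would. Every record and domain name (bank.example, _spf.crm.example and the rest) is constructed sample data in an in-memory dictionary standing in for DNS, so nothing is resolved over the network.

```python
"""
Added example (not PowerDMARC code): classify a domain's DMARC policy as
monitoring vs. enforcement and count the DNS lookups its SPF record costs
against the 10-lookup limit of RFC 7208. Every record below is constructed
sample data held in a dictionary that stands in for DNS, so nothing is
resolved over the network; all domain names are hypothetical.
"""

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed TXT records keyed by DNS name. bank.example mirrors the "too many
# third-party includes" pattern; flat.example is the same senders flattened to IPs.
SAMPLE_TXT = {
    "bank.example": "v=spf1 include:_spf.crm.example include:_spf.hr.example mx a -all",
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example ~all",
    "_spf1.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf2.crm.example": "v=spf1 a mx ptr -all",
    "_spf.hr.example": "v=spf1 include:_nb1.hr.example include:_nb2.hr.example include:_nb3.hr.example -all",
    "_nb1.hr.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_nb2.hr.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_nb3.hr.example": "v=spf1 redirect=_spf.hr-backup.example",
    "_spf.hr-backup.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 ip4:203.0.113.0/24 mx a -all",
    "_loop.example": "v=spf1 include:_loop.example -all",
    "_dmarc.bank.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@bank.example",
    "_dmarc.enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@enforced.example",
    "_dmarc.partial.example": "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc-rua@partial.example",
    "_dmarc.quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@quarantine.example",
}


def spf_lookup_count(domain, txt=SAMPLE_TXT, _path=()):
    """Number of DNS lookups a receiver performs when evaluating this SPF record.

    include:, a, mx, ptr, exists and redirect= each cost one lookup, and
    include/redirect targets are followed recursively. A target already on the
    current recursion path is an include loop: its lookup is counted once and
    recursion stops there.
    """
    if domain in _path:
        return 0
    path = _path + (domain,)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, e.g. "-all" -> "all"
        name, _, value = term.partition(":")
        if "=" in name:  # modifier such as redirect=target or exp=...
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                count += 1 + spf_lookup_count(target, txt, path)
            continue
        mechanism = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if mechanism == "include":
            count += 1 + spf_lookup_count(value, txt, path)
        elif mechanism in LOOKUP_MECHANISMS:
            count += 1
    return count


def dmarc_enforcement_level(domain, txt=SAMPLE_TXT):
    """'missing', 'invalid', 'monitoring' (p=none), 'partial' (quarantine or a
    sampled reject) or 'enforced' (p=reject applied to 100% of mail)."""
    record = txt.get("_dmarc." + domain)
    if record is None:
        return "missing"
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "enforced"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "monitoring"


def assess(domain, txt=SAMPLE_TXT):
    """Per-domain summary: DMARC enforcement level and SPF lookup cost vs. the limit."""
    lookups = spf_lookup_count(domain, txt)
    return {
        "dmarc": dmarc_enforcement_level(domain, txt),
        "spf_lookups": lookups,
        "spf_within_limit": lookups <= SPF_LOOKUP_LIMIT,
    }


if __name__ == "__main__":
    for name in ("bank.example", "flat.example", "enforced.example", "partial.example"):
        print(name, assess(name))
```

Run as a script it prints one summary per sample domain: bank.example sits at p=none with 13 lookups (two vendor includes that themselves nest further, plus a redirect), so its SPF already fails with permerror; flat.example carries the same senders as ip4/ip6 literals and costs only 2 lookups, which is the flattening the quote above refers to. The classifier treats only p=reject at pct=100 as enforced, because a sampled reject or a quarantine still lets part of the spoofed mail through.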

MTA-STS: The Encryption Deficit

With 98.3% of domains exposed across the board, the U.S. has a near-total control gap in transport security. Without MTA-STS, attackers can perform “downgrade attacks,” forcing email servers to drop encryption and transmit messages in plain text, readable by anyone monitoring the network.

“Standard email encryption (STARTTLS) is opportunistic; it asks for encryption but doesn’t demand it. MTA-STS is a way to enforce the transport lock. With nearly all U.S. traffic exposed, it’s trivial for an attacker to strip away encryption and read sensitive corporate communications in transit.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC
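What the quote describes, opportunistic STARTTLS versus an enforced transport lock, is a policy decision the sending MTA makes from two published artifacts: the _mta-sts TXT record and the policy file fetched over HTTPS. The following is an added example, not PowerDMARC code: it parses both as defined in RFC 8461 and returns the delivery decision for a given MX, showing that a stripped STARTTLS or an unlisted MX is refused in enforce mode but still delivered (and merely reported) in testing mode. The domain bank.example, its MX names and the policy contents are constructed sample data; nothing is fetched over the network.

```python
"""
Added example (not PowerDMARC code): parse the MTA-STS DNS record and policy
file defined in RFC 8461 and decide whether a sending MTA may deliver to a
given MX under that policy. It shows why "testing" mode still lets a stripped
STARTTLS (a downgrade) or a rogue MX succeed, while "enforce" mode refuses
delivery. The records below are constructed sample data for the hypothetical
domain bank.example; nothing is fetched over the network.
"""
from dataclasses import dataclass

# _mta-sts.bank.example TXT record (constructed); the id changes whenever the policy does
SAMPLE_STS_TXT = "v=STSv1; id=20260115T120000Z"

# Body served at https://mta-sts.bank.example/.well-known/mta-sts.txt (constructed)
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.bank.example
mx: *.backup-mx.example
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str      # enforce | testing | none
    max_age: int   # seconds the sender may cache the policy
    mx: list       # permitted MX patterns


def parse_sts_txt(txt):
    """Return the policy id from a '_mta-sts' TXT record, or raise if it is not STSv1."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]


def parse_policy(text):
    """Parse the key: value policy file; unknown extension fields are ignored."""
    version, mode, max_age, mx = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "max_age":
            max_age = int(value)
        elif key == "mx":
            mx.append(value.lower())
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    if mode != "none" and not mx:
        raise ValueError("an enforce/testing policy must list at least one mx")
    return StsPolicy(mode, max_age, mx)


def mx_matches(pattern, host):
    """A leading '*.' matches exactly one leftmost label (RFC 8461 4.1): *.x.example
    matches a.x.example but neither x.example nor a.b.x.example."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        prefix = host[: -len(suffix)]
        return host.endswith(suffix) and prefix != "" and "." not in prefix
    return host == pattern


def delivery_decision(policy, mx_host, tls_ok, cert_valid):
    """Return (deliver, reason). In enforce mode any failure blocks delivery; in
    testing mode mail still goes out and the failure is only reported via TLS-RPT,
    which is exactly the downgrade window the text describes."""
    if policy.mode == "none":
        return True, "no policy in effect"
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append("MX %s is not listed in the policy" % mx_host)
    if not tls_ok:
        problems.append("STARTTLS unavailable or stripped")
    elif not cert_valid:
        problems.append("certificate does not validate for the MX host")
    if not problems:
        return True, "ok"
    if policy.mode == "enforce":
        return False, "; ".join(problems)
    return True, "delivered despite: " + "; ".join(problems)


ENFORCE_POLICY = parse_policy(SAMPLE_POLICY)
TESTING_POLICY = parse_policy(SAMPLE_POLICY.replace("mode: enforce", "mode: testing"))

if __name__ == "__main__":
    print("policy id:", parse_sts_txt(SAMPLE_STS_TXT))
    for policy in (ENFORCE_POLICY, TESTING_POLICY):
        print(policy.mode, delivery_decision(policy, "mx1.bank.example", tls_ok=False, cert_valid=False))
```

The same connection attempt with STARTTLS stripped yields a refusal under the enforce policy and a delivery under the testing policy, which is why a domain that publishes mode: testing and never moves on has not actually closed the downgrade gap. The unlisted-MX case is the one DNSSEC is meant to prevent at the DNS layer; MTA-STS catches it at the transport layer because the policy’s mx list is fetched over authenticated HTTPS rather than from the possibly hijacked MX answer.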

“Organizations invest heavily in building brand trust, but a single DNS hijacking incident can shatter that in seconds. DNSSEC acts as the guardian of your digital identity, ensuring that when customers reach out, they connect with the real you. It’s no longer just an IT protocol; it’s a fundamental layer of brand reputation management.”

Ahona Rudra, Marketing Manager, PowerDMARC

DNSSEC: The Weak Foundation

DNSSEC is enabled on just 18.0% of domains. Without this, the directory system of the internet (DNS) is unprotected. Sophisticated state-sponsored attackers can hijack the DNS response, redirecting a company’s entire email flow to a rogue server without the sender or receiver ever knowing.

Global Benchmarking: U.S. in Context

Country | SPF Correct | DMARC Adoption | DMARC p=reject | MTA-STS (Encryption) | DNSSEC Adoption
United States 🇺🇸 | 95.7% | 95.8% | 49.0% | 1.7% | 18.0%
Netherlands 🇳🇱 | 92.4% | 88.5% | 41.2% | 14.5% | 59.0%
Sweden 🇸🇪 | 85.0% | 77.9% | 29.9% | 2.9% | 25.9%
Norway 🇳🇴 | 85.2% | 83.1% | 29.0% | 2.8% | 45.6%
Australia 🇦🇺 | 91.5% | 78.4% | 26.5% | 3.1% | 6.8%
Saudi Arabia 🇸🇦 | 80.6% | 54.4% | 18.4% | 0.2% | 11.9%
Japan 🇯🇵 | 95.0% | 74.6% | 9.2% | 0.5% | 2.1%

Analysis: Where the US Wins and Where It Lags

The 2025–2026 benchmarking data reveals that the United States is currently the global leader in active defence, boasting the highest p=reject enforcement rate at 49.0%. This success is largely driven by early regulatory mandates and the high-stakes risk environment in banking and healthcare.

However, the U.S. faces a ‘Technical Tail’ problem. While foundational SPF and DMARC adoption is nearly universal, the Netherlands significantly outperforms the U.S. in advanced encryption (MTA-STS).

Furthermore, with DNSSEC adoption at just 18.0%, the U.S. remains more vulnerable to sophisticated DNS hijacking than Norway (45.6%). This gap highlights a strategic focus in America on stopping phishing (DMARC) while under-investing in infrastructure resilience (DNSSEC/MTA-STS). For the U.S. to maintain its cybersecurity leadership, the next phase must move beyond simple identity verification and toward the total encryption and integrity of the global email ecosystem.

From Metrics to Action: Closing the Implementation Gap

The US has the foundational records to lead globally on email authentication. The remaining work is operational: moving from monitoring to enforcement, and adding transport-layer protection that most organisations defer due to perceived complexity.

PowerDMARC closes this gap through three capabilities:

Automated enforcement paths: Migrate Fortune 500s and SMBs from p=none to p=reject without blocking legitimate mail.

Infrastructure simplification: Solve the 10-lookup SPF limit with PowerSPF, host MTA-STS policies, and validate DNSSEC records from a single cloud-native dashboard.

Regulatory readiness: Support compliance with PCI-DSS 4.0, HIPAA, and CISA standards from one platform.

PowerDMARC Perspective

“The US is the primary testbed for AI-driven phishing. American IT teams publish records well but stall at enforcement because they fear blocking legitimate mail. In 2026, monitoring-only is functionally a surrender to sophisticated spoofing. The move to active defence is essential protection against the breaches that will define this year.”

PowerDMARC Team

Conclusion: From Visibility to Defence

The 2026 data is unambiguous. US organisations have built the foundation; the next step is enforcement. In a year where AI-driven impersonation can mimic an executive’s tone and writing style on the first attempt, a monitoring-only posture is a delay.

The migration path from p=none to p=reject takes weeks, not quarters, when records are managed automatically. Sectors that move first will turn email from their largest attack surface into a trusted communication channel.
