DMARC in the News: What’s New in Email Security (2025)
Email threats are evolving fast—and so is the way we defend against them. Here’s what’s making headlines in the world of DMARC this summer:
1. Most Domains Still Aren’t Blocking Spoofed Emails
Only 7.7% of the top 1.8 million domains use the strictest DMARC policy, p=reject, which actively blocks spoofed emails. The vast majority stick with p=none, where they only passively monitor issues. As phishing gets more sophisticated—especially with AI-driven attacks—this enforcement gap leaves many vulnerable.
2. Google Gives DMARC Reports a Visibility Boost
Google has enhanced its DMARC aggregate reports by adding failure diagnostics directly into the XML feedback. Now, you’ll not only see that authentication failed—you’ll also get a clear reason via the new <comment> field under <reason>. This helps organizations pinpoint and resolve issues faster.
3. Microsoft Cracks Down on Bulk Senders
As of May 5, 2025, Microsoft is rejecting (not just filtering) bulk emails that fail SPF, DKIM, or DMARC. This applies to any sender dispatching more than 5,000 messages per day to Microsoft domains (Outlook.com, Hotmail, Live.com). Messages failing authentication trigger a 550; 5.7.15 Access denied error—and may face full rejection soon.
4. Internal Commitment, Not Just External Pressure
A recent EasyDMARC survey found that while awareness of DMARC is improving—75% of U.S. organizations have it set up—only 40% enforce strong policies like quarantine or reject. This suggests that real protection comes when internal teams actively manage and uphold DMARC—not just when it's required externally.
Why These Updates Matter
1. Email Authentication Is Becoming Non-Negotiable
With providers like Microsoft enforcing strict authentication and Google providing more diagnostic clarity, DMARC (alongside SPF and DKIM) is quickly becoming vital for inbox delivery and security.
2. Monitoring Alone Isn’t Enough
Having a DMARC record is just the starting point. Without enforcement (p=reject) and internal ownership, domains remain exposed to impersonation—even if they have a passive “monitor-only” setup.
3. Full Visibility Is Powerful
Thanks to enhanced reporting from providers like Google, identifying and resolving failures isn’t just faster—it’s actionable.
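As an added example (not code from this article or from Google), here is one way to list the sources that fail DMARC in an aggregate report together with any <reason>/<comment> text the reporter supplied. The sample report, its addresses and its comment wording are constructed for illustration, and the function name failing_sources is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout. IPs, domain and
# comment text are invented for illustration, not copied from a real report.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>other</type><comment>constructed: DKIM signature did not verify</comment></reason>
    </policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def failing_sources(xml_text):
    """Return (published policy, {(source_ip, reason): messages}) for rows failing DMARC."""
    if "<!DOCTYPE" in xml_text:  # reports are untrusted input: refuse DTDs and entities
        raise ValueError("DOCTYPE not allowed in aggregate report")
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    failures = Counter()
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result is "pass".
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        comments = [(r.findtext("comment") or "").strip() for r in ev.findall("reason")]
        reason = "; ".join(c for c in comments if c) or "no comment supplied"
        failures[(row.findtext("source_ip"), reason)] += int(row.findtext("count", "0"))
    return policy, dict(failures)

if __name__ == "__main__":
    policy, failures = failing_sources(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for (ip, reason), n in sorted(failures.items(), key=lambda kv: -kv[1]):
        print(f"{n:>5}  {ip:<15}  {reason}")
```

Rows that still fail while the published policy is p=none are the ones to resolve, or confirm as spoofing, before moving to p=quarantine or p=reject.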
What You Should Do
| Action | Why It Matters |
| --- | --- |
| Set DMARC to p=quarantine or p=reject | Stop fraudulent emails from reaching recipients. |
| Use enhanced diagnostics (e.g., Google’s <comment> field) | Pinpoint and fix authentication issues quickly. |
| Prioritize internal ownership | Ensure DMARC policies evolve with your email ecosystem. |
| Regularly monitor and update SPF, DKIM, DMARC | Prevent reappearance of misconfigurations as systems change. |
Final Thoughts
DMARC is no longer optional—it's critical. With email providers tightening rules and phishing attacks accelerating, maintaining robust, enforced email authentication is essential. Monitoring is good, but it’s enforcement and ownership that protect brands and inboxes.
Want help simplifying this? Tools like DMARCeye can translate complex reports into clear action, alert when things go wrong, and help you stay compliant—effortlessly.
Let me know if you’d like a detailed guide on configuring DMARC to reject or quarantine, or how to integrate alerts into your workflow!

