This ToolTrusted study breaks down DMARC adoption by TLD — measured from live DNS across the top 10,000 domains in the Majestic Million in June 2026. Headline averages hide enormous variation: depending on the top-level domain, the share of sites that actually enforce DMARC ranges from 11.0% to 79.0%. Looking at DMARC adoption by TLD — and the same data by country — reveals who is genuinely protected against spoofing and who only looks protected. Every figure below comes from the same 10,000-domain dataset behind our email authentication statistics, segmented by TLD. Nothing is estimated.
DMARC adoption by TLD at a glance
Across the whole sample, 76.6% of domains publish DMARC and only 54.0% enforce it. But that ecosystem average is misleading: DMARC adoption by TLD swings from near-total on regulated TLDs to almost absent on others. The four numbers that frame the whole picture:
DMARC enforcement rate by TLD
Share of domains in each TLD with DMARC at p=quarantine or p=reject, June 2026. Green ≥60%, amber 40–59%, red <40%.
The full breakdown of DMARC adoption by TLD is below. “DMARC published” is any record; “DMARC enforced” is a policy of quarantine or reject (the policies that actually block spoofed mail); “Gap” is the distance between the two — published records that do nothing because they sit at p=none.
| TLD | Domains sampled | SPF | DMARC published | DMARC enforced | Gap |
|---|---|---|---|---|---|
| .gov (US government) | 233 | 94.8% | 95.3% | 79.0% | 16.3pt |
| .uk (United Kingdom) | 241 | 90.0% | 89.6% | 71.4% | 18.2pt |
| .edu (US education) | 308 | 98.7% | 98.4% | 59.4% | 39.0pt |
| .com (commercial) | 4,902 | 86.6% | 79.6% | 58.6% | 21.0pt |
| .ru (Russia) | 150 | 85.3% | 70.0% | 57.3% | 12.7pt |
| .fr (France) | 139 | 91.4% | 84.2% | 52.5% | 31.7pt |
| .io (tech) | 104 | 77.9% | 70.2% | 50.0% | 20.2pt |
| .org (non-profit) | 1,134 | 87.3% | 77.7% | 49.6% | 28.1pt |
| .de (Germany) | 282 | 92.9% | 81.9% | 48.2% | 33.7pt |
| .net (network) | 299 | 66.6% | 54.8% | 34.4% | 20.4pt |
| .jp (Japan) | 187 | 75.4% | 67.4% | 26.7% | 40.7pt |
| .cn (China) | 292 | 49.7% | 18.8% | 11.0% | 7.8pt |
DMARC adoption by TLD: who leads
The strongest performers are the TLDs with gatekeepers. .gov (US government) tops every measure, with 95.3% of domains publishing DMARC and 79.0% enforcing it — unsurprising for a TLD restricted to US government bodies operating under federal mandates. .uk (United Kingdom) follows at 71.4% enforcement, the highest of any non-government TLD. US education (98.4% publishing DMARC on .edu) shows what a coordinated sector can achieve on the publishing side.
Looking at DMARC by country, the European country-code TLDs cluster near the top: .uk (United Kingdom) (71.4% enforced), .fr (France) (52.5%) and .de (Germany) (48.2%) all clear the ecosystem average, reflecting strong GDPR-era security norms and active national CERTs. The lesson from the leaders is consistent: where a TLD has an engaged registry or regulator, email authentication by TLD rises across the board. None of these leaders reached the top by accident — each sits behind either a binding mandate (government, education) or a registry and national CERT that actively promote authentication to their registrants, which is exactly the kind of coordinated pressure the open generic TLDs lack.
DMARC adoption by TLD: who lags
At the other end, .cn (China) is the clear outlier: just 18.8% of these domains publish DMARC at all and only 11.0% enforce it — far below every other TLD in the study and a standing reminder that a message claiming to come from a cn domain is, statistically, the least likely to be backed by enforced authentication. .net (network) is the weakest of the generic Western TLDs (54.8% publishing), and .jp (Japan) illustrates a different failure mode entirely — covered next.
These gaps matter for anyone filtering inbound mail or assessing partner risk: DMARC adoption by TLD is, in effect, a base-rate for how much you can trust the “From” address on a message before you even look at the specific sender. Our best DMARC software guide covers the monitoring tools that turn these population statistics into per-domain visibility.
The enforcement gap by TLD
The most revealing column in the data is not publication or enforcement — it is the gap between them. A wide gap means a TLD has learned to publish DMARC (often to satisfy the Google and Yahoo bulk-sender rules) without finishing the rollout to enforcement, leaving domains that look protected but are still spoofable.
p=none.This is the single highest-value piece of work hiding in the numbers. The TLDs with the widest gaps do not need more domains to start with DMARC — they need the existing records moved from p=none to p=reject. If you operate in one of these spaces, finishing that rollout is what converts a checkbox into actual protection. Our DMARC record guide walks the staged none → quarantine → reject path safely.
Generic vs country-code TLDs: the pattern behind the numbers
Step back from the individual rows and a clear structure emerges in the DMARC adoption by TLD data. Three groups behave very differently. Regulated TLDs (.gov (US government), .edu (US education)) sit at the top because a central authority can mandate and audit authentication. Country-code TLDs are the middle band, and here DMARC by country tracks national security culture closely: the European registries lead, while several large-market country TLDs publish records but stall before enforcement. Open generic TLDs (.com (commercial), .net (network), .io (tech)) are the most variable, because anyone can register them with no security baseline at all.
That structure explains why the ecosystem-wide average is such a poor guide to any individual domain. It also explains where the DMARC enforcement gap concentrates: not on the TLDs that ignore authentication entirely, but on the ones that have started — high publication, lagging enforcement. The strongest predictor of real protection is not whether a TLD knows about DMARC, but whether something or someone pushes its domains past p=none. For senders, the practical takeaway is to judge inbound mail and partners against the base-rate for their TLD, not the headline 76.6% figure — and, if you publish on a high-gap TLD, to recognise that “we have DMARC” almost certainly does not yet mean “we enforce it”.
How we measured DMARC adoption by TLD
We took the top 10,000 domains from the Majestic Million and queried live public DNS for each one in June 2026 using Google and Cloudflare resolvers, then grouped the results by top-level domain. For every domain we read the TXT record at _dmarc.<domain> and its p= policy tag, plus the root SPF record — the same public records mailbox providers check, defined in RFC 7489. Only TLDs with a meaningful sample in the top 10,000 are shown; smaller TLDs are omitted rather than reported on thin counts.
Two caveats apply, as with the parent study. A top-domain sample skews toward larger, better-resourced organisations, so these are best-case figures — real-world DMARC adoption by TLD across all registered domains is almost certainly lower. And we measure the presence and policy of each record, not whether every sending stream is correctly aligned. The method is deliberately reproducible: you can check any single domain yourself with our free Email Health Check.
For the full cross-standard picture — SPF, DMARC, MTA-STS, TLS-RPT and BIMI across all 10,000 domains — see the parent email authentication statistics study, and the email authentication hub for the setup guides behind each standard.
Cite this research
This study is free to use and share under a Creative Commons BY 4.0 licence. If you reference the data, please credit ToolTrusted with a link to this page — that is all we ask.
APA: ToolTrusted. (2026). DMARC Adoption by TLD: Which Domains Actually Enforce Email Authentication (2026). ToolTrusted. https://tooltrusted.com/dmarc-adoption-by-tld/
To embed a link back to this research, copy the snippet below:
<p>Source: <a href="https://tooltrusted.com/dmarc-adoption-by-tld/">DMARC Adoption by TLD: Which Domains Actually Enforce Email Authentication (2026) — ToolTrusted</a></p>
Related reading
DMARC adoption by TLD FAQ
Which TLDs enforce DMARC the most?
In our June 2026 study, .gov (US government) leads with 79.0% of domains enforcing DMARC, followed by .uk (United Kingdom) (71.4%) and .edu (US education) (59.4%). Regulated and country-code TLDs with active registries consistently outperform the generic ones.
Which TLD has the weakest email authentication?
.cn (China) has the weakest email authentication by TLD in our sample: only 18.8% of these domains publish DMARC and 11.0% enforce it, with SPF also the lowest at 49.7%. Mail claiming to come from these domains is the least likely to be backed by enforced authentication.
Why does DMARC adoption vary so much by country?
DMARC by country tracks closely with registry policy, national CERT activity and regulation. European country TLDs (uk, de, fr) cluster high, while TLDs with less coordinated security guidance trail. Regulation and an engaged registry move adoption far more than any single mailbox provider’s rules.
What is the DMARC enforcement gap?
It is the difference between domains that publish a DMARC record and those that set it to an enforcing policy (quarantine or reject). A domain at p=none has a record but blocks nothing. The gap is widest on .jp (Japan) (40.7 points), meaning many domains there look protected but remain spoofable until they finish the rollout.
How can I check DMARC adoption for a specific domain?
Use our free DMARC lookup and authentication audit to read any domain’s published DMARC record and policy in seconds. This study reports the population picture of DMARC adoption by TLD; the lookup tools give you the per-domain answer for any address you care about.
Cite this article
Raj Kapoor. "DMARC Adoption by TLD: Which Domains Actually Enforce Email Authentication (2026)." ToolTrusted, June 27, 2026, https://tooltrusted.com/dmarc-adoption-by-tld/.
Raj Kapoor. (2026). DMARC Adoption by TLD: Which Domains Actually Enforce Email Authentication (2026). ToolTrusted. https://tooltrusted.com/dmarc-adoption-by-tld/
Notice something outdated or incorrect in this review? Let us know below, and our team will update it within 24 hours.