Research · 25 June 2026
The State of Email Authentication in the Fortune Global 500
An analysis of DMARC, SPF, DKIM, and BIMI across the 500 largest companies in the world — June 2026
A SimpleDMARC research report. Live DNS scan of all 500 Fortune Global 500 domains, conducted 25 June 2026.

Key findings at a glance
63% of the world's 500 largest companies enforce DMARC (a policy of quarantine or reject). 48% are at full p=reject.
One in five — 20.6% — have no DMARC record at all. Their domains can be spoofed with nothing to stop the message reaching an inbox.
Posture is predicted by geography, not size. The UK (95%), France (92%), the US (84%), and Germany (80%) enforce at high rates. China (23%) and Japan (34%) lag sharply.
More than half of China's largest companies (58%) have no DMARC record at all. China is a quarter of the list and pulls every global average down on its own.
Banks lead all industries at 85% enforcement, a pattern that holds across multiple countries.
BIMI is a maturity badge, not a misconfiguration: all 56 companies with a BIMI record already enforce DMARC.
Among the 500 largest companies on Earth, whether an attacker can send email that appears to come from your domain is decided less by your size or your security budget than by the country your headquarters sits in. We scanned every domain in the Fortune Global 500 in June 2026. In the United Kingdom and France, more than nine in ten of these companies have configured DMARC to actively block spoofed mail. In China, fewer than one in four have — and more than half have no DMARC record of any kind.
That is the finding that stayed with us after the numbers settled. Not that large companies are behind on email authentication — many are well ahead — but that "large company" turns out to be almost meaningless as a predictor. A €100-billion-revenue manufacturer in Germany and a €100-billion-revenue manufacturer in China run on the same scale of resources and the same caliber of engineers, and one has closed the spoofing door while the other has left it open. The variable that separates them is geography, not capability.
This report walks through what we measured, what it means, and where the gaps are most exploitable — for the companies themselves, and for anyone whose job is to protect them.
What we looked at and why
DMARC — Domain-based Message Authentication, Reporting and Conformance — is the standard that lets a domain owner tell the world's mail servers what to do with messages that fail authentication: ignore the failure (p=none), divert the message to spam (p=quarantine), or reject it outright (p=reject). Only the last two stop a spoofed email from landing in an inbox. A domain at p=none is watching the door without locking it. A domain with no DMARC record has no door.
For two decades, the email authentication story was about getting anyone to adopt these standards at all. That fight is largely over at the top of the market. The interesting question in 2026 is no longer "do the biggest companies publish DMARC?" — most do. It is "have they actually turned on enforcement, and if not, who hasn't?" That distinction — between publishing a record and enforcing a policy — is where the real exposure lives, and it is the distinction most adoption statistics blur.
We chose the Fortune Global 500 deliberately. It is a fixed, named, recognizable list of the world's largest companies by revenue, spanning 36 countries and every major industry. It is not a sample we drew — it is effectively a census of the top of the global economy, which means there is no sampling error to argue about. Every percentage in this report is a count of real organizations, not an extrapolation.
How we measured it
For each of the 500 companies we identified the primary organizational domain and performed live DNS lookups on June 25, 2026. For every domain we recorded the presence and configuration of MX records, SPF and its policy qualifier, DMARC and its published policy, DKIM signing, BIMI, MTA-STS, and TLS-RPT, plus the primary email infrastructure provider inferred from MX records. All 500 domains resolved; none returned errors, so the denominator throughout is a clean 500.
Three honest limitations belong up front, because the credibility of an aggregate report rests entirely on its method:
We measured the published policy, not the effective one. A DMARC record can carry a pct tag that applies the policy to only a fraction of mail, or a subdomain policy (sp) that weakens enforcement below the top level. Our scan captured the headline policy tag, not these modifiers. That means our enforcement figures are, if anything, a slight over-statement of real-world enforcement — some domains we count as enforcing may be enforcing on only part of their mail.
DKIM detection is conservative. DKIM keys live at selector-specific DNS locations, and without observing live mail you cannot enumerate every selector a domain uses. Our 58.2% DKIM figure is therefore a floor, not a ceiling — true DKIM usage is higher. We do not lead with this number for that reason.
"Provider" reflects the inbound gateway, not always the mailbox host. A company running Microsoft 365 behind a Proofpoint or Mimecast gateway shows the gateway in its MX records. Our provider counts describe what sits at the front door, which is a different question from who hosts the mailboxes behind it.
With that established, here is what the data shows.
Finding 1: The geographic divide is the story
When we break enforcement down by headquarters country for every cohort with at least 20 companies, the spread is not subtle.
The United Kingdom (95% enforcing, zero companies without DMARC), France (92%, zero without), the United States (84%, 3% without), and Germany (80%, 7% without) form a cluster of maturity. These are markets where enforcement is now the default among the largest firms.
Then the cliff. Japan sits at 34% enforcement with nearly a third of its giants carrying no DMARC record at all. And China — 124 companies, almost a quarter of the entire list — sits at 23% enforcement, with 58% having no DMARC record whatsoever. Of China's 124 largest companies, 72 publish nothing; only 10 have reached p=reject. The low-enforcement cohorts cluster in East Asia: alongside China and Japan, South Korea's smaller group of 14 companies shows half with no record and none enforcing. India runs against the regional grain, with 78% of its (smaller, N=9) cohort enforcing.
Because China is so heavily represented on the global list, it pulls the worldwide averages down on its own. The "global" number for any metric in this report is really a blend of a mature Western bloc and a largely unprotected Chinese bloc. Anyone citing a single global adoption figure for the Fortune Global 500 is averaging across two populations that barely resemble each other.
Finding 2: One in five of the world's largest companies still have no DMARC at all
Across all 500 companies, 79.4% (397) publish a DMARC record. That leaves 103 companies — 20.6% — with no DMARC record of any kind. These are not obscure firms. They are among the 500 largest enterprises on the planet, and their domains can be spoofed in a phishing email with nothing to stop the message reaching the target's inbox.
This is also where we have to correct a tempting but wrong way to read the data. It is easy to lump "no record" together with "policy set to none" and report a single large "unprotected" bucket. They are different failures. A company at p=none has deployed DMARC, is likely collecting reports, and is plausibly mid-journey toward enforcement — they have started. A company with no record has not begun. Conflating the two flatters the laggards and slanders the in-progress.
The honest four-way split across all 500: 240 (48.0%) at p=reject, 75 (15.0%) at p=quarantine, 82 (16.4%) at p=none, and 103 (20.6%) with no DMARC record. So 315 companies — 63.0% of the entire list — actively enforce. Among only the 397 that publish DMARC at all, 79.3% enforce, and the 82 stuck at p=none represent the group most worth a nudge: they have done the hard part of deploying and now need to move the policy tag.
Finding 3: Banks lead, and it isn't a fluke of geography
Sliced by industry, the cleanest signal comes from commercial and savings banks, the largest single industry group on the list with 61 companies. Banks enforce at 85%, well above the overall 63%, with only 10% carrying no DMARC record.
We checked whether this was just a Western-banks artifact. It is not — the banking cohort is spread across the United States, China, the United Kingdom, Canada, France, and Brazil. The sector genuinely runs ahead of the pack, which fits: banks are the most-phished brands in the world and the most heavily regulated, and they have had both the threat and the compliance pressure to act.
A caution on reading industry numbers from this list, though. Several industry buckets are dominated by a single country, and when they are, the "industry" finding is really a geography finding wearing a different hat. The starkest example: the Metals sector shows just 5% enforcement and 62% with no DMARC record — but 17 of its 21 companies are Chinese steel and aluminum producers. That number describes Chinese heavy industry, not the metals sector globally. We treat only the industries large and geographically mixed enough to be meaningful — banks chief among them — as standalone findings, and we count the rest as too confounded to publish as industry results.
Finding 4: BIMI is a maturity badge, not a missed configuration
BIMI — the standard that puts a brand's verified logo next to its emails — appears on 56 domains, 11.2% of the list. The notable thing is what we didn't find. BIMI technically requires DMARC enforcement to display, and one might expect to catch companies that deployed a BIMI record without the enforcement to back it. There are none. All 56 BIMI adopters already enforce DMARC — 48 at reject, 8 at quarantine.
That makes BIMI, in this population, a clean signal of email-authentication maturity rather than a source of misconfiguration. The companies reaching for the logo have already locked the door. It also marks the frontier: only 11.2% have taken this step, and the transport-security standards sit even further out — MTA-STS at 5.2% and TLS-RPT at 6.8%. These are where the leading edge is thin enough that adopting now still means being early.
What this means, and for whom
For the companies on this list, the action items sort cleanly by where they sit. The 103 with no DMARC record have an unguarded brand and should treat that as the priority it is — deploying DMARC in monitoring mode costs nothing and breaks nothing, and it is the prerequisite for everything else. The 82 at p=none have already done the deployment work and are leaving the actual protection switched off; their path is to read their aggregate reports, confirm their legitimate senders are passing, and move the policy to quarantine and then reject. The 315 already enforcing should be checking the modifiers our scan couldn't see — that pct is at 100 and subdomain policy isn't quietly undercutting the top-level one — and looking at BIMI and transport security as the next maturity steps.
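The modifiers named above and in the first limitation (pct and sp) can be checked record by record. As an added example, not SimpleDMARC's scanner code, the Python below sorts the TXT strings found at `_dmarc.<domain>` into the report's four buckets and flags a pct below 100 or a non-enforcing sp; the sample records and the names `parse_dmarc`, `audit` and `SAMPLES` are constructed for illustration.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None                      # the version tag must come first
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def audit(txt_records):
    """Classify one domain from the TXT strings published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        # Zero records, or several: with more than one, receivers apply no DMARC policy.
        return {"bucket": "no-record", "pct": None, "sp": None, "gaps": []}
    tags = records[0]
    p = tags.get("p", "").lower()
    if p not in ("none",) + ENFORCING:
        p = "none"                       # simplification: unusable p counted as monitor-only
    sp = tags.get("sp", p).lower()       # subdomains inherit p when sp is absent
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100                        # unparsable pct falls back to the default
    gaps = []
    if p in ENFORCING and pct < 100:
        gaps.append(f"policy applies to only {pct}% of failing mail")
    if p in ENFORCING and sp not in ENFORCING:
        gaps.append(f"subdomains are at sp={sp}")
    return {"bucket": p, "pct": pct, "sp": sp, "gaps": gaps}

SAMPLES = {   # constructed records, not results from the scan
    "full.example": ["v=DMARC1; p=reject; rua=mailto:agg@full.example"],
    "partial.example": ["v=DMARC1; p=reject; pct=25; sp=none"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:agg@monitor.example"],
    "absent.example": ["v=spf1 -all"],
    "double.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLES.items():
        print(domain, audit(txts))
```

A headline-only scan would count `partial.example` as p=reject; the `gaps` list is what separates it from `full.example`.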
For everyone whose job is defending these organizations — their IT teams, their MSPs, their security vendors — the geographic and sector patterns are a targeting map. The exposure is concentrated, not evenly spread. More than half of one major economy's largest firms have no DMARC at all. Whole industry segments in specific regions are wide open. The cost of that exposure is not theoretical: an unprotected domain is an attacker's free infrastructure for phishing the company's own customers, partners, and employees, and the reputational damage of a successful brand-impersonation campaign lands on the spoofed company regardless of fault.
A monitoring and reporting platform — the category SimpleDMARC sits in — is the practical instrument for the middle group especially: the companies that have deployed DMARC but stalled at p=none because they can't see whether moving to enforcement will break legitimate mail. That visibility is exactly what aggregate report analysis provides, and it is the difference between a policy that watches and a policy that protects.
What we'll be watching
This is a single snapshot, taken on one day in June 2026. Its real value arrives on the second pass. The questions worth tracking: does the Chinese cohort begin to close the gap, and how fast? Does Japan's middle-of-the-pack position move? Does BIMI cross from badge-of-the-few toward a norm, the way DMARC enforcement itself did in the Western large-cap market over the past five years?
We intend to rescan the same list on the same methodology and report the deltas. A benchmark is only as useful as its consistency, and the most interesting version of this report is the one that exists a year from now with two data points to compare. If you operate one of these domains, or defend a portfolio of them, the most useful thing you can do with this snapshot is locate yourself in it — and if you're in the 20.6% with no record, or the 16.4% watching an unlocked door, treat that as the finding that was actually about you.
Data appendix
Protocol adoption across all 500 companies
| Protocol | Companies | Adoption |
|---|---|---|
| SPF | 458 | 91.6% |
| MX | 457 | 91.4% |
| DMARC | 397 | 79.4% |
| DKIM* | 291 | 58.2% |
| BIMI | 56 | 11.2% |
| TLS-RPT | 34 | 6.8% |
| MTA-STS | 26 | 5.2% |
\* DKIM is a floor — selector-probe limitations mean true adoption is higher.
DMARC posture (all 500)
| Posture | Companies | Share |
|---|---|---|
| p=reject (enforcing) | 240 | 48.0% |
| p=quarantine (enforcing) | 75 | 15.0% |
| p=none (monitor only) | 82 | 16.4% |
| No DMARC record | 103 | 20.6% |
| Enforcing total | 315 | 63.0% |
DMARC by headquarters country
Countries with N ≥ 20 carry the headline findings. Smaller cohorts are listed for completeness but should be read with their sample size in mind.
| Country | N | DMARC | Enforcing | No record |
|---|---|---|---|---|
| U.S. | 138 | 97% | 84% | 3% |
| China | 124 | 42% | 23% | 58% |
| Japan | 38 | 68% | 34% | 32% |
| Germany | 30 | 93% | 80% | 7% |
| France | 24 | 100% | 92% | 0% |
| U.K. | 20 | 100% | 95% | 0% |
| South Korea | 14 | 50% | 0% | 50% |
| Canada | 13 | 100% | 92% | 0% |
| Switzerland | 12 | 100% | 92% | 0% |
| Netherlands | 11 | 100% | 91% | 0% |
| Spain | 9 | 100% | 89% | 0% |
| India | 9 | 89% | 78% | 11% |
| Brazil | 7 | 100% | 100% | 0% |
| Taiwan | 6 | 83% | 50% | 17% |
| Russia | 6 | 83% | 67% | 17% |
| Australia | 6 | 100% | 100% | 0% |
DMARC by industry (groups with N ≥ 20)
Of 56 total industry categories on the list, only these five reach N ≥ 20.
| Industry | N | Enforcing | No record | Note |
|---|---|---|---|---|
| Banks: Commercial and Savings | 61 | 85% | 10% | Geographically mixed — robust finding |
| Motor Vehicles & Parts | 35 | 60% | 26% | |
| Petroleum Refining | 32 | 56% | 12% | |
| Food & Drug Stores | 20 | 60% | 15% | |
| Metals | 21 | 5% | 62% | 17 of 21 are Chinese — read as geography, not sector |
Email infrastructure (inbound gateway, inferred from MX)
| Provider | Companies | Share |
|---|---|---|
| Unknown / Self-hosted* | 199 | 39.8% |
| Microsoft 365 | 161 | 32.2% |
| Proofpoint | 95 | 19.0% |
| Cisco IronPort / ESA | 19 | 3.8% |
| Google Workspace | 13 | 2.6% |
| Mimecast | 6 | 1.2% |
| Amazon SES | 3 | 0.6% |
| Trend Micro | 3 | 0.6% |
| Apple | 1 | 0.2% |
\* "Unknown / Self-hosted" is a detection-gap category, not a market-share claim.
SPF policy qualifier
Among the 458 companies with an SPF record.
| Qualifier | Companies | Share of SPF records |
|---|---|---|
| Hard fail (-all) | 284 | 62.0% |
| Softfail (~all) | 164 | 35.8% |
| Other | 10 | 2.2% |
