France is making progress on DMARC, yet a large majority of observed domains remain insufficiently protected against email spoofing. For businesses, that gap affects both brand security and control over their own sending infrastructure.
This article examines the May 26, 2026 snapshot supplied for this publication from DmarcDkim.com’s DMARC Adoption in France page. The source updates its measurement regularly: when consulted on May 27, the live page already showed a refreshed observation. The figures below therefore refer to the May 26 dataset of 15,908 domains under the source’s methodology, not an exhaustive audit of every French domain.
Direct Answer
As of May 26, 2026, 73.6% of observed domains in France had no effective DMARC protection. Only 9.5% reached full protection through a p=reject policy enforced at pct=100, while 17.0% had partial protection.
Strict adoption stood at 23.4%, an increase of 1.7 percentage points over six months. France is moving forward, but the figures reveal a significant gap between publishing a DMARC record and enforcing a policy that effectively reduces domain impersonation risk.
In Short
- 73.6% of observed domains lack effective DMARC protection.
- 9.5% have full protection through
p=reject; pct=100. - 17.0% have partial protection.
- 23.4% operate a strict
p=quarantineorp=rejectpolicy atpct=100. - 42.2% have no DMARC record.
- France remains below the reported European and global averages for full protection.
What the Statistics Show
The protection-level view distinguishes full enforcement, partial deployment and the absence of effective protection. That distinction matters because a domain may have a visible DMARC record in DNS without asking receivers to act on messages that fail alignment.
| Protection level | Share of observed domains | Practical meaning |
|---|---|---|
| Full protection | 9.5% | p=reject enforced at pct=100: DMARC failures are requested to be rejected. |
| Partial protection | 17.0% | Quarantine or gradual rollout: some protection exists, without meeting the source’s full-protection definition. |
| No effective protection | 73.6% | Monitoring-only policy, invalid record or no record: spoofing is not sufficiently addressed through DMARC. |
DMARC first checks whether mail using the visible From domain aligns through SPF or DKIM, then publishes a policy for authentication failures. It helps reduce email spoofing and some phishing scenarios, but it is not a complete spam filter, an account-compromise defense or an inbox-placement guarantee.
Why Having DMARC Does Not Mean Being Protected
Publishing a record is the beginning of a deployment, not the end. A domain using p=none can collect valuable reporting information, but it does not ask receivers to quarantine or reject messages failing DMARC.
Several situations account for the gap between presence and protection:
- A
p=nonerecord supports monitoring but does not enforce protection. - An invalid record may not be usable by receivers.
- A
pctbelow100means stronger policy applies to only part of the evaluated mail. - A strict policy deployed before sender discovery can disrupt legitimate, unaligned sending flows.
In the source’s terminology, full protection specifically means p=reject; pct=100. A strict quarantine policy at 100% is meaningful enforcement, but is not counted as full protection in this measurement.
Detailed DMARC Policy Distribution in France
The policy distribution reveals where operational work remains: domains without any record and records disabled at p=none still account for a substantial portion of the observed base.
| Source category | Percentage | Estimated domains* | Simple interpretation |
|---|---|---|---|
Strict policy (p=quarantine/reject, pct=100) | 23.4% | approx. 3,722 | An enforcement policy applies to all evaluated messages. |
In progress (pct < 100) | 2.8% | approx. 445 | The domain is gradually moving toward wider enforcement. |
Disabled (p=none; pct=0) | 30.5% | approx. 4,852 | A record exists, but no protective disposition is requested. |
| Invalid record | 1.1% | approx. 175 | The published configuration contains an error. |
| No record | 42.2% | approx. 6,713 | No DMARC policy record is detected. |
* Estimates calculated from the 15,908-domain base and the rounded percentages supplied for the May 26 snapshot; totals can vary slightly due to rounding.
France Compared with Europe and the World
France is not standing still: strict adoption rose by 1.7 percentage points over six months. However, there is still meaningful headroom at the strongest protection levels.
| Indicator | France | EU average | Global average |
|---|---|---|---|
Full protection (p=reject; pct=100) | 9.5% | 12.6% | 11.2% |
Strict adoption (p=quarantine/reject; pct=100) | 23.4% | - | 27.7% |
France trails the reported EU full-protection average by 3.1 percentage points and the global average by 1.7 points. For strict adoption, it trails the global average by 4.3 points.
The standards environment is also moving forward: DMARCbis and RFC 9989, RFC 9990 and RFC 9991 provide a modernized specification, while organizations still need to operationalize their own policy and reporting.
Why the Gap Matters
Where no effective policy is enforced, attempts to spoof the visible domain are less consistently handled by receiving systems. The business risks are practical:
- Spoofed messages can imitate a brand, executive or finance team.
- Phishing campaigns can erode customer and partner trust.
- Weak domain governance complicates reputation analysis and incident response.
- Multiple marketing, transactional and workplace senders make unauthorized use harder to spot.
DMARC does not solve every deliverability issue. It does provide an important email authentication signal and reporting channel for governing who is allowed to use a domain.
Practical Actions for French Organizations
Improving DMARC protection means treating it as a controlled process: observe, fix, enforce and monitor. SMBs can start without breaking legitimate email if deployment follows evidence from reporting.
- Inventory every legitimate sender using the domain.
- Validate SPF within its technical limits.
- Enable DKIM on each flow able to sign mail.
- Publish a monitoring DMARC policy while the inventory is incomplete.
- Collect and analyze DMARC XML reports.
- Remediate non-aligned or unknown sources.
- Separate marketing, transactional and human flows, including with a sending subdomain when appropriate.
- Progress toward
quarantine, thenreject, once flows are controlled. - Monitor reputation, complaints and delivery failures.
A step-by-step method is available in How to Configure SPF, DKIM and DMARC Without Breaking Email Delivery. Once authentication is in place, Google Postmaster Tools, the guide to spam or Gmail Promotions placement and the SMTP error list help complete operational monitoring.
What Dharmail Recommends
For an SMB, the right goal is not simply to “have DMARC.” It is to operate DMARC in a way that is useful, understood, monitored and gradually enforced: senders are known, reports are read, alignment gaps are repaired and policy reflects controlled business flows.
A monitored p=none policy can be the right first step. It should not become an indefinite default once legitimate sources are identified and aligned.
FAQ
What does full DMARC protection mean?
In the analyzed statistics, full protection means a p=reject policy enforced for 100% of messages with pct=100.
Why can a domain with DMARC still be vulnerable?
A domain can publish DMARC while remaining at p=none, using partial enforcement, publishing an invalid record or leaving legitimate flows unaligned.
What is the difference between p=none, quarantine and reject?
p=none is for monitoring, quarantine asks receivers to treat non-aligned mail as suspicious, and reject asks them to reject it. Enforcement should follow report analysis.
Should a domain move straight to reject?
Usually not. Inventory senders, enable SPF and DKIM, analyze reports and gradually enforce once legitimate flows are understood.
Why do so many domains still have no effective DMARC protection?
DMARC requires visibility over all sending tools and remediation of alignment issues. Environments combining workplace email, marketing, billing and applications take effort to govern.
How do I know whether my domain is protected?
Check the DMARC policy and enforcement percentage, then review reports to confirm that authorized sources align through SPF or DKIM.
What if multiple tools send email for my domain?
Inventory every platform, configure SPF and DKIM where relevant, separate flows with subdomains when useful and monitor DMARC reports before enforcing.
Does DMARC automatically improve deliverability?
No. DMARC primarily reduces spoofing through authentication and alignment; deliverability also depends on reputation, complaints, content and sending practices.
Conclusion
France’s figures show growing awareness, but also a significant remaining gap. Genuine maturity is not achieved by publishing a symbolic record; it comes from managing email authentication over time.
If you need to establish whether your domain is effectively protected, validate SPF/DKIM/DMARC configuration or analyze sending flows, Dharmail can provide a practical, actionable audit. Contact Dharmail to define your current protection level and next steps.
Primary source: DmarcDkim.com, DMARC Adoption in France, May 26, 2026 reference data reproduced according to the snapshot supplied for this article.