---
title: "9 Reasons Why Companies Resist Implementing DMARC | DMARC Report"
description: "DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header."
image: "https://dmarcreport.com/og/blog/9-reasons-why-companies-resist-implementing-dmarc.png"
canonical: "https://dmarcreport.com/blog/9-reasons-why-companies-resist-implementing-dmarc/"
---

Quick Answer

DMARC (Domain-based Message Authentication Reporting and Conformance) has been in the frame of email security since 2013, and still, a wide range of companies and organizations haven’t adopted it. As per a survey, the SaaS 1000 sector has the best \[DMARC adoption\](https://dmarcreport.com/blog/dmarc-adoption-amongst-us-education-sector/), which is \[46%\](https://webinarcare.com/best-dmarc-software/dmarc-statistics/#DMARCAdoptionStatistics). It’s not even 50%, and mind you, we are talking about the sector with the highest adoption rate!

Related: [Free DMARC Checker](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2F9-reasons-why-companies-resist-implementing-dmarc%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=9%20Reasons%20Why%20Companies%20Resist%20Implementing%20DMARC&url=undefined%2Fblog%2F9-reasons-why-companies-resist-implementing-dmarc%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2F9-reasons-why-companies-resist-implementing-dmarc%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2F9-reasons-why-companies-resist-implementing-dmarc%2F&title=9%20Reasons%20Why%20Companies%20Resist%20Implementing%20DMARC "Share on Reddit") [ ](mailto:?subject=9%20Reasons%20Why%20Companies%20Resist%20Implementing%20DMARC&body=Check out this article: undefined%2Fblog%2F9-reasons-why-companies-resist-implementing-dmarc%2F "Share via Email") 

![9 Reasons Why Companies Resist Implementing DMARC](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

## Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

[ Check DMARC Record → ](/tools/dmarc-checker/) 

DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC (Domain-based Message Authentication Reporting and Conformance) has been in the frame of email security since 2013, and still, a wide range of companies and organizations haven’t adopted it. As per a survey, the SaaS 1000 sector has the best [DMARC adoption](https://dmarcreport.com/blog/dmarc-adoption-amongst-us-education-sector/), which is [46%](https://webinarcare.com/best-dmarc-software/dmarc-statistics/#DMARC%5FAdoption%5FStatistics). It’s not even 50%, and mind you, we are talking about the sector with the **highest adoption rate**!

> The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter - you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.

The situation is worse in the **legislative and judiciary branches**, with [17.3% and 13% ](https://webinarcare.com/best-dmarc-software/dmarc-statistics/#DMARC%5FAdoption%5FStatistics)adoption rates, respectively.

On speaking with some **cross-industry giants**, we came across the following reasons that have been impeding them from [implementing DMARC](https://dmarcreport.com/blog/real-world-case-studies-of-brands-successfully-implementing-dmarc-dkim-and-spf/) even in 2023.

## Why Companies Aren’t Sure to Implement DKIM?

DMARC works in accordance with [SPF (Sender Policy Framework)](https://dmarcreport.com/what-is-spf/) and DKIM (DomainKeys Identified Mail) to protect your domains and subdomains from email spoofing and phishing. This subsequently shields your reputation and the flow of the sales funnel while keeping you and the email receivers away from [ransomware attacks](https://economictimes.indiatimes.com/tech/technology/indias-security-landscape-under-attack-as-ransomware-malware-threats-spike-report/articleshow/104313656.cms) and legislation. In case of a data breach, GDPR and other bodies impose hefty fines due to your lack of securing and **handling sensitive customer data**/content in the desired way.

As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

![Dmarc check](https://media.mailhop.org/dmarcreport/images/2023/10/dmarc-check-6.jpg) 

However, companies are still dubious about its deployment, primarily because of these reasons-

## 1\. Fear of Disrupting Email Delivery

DMARC instructs recipients’ servers on what actions to take against \*\*illegitimate email messages sent from your organization’s domain. You can choose one of the three [DMARC policies](https://dmarcreport.com/dmarc-policy/): none, quarantine, and reject.

Setting the strictest policy, that is p=reject, offers the best protection against \*\*malicious email senders trying to send phishing and [spoofing emails](https://timesofindia.indiatimes.com/city/pune/crooks-use-email-spoofing-to-cheat-firm-of-rs-27-8-lakh/articleshow/80522115.cms) in your company’s name. However, at times, the reject policy mentioned in the DMARC DNS record is implemented to genuine email conversations, resulting in the bouncing back of important messages.

_This disturbs the flow and quality of email delivery and communication, which consequently impacts operations at various levels_. In some cases, even your \*\*brand’s reputation gets hit since the desired recipient didn’t receive the email message pertaining to customer support, order status, billing, updates to stakeholders, pitch decks, etc.

## Solution:

Don’t be in haste to shift to the strictest policy. Let your [DMARC record](https://dmarcreport.com/blog/how-to-create-dmarc-record-stop-email-spoofing-domain/) be set to the p=quarantine policy till you are confident. Confidence comes from \*\*regular DMARC monitoring through [RUF and RUA reports](https://dmarcreport.com/dmarc-forensic-report/) to evaluate the rate of false positives.

## 2\. Resource Constraints

For smaller organizations or those with limited IT resources, the prospect of implementing DMARC can be daunting. DMARC requires a coordinated effort across different teams, including IT, security, and marketing, and may involve changes to email systems and [DNS records](https://www.cloudflare.com/learning/dns/dns-records/#:~:text=What%20is%20a%20DNS%20record,handle%20requests%20for%20that%20domain.) (domain name system records). Resource constraints, both in terms of personnel and budget, can make \*\*DMARC implementation appear impractical.

## Solution\*\*:\*\* You can outsource the task to agencies specialized in [DMARC monitoring](https://dmarcreport.com/use-dmarcreports-to-monitor-your-domains/) and troubleshooting. Some reputed names include [DuoCircle](https://www.duocircle.com/), a stop platform for message authentication through SPF and **DMARC services**.

## 3\. Perceived Complexity

DMARC is a **fairly complex protocol**, and this fact overwhelms and discourages companies from linking it to their email infrastructures.

## Solution:

It’s suggested to give the responsibility to a DMARC service provider .

## 4\. Resistance to Change

_Resistance to change is the common barrier to the implementation of any new technology_. Companies are comfortable with their current operational and **security architecture**, but little do they realize the limitations and [vulnerabilities](https://www.upguard.com/blog/vulnerability) associated with outdated systems and technologies.

## Solution:

Talk to company owners who have already been using [DMARC](https://dmarcreport.com/) for some time so that you gain some confidence, even if it comes with a **pinch of skepticism**. Also, plan a proper flow for its deployment across your email infrastructure.

## 5\. False Positives for Marketing Emails

False positives for marketing emails cause them to either [bounce back](https://snov.io/blog/email-bounce-back/) or land in spam folders, neither of which are desirable from a **marketing perspective**. _This significantly drops the chances that recipients would engage with your messages, thus impacting the marketing ROI_.

Moreover, emails sent using @yahoo.com, @aol.com, and @gmail.com fail DMARC authentication checks and hit the deliverability rate.

## Solution:

You can resolve this by using your custom domain to send marketing emails. This can be followed by implementing [BIMI](https://dmarcreport.com/blog/the-role-of-bimi-in-the-fight-against-email-fraud-and-scam/) in addition to DMARC so that a trademarked logo shows up next to emails sent by you. These authentication methods \*\*boost engagement and validation rates for the domain owner.

## 6\. Staff Engaging in Shadow IT Expresses Disapproval of DMARC

Shadow IT is the practice of using tools, services, and devices that the company hasn’t **sanctioned officially**.\_ Employees use them discreetly to make their work easy and speedy whilst boosting innovation and productivity\_. On the other side, [shadow IT isn’t secured and often acts as a gateway for hackers](https://www.openaccessgovernment.org/organisations-risk-shadow-it-security-threat/160467/).

Implementing DMARC enables you to \*\*detect the presence of such tools and even identify the individuals utilizing them. This is why employees engaged in \*\*shadow IT exhibit hesitation when it comes to complying with DMARC.

## Solution:

\*\*Eliminate the use of shadow IT implied in any form.

## 7\. Trouble in Overcoming the SPF DNS Lookup Limit

DMARC works on the basis of SPF and [DKIM](https://dmarcreport.com/what-is-dkim/) results. There’s a limitation of a maximum of 10 [DNS lookups](https://dmarcreport.com/blog/fix-spf-permerror-overcome-too-many-dns-lookups/), and exceeding this causes your SPF record to go invalid, which consequently affects DMARC. Companies with an extensive \*\*email infrastructure find it challenging to stay within this limit.

## Solution:

Use [AutoSPF](https://autospf.com/)’s services to automatically compress your [SPF record](https://dmarcreport.com/blog/spf-format-checker-dos-and-donts-for-email-authentication/) and eliminate the need for multiple and **frequent lookups**. It works by replacing IP addresses with the corresponding domain names.

## 8\. Global Compliance Challenges

Cross-country data storage and [email authentication](https://dmarcreport.com/blog/spf-vs-dkim-vs-dmarc-difference-explained-2026/) come with global compliance challenges. If your workplace is located in Europe, adhering to [GDPR](https://en.wikipedia.org/wiki/General%5FData%5FProtection%5FRegulation), the most stringent global privacy and security regulation, is mandatory. _Furthermore, numerous European private and public entities are cautious about transferring data abroad_. Under GDPR’s privacy guidelines, even \*\*IP addresses are classified as personally identifiable information (PII).

![Dmarc check](https://media.mailhop.org/dmarcreport/images/2023/10/dmarc-check-1790.jpg) 

## Solution:

Start receiving [DMARC reports](https://dmarcreport.com/blog/how-to-read-dmarc-reports-guide-2026/) for domains and subdomains as per the regions where your emails are restricted.

## 9\. DMARC Report Interpretation Challenge

DMARC reports can be challenging to interpret due to **technical complexity**, varying report formats, large data volumes, and a lack of context. Additionally, incomplete or inconsistent data, the [evolving threat landscape](https://www.linkedin.com/pulse/evolving-threat-landscape-deep-dive-modern-andy-longhurst), and a shortage of \*\*user-friendly tools can make it difficult for organizations to derive actionable insights. Expertise in [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) and authentication results is often required to make sense of DMARC reports effectively.

## Solution:

Use [online tools](https://dmarcreport.com/features/) that convert these reports into an **easy-to-comprehend format**. DMARCReport’s full-featured API not only allows you to provision accounts but also to pull stats and reports into your own applications.

## Overcoming Resistance to DMARC Implementation

While these reasons for resistance are valid, they should not deter organizations from implementing DMARC for their email server. The benefits of DMARC, including \*\*enhanced email security and [protection from phishing](https://dmarcreport.com/blog/unlocking-the-power-of-dmarc-shielding-you-and-your-customers-from-phishing-attacks/) attacks, far outweigh the initial challenges. You can also [reach out to us](https://dmarcreport.com/book-a-demo/) to seek professional guidance and make the process easier.

## Sources

- [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)
- [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025)
- [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)

## Topics

[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 8m  10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective  Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[  Foundational 12m  10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast  Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[  Foundational 12m  10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection  Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[  Foundational 12m  10 Reasons SPF Filtering Is Critical For Email Security  Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"9 Reasons Why Companies Resist Implementing DMARC","description":"DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header.","url":"https://dmarcreport.com/blog/9-reasons-why-companies-resist-implementing-dmarc/","datePublished":"2023-10-30T10:47:51.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2023-10-30T10:47:51.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/9-reasons-why-companies-resist-implementing-dmarc/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security","wordCount":1249,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"9 Reasons Why Companies Resist Implementing DMARC","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"9 Reasons Why Companies Resist Implementing DMARC","item":"https://dmarcreport.com/blog/9-reasons-why-companies-resist-implementing-dmarc/"}]}
```