What is DMARC enforcement and why does it matter?

DMARC enforcement means setting your policy to quarantine or reject, which tells receiving mail servers to block or spam-folder emails that fail authentication. Without enforcement (policy=none or no DMARC), anyone can send email pretending to be from your domain.

How were YC W26 companies graded on email security?

Each company was graded based on their email auth triad: SPF, DKIM, and DMARC. Grade A requires all three present with DMARC enforcing. Grade B means all three present but DMARC not enforcing. C is missing one record, D is missing two, and F is missing all three or has critical failures.

How do I check my own domain's email security grade?

Run npx mail-audit yourdomain.com in your terminal. It's free and open source, checking SPF, DKIM, DMARC, MX records, blacklists, and more. You'll get a letter grade and specific recommendations.

We Graded 200 YC W26 Companies on Email Security

23%

Got an A

Full auth triad enforcing

70%

No DMARC enforcement

Domain can be spoofed

51%

Missing records

Graded C, D, or F

12%

Zero auth

No SPF, DKIM, or DMARC

How we graded

No curve. No bonus points. Either you have SPF, DKIM, and DMARC configured and enforcing, or you don't.

Grade	What it means
A	SPF + DKIM + DMARC enforcing (quarantine or reject)
B	All three records present, but DMARC not enforcing (policy=none)
C	Missing one of the three core records
D	Missing two of the three core records
F	Missing all three, or critical failure like SPF +all

The results

200 domains scanned. 6 days after Demo Day. These companies are actively emailing investors, customers, and partners.

45 companies (23%)SPF + DKIM + DMARC enforcing

54 companies (27%)All present, not enforcing

38 companies (19%)Missing one record

40 companies (20%)Missing two records

23 companies (12%)No auth or critical failure

89% use Google Workspace

Google makes DKIM and DMARC setup easy. A few clicks in the Admin console, two DNS records, done.

Most just never turned it on.

DMARC policy breakdown

DMARC tells receiving servers what to do with emails that fail authentication. Without it, or with policy=none, spoofed emails get delivered like normal.

Policy	Count	%
No DMARC record	75	38%
p=none (monitor only)	64	32%
p=quarantine	45	23%
p=reject (full enforcement)	16	8%

Your DMARC Policy is Useless

Why policy=none provides zero protection, and how to get to reject.

So what?

Without DMARC enforcement, a spoofed email from your domain won't get blocked by the receiving server. It might still land in spam depending on the provider's own heuristics, but there's no policy telling it to reject. That's the gap.

The less obvious cost is to your own deliverability. Google and Yahoo now factor DMARC, DKIM, and SPF into inbox placement decisions. A domain with no enforcement doesn't just fail to block spoofing. It also makes your real emails look less trustworthy.

Check your grade

Free and open source. Same grading system used in this audit.

Methodology

Tool: npx mail-audit (open source, public DNS queries only)

Source: YC W26 batch via ycombinator.com and extruct.ai (200 domains)

Date: March 30, 2026 (6 days after Demo Day)

Grading: Auth triad-based. A = all 3 + DMARC enforcing. B = all 3 present. C = missing 1. D = missing 2. F = missing all.

Flags: --quick --skip-blacklists --skip-tls for batch speed. Full audits check additional signals.

Valid results: 200/200 (100%)