Domains listed here lack proper enforcement (no DMARC policy or set to p=none). While p=none can be used temporarily for monitoring, it should not be a permanent configuration.

Even domains that do not send email should implement DMARC with a policy of p=reject and be properly parked. For example, use v=spf1 -all to ensure no IP address is authorized to send email. Follow official guidance: Protecting parked domains (NCSC) .

Note: Companies or entities listed here may have valid DMARC policies on other domains.

Additional note: If your organization uses Microsoft Entra / Microsoft 365, you should also configure DMARC for your .onmicrosoft.com domain. Learn more: DKIM & DMARC for onmicrosoft.com domains . This list does not include .onmicrosoft.com domains.

Contribute to this project: DMARC Wall of Shame (GitHub)