People often wonder which organizations are using DMARC. Sometimes consumers want to know if the companies they entrust with their information are helping to protect them from email fraud. In other cases, employees want to know because it’s easier to justify implementing DMARC at their company if other, well-known companies are already using it.

The following list provides a manual sampling of notable organizations that have published a DMARC policy. It is a very small subset of all published DMARC records, and may not include every well known company that is currently using DMARC. These records are visible to any Internet user – several lookup tools you can use are listed here.

Organizations/domains that have moved from one category to another during 2016 are shown in italics.

Domains gathering reports (DMARC policy “p=none”)
  • Aflac (aflac.com)
  • Apple (apple.com)
  • Belgacom / Proximus (proximus.be)
  • Blue Shield of California (blueshieldca.com)
  • Cars.com
  • Cisco Systems (cisco.com)
  • Costco (costco.com)
  • Craigslist (craigslist.org, craigslist.com)
  • Dell Computers (dell.com)
  • Delta Airlines (delta.com)
  • Discover Financial (discover.com; see also following section)
  • eSurance (esurance.com)
  • Expedia (expedia.com)
  • Glaxo Smith Kline (gsk.com)
  • Go Daddy (godaddy.com)
  • H&M (hm.com)
  • HGTV (hgtv.com)
  • IRS (irs.gov)
  • Kaiser Permanente (kp.org, kaiserpermanente.org)
  • KievNet (kievnet.ua)
  • Kroger Supermarkets (kroger.com)
  • Rackspace (emailsrvr.com hosted email)
  • SalesForce (salesforce.com)
  • US House of Representatives (house.gov)
  • Vail Resorts (vailresorts.com)
  • Virgin Media (virginmedia.com)
  • Westfield Malls (westfield.com)
  • Whirlpool Appliances (whirlpool.com)
  • Wikipedia (wikipedia.org, wikipedia.com)
Domains requesting that messages which fail authentication be sent to the Spam or Junk folder (DMARC policy “p=quarantine”):
  • Amazon (amazon.com)  ²
  • Bank of America (baml.com, bankofamerica.com, ml.com) ¹
  • Discover Financial (discovercard.com; see also previous section)
  • Dropbox (dropbox.com)
  • Fidelity (fidelity.com)  ¹
  • Kickstarter (kickstarter.com)
  • Southwest Airlines (southwest.com)
  • Square (square.com)
  • Uber (uber.com)
  • VISA (visa.com)
  • Walmart (wal-mart.com, walmart.com)
  • WiX (wix.com)
Domains requesting that messages which fail authentication not be accepted at all (DMARC policy “p=reject”):
  • ADP (adp.com)
  • Aetna (aetna.com)
  • Air BnB (airbnb.com)
  • American Express (americanexpress.com, aexp.com)
  • American Greetings (americangreetings.com)  ¹ ²
  • Apple Music (applemusic.com)
  • Box (box.com)
  • British Airways (britishairways.com)
  • Chase Bank (chase.com, jpmchase.com)  ¹ ²
  • Citibank (citibank.com)
  • DHL (dhl.com)
  • Evernote (evernote.com)
  • Facebook (facebook.com)  ¹
  • FedEx (fedex.com)
  • The Gap (gap.com)
  • GroupOn (groupon.com)
  • Instagram (instagram.com)
  • LinkedIn (linkedin.com)  ¹ ²
  • Old Navy (oldnavy.com)
  • PayPal (paypal.com)  ¹ ² ³
  • Pinterest (pinterest.com)
  • Publishers Clearinghouse (pch.com)
  • Rolling Stone (mail.rollingstone.com)
  • Squarespace (squarespace.com)
  • Twitter (twitter.com)
  • United Parcel Service (ups.com)
  • US Federal Trade Commission (ftc.gov)
  • US Senate (senate.gov)
  • US Postal Service (usps.gov)
  • USAA (usaa.com)
  • Wachovia Bank (wachovia.com)
  • Wells Fargo (wellsfargo.com)
  • WhatsApp (whatsapp.com)

 

Notes:
¹  Organizations involved in creating the DMARC standard
²  Organizations participating in DMARC.org
³  Organizations providing financial support to DMARC.org