Only 44% of the Mid-Atlantic's top organizations block spoofed email

Red Sift analyzed 700 domains belonging to the largest organizations across seven Mid-Atlantic states and the District of Columbia, and found that only 309 (44%) have reached full DMARC enforcement. The Mid-Atlantic is home to the federal government, the nation's second-largest banking center, major defense and intelligence operations, and some of the country's most prominent healthcare systems. Despite that concentration of high-value targets, more than half of the region's top organizations aren't blocking spoofed email. That's a stronger result than the U.S. Northeast (40%), but it's still not where the region should be given its risk profile.

• Only 309 of 700 domains (44%) across seven Mid-Atlantic states have reached DMARC enforcement (p=reject)
• 191 domains (27.3%) run p=none policies that monitor but take no action against spoofed emails
• 136 domains (19.4%) sit at p=quarantine, close to full protection but not finishing the move to reject
• 64 domains (9.1%) have no DMARC record published at all
• Washington D.C. leads the region at 57% enforcement. Maryland trails at 30%

Red Sift analyzed 100 domains from the top organizations in each of seven Mid-Atlantic states and the District of Columbia: Delaware, the District of Columbia, Maryland, North Carolina, Pennsylvania, Virginia, and West Virginia. The results show a region that performs better than the U.S. Northeast but still leaves the majority of its top organizations without full email authentication.

Across all 700 domains, 44% have reached p=reject, the DMARC policy level that actively blocks spoofed emails. That puts the Mid-Atlantic ahead of the Northeast (40%) but well behind New York (73%) in Red Sift's ongoing cross-region comparison.

• Washington D.C (57% at enforcement): D.C. leads the Mid-Atlantic with 57 domains at p=reject. As the seat of the federal government, D.C. has the clearest mandate for email authentication. Federal agencies, lobbying firms, think tanks, trade associations, and nonprofits all operate here, sending email to Congress, regulatory bodies, international organizations, and media outlets daily. 21 domains still run p=none and 20 sit at p=quarantine. Only 2 have no DMARC record, the joint-lowest N/A rate in the study.
• North Carolina (55% at enforcement): North Carolina comes in a close second with 55 domains at p=reject. Charlotte is the country's second-largest banking center. The Research Triangle is a major tech and biotech hub. And the state's healthcare systems are among the largest in the Southeast. That 55% is a strong showing, but 21 domains still run p=none and 20 sit at p=quarantine. Only 4 domains lack a DMARC record entirely.
• Pennsylvania (48% at enforcement): Pennsylvania has 48 domains blocking spoofed email outright, but 27 run p=none and 23 sit at p=quarantine. Only 2 domains have no DMARC record. The state is home to major health systems in Philadelphia and Pittsburgh, a significant financial services presence, energy companies, and several of the country's largest universities. The 23 domains at quarantine represent low-hanging fruit. They've done the DNS work. Moving to reject is a short project, not a new one.
• Virginia (45% at enforcement): Virginia has 45 domains at p=reject. But the gap is weighted toward p=none: 37 domains are monitoring without taking action, one of the highest none counts in the study. Only 16 sit at quarantine and just 2 have no record. Northern Virginia is home to one of the densest clusters of defense contractors and intelligence community operations in the country. AWS's largest data center region runs out of the state. Those 37 domains at p=none are collecting DMARC reports but not acting on them.
• Delaware (40% at enforcement): 40 of Delaware's top 100 domains have reached p=reject, but the state has the second-highest N/A rate in the study at 23. More than a fifth of its top organizations haven't published a DMARC record at all. Delaware is the incorporation state for over 60% of Fortune 500 companies and has a significant financial services and insurance sector. 19 domains run p=none and 18 sit at p=quarantine. The high N/A rate is the standout concern here.
• West Virginia (34% at enforcement): West Virginia has 34 domains at p=reject and the highest N/A rate in the study: 24 domains have no DMARC record at all. 25 run p=none and 17 sit at p=quarantine. The state's energy sector, regional healthcare systems, and state government entities are all operating with limited email authentication. The high N/A rate suggests many organizations haven't started the process at all.
• Maryland (30% at enforcement): Maryland sits at the bottom with 30 domains at p=reject and the highest p=none count in the study at 41. That means 41% of Maryland's top organizations have published a DMARC record that does nothing to stop fraud. 22 sit at p=quarantine and 7 have no record. Maryland is home to Fort Meade, NSA, U.S. Cyber Command, Johns Hopkins, the NIH, and a major biotech corridor. The gap between the state's cybersecurity significance and its email authentication posture is hard to explain.

The 136 organizations sitting at p=quarantine are close. They've done the DNS work, identified their senders, and configured SPF and DKIM. Moving from quarantine to reject typically takes 6 to 8 weeks. That's 136 domains where a short project finishes a job that's mostly complete.

The Mid-Atlantic runs on industries where a spoofed email isn't just a nuisance. It's a national security risk, a compliance violation, or a multimillion-dollar wire fraud.

D.C., Virginia, and Maryland form the core of the country's federal and defense infrastructure. The Pentagon, NSA, U.S. Cyber Command, the intelligence community, and thousands of defense contractors all operate within this corridor. Spoofed emails targeting government agencies or defense supply chains can compromise classified programs, redirect procurement, or create entry points for state-sponsored actors. D.C.'s 57% enforcement rate leads the region, but Maryland's 30% and Virginia's 45% leave significant gaps in the same corridor. DMARC enforcement stops the impersonation before it reaches the inbox.

North Carolina's banking sector manages trillions in assets. Wire transfer instructions, account verifications, and regulatory filings all travel by email. The FBI's IC3 reported $2.77 billion in BEC losses in 2024, and nearly $8.5 billion lost between 2022 and 2024 combined. A spoofed email from a bank to a corporate treasury team can move seven-figure sums before anyone notices. DMARC enforcement is the first line of defense against that kind of fraud.

Pennsylvania and Maryland are home to some of the country's largest hospital networks, research institutions, and biotech companies. Johns Hopkins, Penn Medicine, UPMC, and the NIH all operate here. Patient data, clinical trial coordination, insurance claims, and referral networks all travel by email. A spoofed hospital domain can compromise protected health information, trigger HIPAA investigations, and erode patient trust. West Virginia's regional healthcare systems face the same exposure with smaller security teams to manage it.

Google and Yahoo began requiring DMARC for bulk senders in February 2024. Microsoft followed in May 2025. As of late 2025, Google now issues permanent rejection errors for non-compliant messages. For Mid-Atlantic organizations sending wire transfer confirmations, patient communications, government correspondence, or procurement updates, a missing or weak DMARC policy means those messages may never arrive.

PCI DSS 4.0.1 mandates DMARC for organizations handling payment card data. NIS2 applies to any Mid-Atlantic firm with EU operations or clients. Cyber insurers are tightening requirements, with some excluding BEC payouts for organizations that lack basic email authentication. For the region's defense contractors, these requirements overlap with CMMC and NIST frameworks that already recommend DMARC as a baseline control. Delaware's concentration of incorporated entities means compliance failures can ripple across parent companies nationwide.

Mid-Atlantic organizations face a unique mix of pressure: federal compliance mandates, defense supply chain requirements, financial regulation, and healthcare privacy standards. Red Sift OnDMARC is built for that complexity.

• Enforcement in 6 to 8 weeks: Manual DMARC projects average around 32 weeks. OnDMARC cuts that to 6 to 8 weeks by automating source identification, SPF and DKIM configuration, and enforcement readiness checks. For the 136 Mid-Atlantic organizations sitting at p=quarantine, the final step to reject could be measured in weeks, not months.
• Dynamic SPF for complex sender lists: Mid-Atlantic organizations tend to have long lists of authorized email senders: government communication platforms, patient portals, defense contractor systems, financial compliance tools, CRM platforms, and more. SPF records have a hard limit of 10 DNS lookups, and complex organizations blow past that quickly. Red Sift's Dynamic SPF manages this automatically, keeping authentication valid without manual record management.
• Clear reporting across every domain: OnDMARC converts raw DMARC aggregate and forensic reports into a dashboard that shows every service sending email on behalf of your domains. Security and compliance teams get immediate visibility into what's authorized, what's failing authentication, and what needs fixing. No XML parsing. No guesswork.
• Continuous monitoring for regulated industries: Healthcare, financial services, defense, and government organizations all face ongoing audit and compliance requirements. OnDMARC provides continuous monitoring and alerting, so enforcement holds even as new senders are added, domains change hands, or infrastructure evolves through mergers and acquisitions.

44% enforcement across the Mid-Atlantic is a stronger starting point than the Northeast (40%), but it's not where the region should be. D.C.'s 57% and North Carolina's 55% show the path works. Maryland's 30% shows how far some states still need to go. For the 391 organizations that haven't reached full enforcement, Red Sift OnDMARC can close the gap between the region's risk exposure and its current email security posture.