Aotearoa New Zealand government mandates around DMARC are forcing agencies to act, but the struggle to enforce reject is hardly limited to the public sector. In my own work with medium and large enterprises, I have seen the same hesitation: once enforcement disrupts mail flow with partners or vendors, it is quickly rolled back. Proofpoint’s figure that only 25% of organisations enforce reject mirrors what I’ve observed in the field. The technology is straightforward, but the organisational tolerance for disruption is not.