Email is the most trusted communication channel for most organizations, and it’s also the most abused. Attackers aren't just exploiting email anymore, either. They're registering lookalike domains, hijacking forgotten subdomains, setting up fake executive profiles on LinkedIn, and using all three together to run attacks that bypass technical controls entirely.
In our latest webinar, Red Sift's Natalie Hays and Billy McKenna broke down what a real defense looks like in 2026, from getting to DMARC enforcement to protecting your brand across every channel attackers are actually using.
Key takeaways
- 93% of the world’s domains are still open to spoofing because they don’t have DMARC set to quarantine or reject
- Just 1% of US financial services and insurance organizations studied are using all available email authentication protocols
- DMARC enforcement blocks exact domain spoofing, but attackers have adapted. Lookalike domains, DNS takeovers, and social media impersonation require a broader defense
- A practical defense model moves in stages: get visibility first, configure sending sources, enforce, then extend to lookalike and social monitoring
Email is the number one attack vector for a reason
One in four emails sent in 2025 was malicious or spammy, and it’s easy to see why. People check their email inbox constantly and tend to trust the information found there reflexively.
When a domain is unprotected, attackers can craft something that looks completely legitimate. Not a suspicious Yahoo address or obvious misspelling. Something that passes a quick scan from someone who’s received your real emails before. Add in the fact that AI tools have dramatically lowered the cost and effort required to produce convincing phishing content, and the volume and quality of attacks are both going up.
Adoption is up, but enforcement isn't
Look, we know mandates work. When Google, Yahoo, and Microsoft implemented their authentication requirements, it drove real progress in DMARC adoption from just 8 million domains reporting to roughly 15 million in 18 months.
But having a DMARC record and having a DMARC policy that actually does something are different things. 93% of domains globally are still open to exploitation because they’re not at p=quarantine or p=reject. A record set to p=none gives you reporting visibility, but does nothing to stop an attacker from spoofing your domain.
The financial sector is a useful lens here. In a study of 1,385 US financial services and insurance organizations, only 1% use all available authentication protocols. Nearly 500 have reached p=reject and consider the job done. It isn’t. Another 549 are at p=quarantine, which only partially protects them. And around 28% have broken SPF or other foundational misconfigurations that make spoofing straightforward.
These are banks, insurers, and payment processors. As Billy put it: “If they’re not taking email security seriously, are they taking the rest of their security seriously? It really is an indicator.”
Why DMARC alone isn’t enough
Enforcement protects you from exact domain spoofing, but attackers aren’t stopping there.
DNS weaknesses and subdomain takeovers. In early 2024, SubdoMailing showed just how easy it is to exploit stale DNS configurations. Attackers found expired domains that still appeared in organizations’ SPF records, registered those domains, and used them to send email that technically passed DMARC checks.
Lookalike domains. DMARC can’t stop someone from registering a misspelled domain and building a convincing phishing portal. 59% of phishing attacks use lookalike domains. The variants range from your exact brand name under a different TLD, to your brand name embedded in a subdomain, to typosquats that most people skim over.
Social media impersonation. Based on an analysis of the top 10,000 websites, nearly 3,000 brands had more than 1.3 million social media accounts using their names across X, Instagram, Telegram, and YouTube. Of those, nearly 9,500 accounts were actively impersonating 1,700 brands using their official logos.
These three vectors are often used together: a fake executive LinkedIn profile builds credibility, an urgent message points to a lookalike domain, and the target submits credentials. That’s all it takes for the attacker to get account access and begin executing business email compromise.
Building your defense model
Natalie walked through a practical progression for teams at different starting points.
Start with visibility. Set DMARC to p=none and get a complete picture of everything sending on your behalf. Marketing platforms, HR systems, finance tools, third-party services. This step doesn’t affect mail flow.
Configure your sending sources. Make sure SPF and DKIM are correct across all of them before moving to enforcement. Skipping this step is why implementations break things.
Move to enforcement. Once sending sources are set up, push to p=quarantine, and then to p=reject. Once done, you’ll start blocking spoofed email.
Extend beyond email. This means continuous DNS monitoring to catch stale records before attackers do, proactive lookalike domain detection, and social media monitoring for fake brand and executive profiles.
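As an added example (not from the webinar or Red Sift's tooling), a small Python checker that applies the first three stages to a domain's DMARC and SPF records, using constructed TXT records in place of live DNS lookups: it separates p=none (visibility only) from enforcement, flags the broken-SPF shapes that make spoofing straightforward, and lists include: targets so stale entries of the SubdoMailing kind can be reviewed. Domain names and records are constructed, not real.

```python
# Constructed sample TXT records keyed by the DNS name that would be queried (no real lookups).
SAMPLE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.com": ["v=spf1 include:_spf.mail-provider.example include:old-vendor.example ~all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; sp=none"],
    "bank.example": ["v=spf1 ip4:203.0.113.0/24 +all", "v=spf1 -all"],
}
def parse_dmarc(records):
    """Return DMARC tags as a dict, or None unless exactly one DMARC record exists."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags
def dmarc_findings(tags):
    """Map the policy to the stages above: p=none is visibility only, p=reject is enforcement."""
    if tags is None:
        return ["no DMARC record: domain is open to exact spoofing"]
    findings = []
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("p=none: reporting only, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: partial protection, spoofed mail lands in spam")
    if p == "reject" and tags.get("sp", "reject").lower() != "reject":  # sp defaults to p
        findings.append(f"sp={tags['sp']}: subdomains weaker than the organizational domain")
    return findings
def spf_findings(records):
    """Flag structural SPF defects and list include: targets to review for expired domains."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records found (must be exactly one)"], []
    terms = spf[0].split()[1:]
    findings = []
    alls = [t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif alls[-1] in ("+all", "all", "?all"):
        findings.append(f"{alls[-1]}: anyone can pass SPF for this domain")
    includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
    return findings, includes
def assess(domain, txt=SAMPLE_TXT):
    """Combine DMARC and SPF findings for one domain using the supplied TXT records."""
    dmarc = dmarc_findings(parse_dmarc(txt.get("_dmarc." + domain, [])))
    spf, includes = spf_findings(txt.get(domain, []))
    return {"dmarc": dmarc, "spf": spf, "includes": includes}
```

To run it against real domains, replace SAMPLE_TXT with the TXT answers from your resolver; the include: list is the set of third-party domains whose registration you need to keep checking.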
Take the first step
If you want to see where your domain stands right now, run a free scan through Red Sift Investigate. It takes two minutes and shows you what's configured, what's missing, and where the gaps are.
Ready to go deeper?
Natalie Hays is Senior Product Marketing Manager at Red Sift, where she drives go-to-market strategy and product positioning across the company's entire product portfolio.