Executive summary: Red Sift's analysis of 99 domains belonging to New York's largest organizations shows that while the city leads on DMARC adoption with 72.7% at enforcement, 27 domains (27.3%) still lack full protection. In a city that serves as the global hub for finance, media, and commerce, even a minority of unprotected domains creates outsized risk for the supply chains and client networks that depend on them.
Key takeaways:
- 72 domains (72.7%) have reached DMARC enforcement (p=reject), the highest rate Red Sift has recorded across major US city analyses
- 15 domains (15.2%) sit at quarantine, with spoofed emails flagged but not blocked
- 12 domains (12.1%) have no effective DMARC protection, running p=none or no record at all
- BEC attacks surged 37% between May and June 2025, and the FBI reported $2.77 billion in BEC losses for 2024
What does the research reveal regarding email authentication?
New York's top organizations are ahead of the curve on DMARC. That's the good news. 72 out of 99 domains analyzed (72.7%) have reached p=reject, the policy level that actively blocks spoofed emails from reaching inboxes. For context, Red Sift's recent analysis of Boston's top organizations found just 50.5% at enforcement. New York's rate is significantly stronger.
But "ahead of the curve" doesn't mean "done."
27 domains belonging to New York's largest organizations still haven't reached enforcement. That's more than one in four. In a city where a single organization's email domain can touch thousands of clients, partners, vendors, and regulators daily, those 27 gaps carry weight.


Here's how the 27 unprotected domains break down. 15 are at p=quarantine, meaning spoofed emails get flagged and routed to spam but aren't outright rejected. An attacker's message might still reach someone who checks their junk folder or has a permissive spam filter. 11 domains are running p=none, which collects authentication data but takes zero action against fraudulent emails. And 1 domain has no DMARC record at all.
The organizations at quarantine are close. They've done the technical groundwork. Moving from quarantine to reject typically takes 6 to 8 weeks with the right tooling. For the 12 domains with no meaningful protection, the exposure is real and the fix is straightforward.
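The four policy states in this breakdown can be read straight from the TXT records published at `_dmarc.<domain>`. The sketch below is an added example, not Red Sift's tooling or methodology: it buckets records the same way, treats several conflicting DMARC records as no record, and runs on constructed `.example` data rather than domains from the study.

```python
from collections import Counter

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Bucket the TXT records published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "no-record"  # nothing published, or several conflicting records
    policy = records[0].get("p", "").lower()
    # Simplification: a record without a usable p= tag is counted as absent.
    return policy if policy in VALID_POLICIES else "no-record"

def at_enforcement(bucket):
    """Only p=reject blocks spoofed mail outright, which is how the page defines enforcement."""
    return bucket == "reject"

# Constructed sample data (reserved .example names, not domains from the study).
SAMPLE = {
    "bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "media.example": ["v=DMARC1; p=quarantine; pct=100"],
    "retail.example": ["v=DMARC1; p=none; rua=mailto:agg@retail.example"],
    "legacy.example": ["v=spf1 -all"],  # a TXT record exists, but it is not DMARC
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def tally(domains):
    """Count how many domains fall into each bucket."""
    return Counter(classify(records) for records in domains.values())

if __name__ == "__main__":
    for name, records in SAMPLE.items():
        bucket = classify(records)
        print(f"{name:16} {bucket:11} enforcement={at_enforcement(bucket)}")
    print(dict(tally(SAMPLE)))
```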
Why DMARC matters more in New York than anywhere else
New York isn't just any city. It's the financial capital of the world, home to the country's largest media companies, and the operational headquarters for global enterprises across every sector. That concentration of high-value targets makes DMARC protection here uniquely important.
The financial sector can't afford gaps
New York's banking, insurance, and investment firms process trillions in transactions that begin with, or are confirmed by, email. BEC attacks exploit exactly this. The FBI's IC3 reported $2.77 billion in BEC losses in 2024, with nearly $8.5 billion lost to BEC between 2022 and 2024 combined. Financial services firms are the most targeted, with median losses around $125,000 per incident. A single unprotected domain at a New York financial institution can become the entry point for an impersonation attack that ripples across its entire client base.
Mailbox providers now enforce authentication
Google, Yahoo, and Microsoft all require DMARC for bulk email senders. As of late 2025, Google issues permanent rejection errors (550 codes) for non-compliant messages. These three providers handle over 80% of global email. For New York organizations sending client updates, marketing campaigns, invoices, or compliance notices, a weak DMARC policy doesn't just create a security gap. It creates a deliverability gap. Emails that used to land in inboxes now bounce or hit spam.
Compliance mandates are tightening
PCI DSS 4.0.1 requires DMARC for organizations handling payment card data. NIS2 pushes similar requirements across the EU, relevant for any New York firm with European operations or clients. Cyber insurance underwriters are increasingly requiring DMARC enforcement as a condition of coverage, and some are excluding BEC payouts entirely for organizations that haven't met basic authentication standards.
The supply chain effect
New York organizations don't operate in isolation. They sit at the center of supply chains that span thousands of vendors, partners, and clients. When one organization's domain is spoofable, every business in its network is at risk. An attacker doesn't need to compromise your systems. They just need to send an email that looks like it came from you. For the 27 New York domains without enforcement, their exposure extends far beyond their own walls.
Why choose Red Sift OnDMARC
New York's top organizations run complex email environments. Multiple domains, dozens of third-party senders, global operations, and fast-moving M&A activity that constantly changes the email landscape. Red Sift OnDMARC is built for exactly this.
Speed to enforcement
Manual DMARC implementation averages around 32 weeks. Red Sift OnDMARC gets organizations to p=reject in 6 to 8 weeks. For the 15 New York domains currently at quarantine, the move to enforcement could be completed in a matter of weeks, not quarters.
Dynamic SPF for complex sender environments
New York enterprises typically use a long list of third-party email services: marketing platforms, CRMs, billing systems, HR tools, and more. Each one adds to the SPF record, and SPF has a hard limit of 10 DNS lookups. Red Sift's Dynamic SPF technology manages this constraint automatically, keeping authentication valid as your sending infrastructure evolves.
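To see how quickly third-party senders use up the 10-lookup budget, the sketch below counts the SPF terms that trigger DNS queries (`include`, `a`, `mx`, `ptr`, `exists` and `redirect`), following nested includes. It is an added example, not Red Sift code and not a description of how Dynamic SPF works; the zone is constructed, and the count is the worst case with every term evaluated.

```python
import re

SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached when evaluating domain's SPF."""
    if domain in path:
        raise ValueError(f"SPF include loop through {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0  # target has no SPF record; the caller already counted the lookup
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        mechanism = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if mechanism == "include":
            total += 1 + count_lookups(term.split(":", 1)[1], zone, path + (domain,))
        elif mechanism in LOOKUP_MECHANISMS:
            total += 1  # ip4, ip6 and all need no DNS query and cost nothing
    return total

def over_limit(domain, zone):
    """True when evaluation can exceed the limit and fail with a permanent error."""
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT

# Constructed zone: one sender domain plus four hypothetical vendors.
ZONE = {
    "corp.example": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example "
                    "include:_spf.billing.example include:_spf.hr.example "
                    "ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.mailer.example ~all",
    "_spf.billing.example": "v=spf1 exists:%{i}.bl.billing.example ~all",
    "_spf.hr.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

if __name__ == "__main__":
    used = count_lookups("corp.example", ZONE)
    print(f"corp.example uses {used} of {SPF_LOOKUP_LIMIT} lookups")
    print("over limit:", over_limit("corp.example", ZONE))
```

Four vendor includes look small in the top-level record, but the nested includes bring the total to 13, so receivers can return a permanent SPF error for mail from this domain.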
Visibility across every domain and sender
OnDMARC turns raw DMARC aggregate and forensic reports into a clear, actionable dashboard. Security teams can see every service sending on behalf of their domains, whether it's authorized, and whether it's passing authentication. For organizations managing dozens of domains and subdomains, this visibility is the difference between guessing and knowing.
Continuous protection after enforcement
Reaching p=reject isn't a one-time project. New sending services get added. Acquisitions bring new domains. Configurations drift over time. OnDMARC provides continuous monitoring so your enforcement posture holds, even as your email ecosystem changes.
New York's 72.7% enforcement rate shows what's possible. For the 27 organizations that haven't finished the job, the path is clear and the tools exist to get there fast.