Red Sift analyzed 600 domains belonging to the largest organizations across six Southeast states, and found that only 236 (39%) have reached full DMARC enforcement. This is the seventh and final installment in Red Sift's regional analysis of U.S. DMARC adoption, and the Southeast lands squarely in the middle of the pack. The region is the country's manufacturing and logistics engine, home to the busiest airport in the world, the largest cargo hub in the Western Hemisphere, a cluster of automotive plants, and the payment networks that process much of the nation's card spending. Despite that, 61% of the region's top organizations aren't blocking spoofed email. Similar research on other regions by Red Sift includes the Northeast (35%), Mid-Atlantic (44%), Southwest (40%), Heartland (36%), North Central (41%), and Northwest (31%) states.
Key takeaways
- Only 236 of 600 domains (39%) across six Southeast states have reached DMARC enforcement (p=reject), placing the region mid-pack among the seven Red Sift has studied
- 157 domains (26.2%) run p=none policies that monitor but take no action against spoofed emails
- 145 domains (24.2%) sit at p=quarantine, close to full protection but not finishing the move to reject
- 62 domains (10.3%) have no DMARC record published at all
- Georgia and Tennessee co-lead at 45% enforcement. Mississippi and South Carolina trail at 35%. Florida holds the highest quarantine count in the study at 32
What does the research reveal about email authentication in the Southeast U.S.?
Red Sift analyzed 100 domains from the top organizations in each of six Southeast states: Alabama, Florida, Georgia, Mississippi, South Carolina, and Tennessee. At 39% enforcement, the region sits ahead of the Northeast (35%), Heartland (36%), and Northwest (31%), and behind the Mid-Atlantic (44%), North Central (41%), and Southwest (40%). It is the picture of an average American region: most organizations have started, few have finished.
The headline number hides a familiar problem. While 39% have reached p=reject, another 50% of the region's domains are split between p=none and p=quarantine, published but not protecting. These are organizations that have done the setup work and stopped before the policy that actually blocks spoofed mail. Only 10.3% have no DMARC record at all, the second-lowest no-record rate in the series, which tells us the Southeast's issue is not awareness. It is follow-through.
The spread between states is narrow. Georgia and Tennessee top the region at 45%, Florida sits at 40%, and Alabama, Mississippi, and South Carolina cluster between 35% and 36%. No state is failing outright, and none has pulled clear of the pack.
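The four buckets used throughout this analysis (reject, quarantine, none, no record) can be reproduced from a domain's `_dmarc` TXT answers. The Python sketch below is an added example, not Red Sift's code or stated methodology. The edge-case handling follows RFC 7489, the caveat flags are an assumption about what a reviewer would want noted, and the sample records are constructed.

```python
from collections import Counter
import re

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: a DMARC record must start with the v=DMARC1 tag.
    if not parts or not re.fullmatch(r"[vV]\s*=\s*DMARC1", parts[0]):
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT answers for _dmarc.<domain> to (bucket, caveats)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:  # none found, or several (receivers then apply none)
        return "no record", []
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 6.6.3: a bad p= is treated as p=none only when rua is present.
        return ("none", ["p= missing or invalid"]) if "rua" in tags else ("no record", [])
    caveats = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        caveats.append(f"pct={pct}: policy covers only part of failing mail")
    sp = tags.get("sp", policy).lower()
    if policy == "reject" and sp != "reject":
        caveats.append(f"sp={sp}: subdomains get a weaker policy")
    if "rua" not in tags:
        caveats.append("no rua: no aggregate reports requested")
    return policy, caveats

# Constructed sample answers (example domains, not data from the study).
SAMPLES = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=none"],
    "d.example": ["v=spf1 -all"],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "f.example": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@f.example"],
}

def tally(samples):
    """Count domains per bucket, as in the regional comparison table."""
    return Counter(classify(txt)[0] for txt in samples.values())
```

A domain can land in the reject bucket and still carry a caveat, as `f.example` does with `sp=none`, so the bucket alone does not show whether subdomains are covered.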
State-by-state breakdown
- Georgia (45% at enforcement): Georgia co-leads the region with 45 domains at p=reject and the lowest no-record rate in the study at 7. Atlanta anchors one of the strongest corporate economies in the South, home to Coca-Cola, Delta Air Lines, The Home Depot, UPS, and Southern Company, alongside the world's busiest airport and the fast-growing Port of Savannah. Georgia also processes a large share of the country's electronic payments through the cluster of fintech firms known as Transaction Alley. 28 domains run p=none, 20 sit at p=quarantine, and only 7 have no record. For a state that handles a major portion of U.S. card transactions, strong authentication is table stakes, and Georgia leads by example, though 55% of its top organizations still haven't reached enforcement.
- Tennessee (45% at enforcement): Tennessee ties Georgia at the top with 45 domains at p=reject. The state hosts FedEx's global hub in Memphis, one of the largest cargo operations in the world, Nashville's healthcare headquarters cluster led by HCA Healthcare, a growing automotive manufacturing base spanning Nissan, Volkswagen, and GM, and Oak Ridge National Laboratory, a flagship Department of Energy research site. 26 domains run p=none, 20 sit at p=quarantine, and 9 have no record. A logistics and healthcare hub of this scale moving the remaining 55% to enforcement would meaningfully harden the region.
- Florida (40% at enforcement): Florida has 40 domains at p=reject and the highest quarantine count in the study at 32. Its economy spans tourism, banking and finance, real estate, healthcare, agriculture, and a booming commercial space sector around Kennedy Space Center and Cape Canaveral, and it hosts U.S. Central Command and Special Operations Command at MacDill Air Force Base. 19 domains run p=none, 32 sit at p=quarantine, and 9 have no record. Those 32 quarantine domains are the story of the state. If Florida moved them to reject, its enforcement rate would jump from 40% to 72%, the highest of any state in the series outside New York.
- Alabama (36% at enforcement): Alabama has 36 domains at p=reject. Huntsville has become one of the country's densest aerospace and defense clusters, home to NASA's Marshall Space Flight Center, Redstone Arsenal, and a major FBI campus, while the state's automotive plants for Mercedes-Benz, Honda, Hyundai, and Toyota and the Port of Mobile drive manufacturing and trade. 29 domains run p=none, 26 sit at p=quarantine, and 9 have no record. The 26 quarantine domains are within reach of enforcement.
- Mississippi (35% at enforcement): Mississippi has 35 domains at p=reject and the highest no-record rate in the study at 17. The state's economy runs on agriculture, manufacturing, energy, and shipbuilding, with Ingalls Shipbuilding in Pascagoula building warships for the U.S. Navy. 26 domains run p=none, 22 sit at p=quarantine, and 17 have no record. For a state with a major naval shipbuilding presence, 17% of its top organizations carrying no DMARC record at all is the clearest gap in the region.
- South Carolina (35% at enforcement): South Carolina has 35 domains at p=reject. The state has become a manufacturing magnet, home to BMW's largest plant in the world in Spartanburg, Boeing's 787 line in North Charleston, and Volvo, alongside the Port of Charleston and a heavy military presence at Joint Base Charleston, Fort Jackson, and Parris Island. 29 domains run p=none, 25 sit at p=quarantine, and 11 have no record. With 54 domains parked at none or quarantine, the path to a higher enforcement rate is short.


Regional comparison
| State | Reject | Quarantine | None | No record |
| --- | --- | --- | --- | --- |
| Georgia | 45% | 20% | 28% | 7% |
| Tennessee | 45% | 20% | 26% | 9% |
| Florida | 40% | 32% | 19% | 9% |
| Alabama | 36% | 26% | 29% | 9% |
| Mississippi | 35% | 22% | 26% | 17% |
| South Carolina | 35% | 25% | 29% | 11% |
| Regional total | 236 (39.3%) | 145 (24.2%) | 157 (26.2%) | 62 (10.3%) |
| Northeast* | 35% | 22.6% | 30.9% | 11.6% |
| Mid-Atlantic* | 44% | 19.4% | 27.3% | 9.1% |
| Southwest* | 40% | 22.8% | 27.6% | 9.4% |
| Heartland* | 36% | 22.4% | 31.9% | 9.2% |
| North Central* | 41.2% | 21% | 28.3% | 9.5% |
| Northwest* | 31.3% | 22.7% | 30.3% | 15.7% |
| New York* | 73% | 15% | 12% | 1% |
*From Red Sift's previous regional analyses. Sample sizes and methodology consistent across studies.
What the quarantine numbers tell us
The 145 organizations sitting at p=quarantine are close. They've done the DNS work, identified their senders, and configured SPF and DKIM. Moving from quarantine to reject typically takes 6 to 8 weeks. That's 145 domains where a short project finishes a job that's mostly complete.
Florida stands out with 32 quarantine domains, the highest single-state count in the study. Alabama follows with 26 and South Carolina with 25. If Florida alone moved its quarantine domains to reject, the state would leap to 72% enforcement and pull the regional average up with it. The infrastructure is in place across the region. The final policy change is what's missing.
Why DMARC is essential for the Southeast in 2026
The Southeast is where America builds, ships, and moves money. A spoofed email in this region can divert a supplier payment, reroute freight, inject fraud into a payments network, or target a defense installation. The concentration of manufacturing, logistics, and financial infrastructure makes the stakes unusually high.
Manufacturing and automotive supply chains run on email
The Southern Auto Corridor runs straight through this region. Mercedes-Benz, Honda, Hyundai, and Toyota in Alabama, Nissan, Volkswagen, and GM in Tennessee, and BMW and Volvo in South Carolina anchor a dense web of suppliers operating on just-in-time schedules. A single plant draws on hundreds of vendors, and purchase orders, shipping schedules, and payment instructions all move by email. A spoofed domain impersonating a manufacturer or a tier-one supplier can redirect a large payment or disrupt a production line before anyone notices. With the majority of the region's domains still short of enforcement, that supply chain is exposed at exactly the points where it is most automated.
Logistics and ports concentrate high-value targets
The Southeast is the logistics backbone of the country. FedEx runs its global super hub from Memphis, UPS is headquartered in Atlanta, and the ports of Savannah, Charleston, Mobile, Jacksonville, and Miami handle a vast share of U.S. trade. Freight booking, customs documentation, and carrier invoicing are email-driven processes involving large sums and tight timelines. The FBI's IC3 logged $3.04 billion in business email compromise (BEC) losses in 2025, with 86% of those funds moving via wire transfer or ACH. A spoofed shipping or invoice email aimed at a freight forwarder or port operator can redirect payment in minutes.
Fintech and payments make Georgia a prime target
Georgia's Transaction Alley processes a large portion of the nation's card payments through firms like Global Payments and Fiserv. Payments infrastructure is among the most attractive targets for impersonation, because a convincing spoofed email can sit directly in the path of money movement. Georgia's 45% enforcement rate leads the region, but a payments hub of this importance should be aiming far higher, and the 55% of top organizations not yet at reject represent real exposure in a sector where trust is the product.
Aerospace, defense, and federal installations raise the stakes
The Southeast carries serious national security weight. Alabama's Huntsville hosts NASA's Marshall Space Flight Center and Redstone Arsenal, Florida holds Kennedy Space Center and U.S. Central and Special Operations Commands at MacDill, Mississippi's Ingalls Shipbuilding builds Navy warships, and South Carolina hosts Boeing's 787 line and multiple military bases. Defense contractors, research partners, and federal agencies across these states send email tied to procurement, logistics, and sensitive programs. A spoofed domain targeting this supply chain is not just a phishing attempt; it is a national security risk, which makes the region's mid-pack enforcement rate harder to accept.
Mailbox providers are now rejecting unauthenticated email
Google and Yahoo began requiring DMARC for bulk senders in February 2024. Microsoft followed in May 2025 with its own enforcement for high-volume senders to Outlook, Hotmail, and Live.com addresses. Non-compliant messages are now rejected outright. For Southeast organizations sending manufacturing invoices, freight confirmations, payment instructions, or customer correspondence, a missing or weak DMARC policy means those messages may never arrive. The 62 domains with no DMARC record at all are the most exposed, but the 302 at none or quarantine are also at risk as enforcement tightens across every major mailbox provider.
Compliance pressure reaches every Southeast industry
PCI DSS 4.0.1 mandates DMARC for organizations handling payment card data, which hits the region's large retail, banking, and payments sectors directly. NIS2 applies to any Southeast firm with EU operations or clients. Cyber insurers are tightening requirements, with some excluding BEC payouts for organizations that lack basic email authentication. For defense contractors across Alabama, Florida, Mississippi, and South Carolina, CMMC and NIST frameworks already recommend DMARC as a baseline control. The region's mid-pack enforcement rate is not a sign that these pressures don't apply. It's a sign that many organizations haven't acted on them yet.
The series so far: what seven U.S. regions reveal
With the Southeast complete, Red Sift has now measured DMARC enforcement across seven U.S. regions. The pattern is remarkably consistent. Regional enforcement ranges from a low of 31% in the Northwest to a high of 44% in the Mid-Atlantic, and not one region has crossed a majority. The Southeast's 39% sits in the middle of that band. The only place a clear majority appears is at the city level, where New York's top organizations reach 73%, a reminder that dense, highly regulated commercial centers move faster than the country as a whole.
Three findings hold across every region studied:
- Most organizations have started. Published DMARC records are the norm almost everywhere. The no-record rate only climbed meaningfully above 12% in the sparse interior states of the Northwest. Awareness is not the problem.
- The gap is the last mile. In every region, a large block of organizations sits at p=none or p=quarantine, monitoring spoofing without blocking it. They have done most of the work and stopped just short of protection.
- Enforcement tracks commercial density. Regions and cities with heavy finance, payments, and regulated industry lead. Resource-heavy and rural areas lag.
The conclusion after seven studies is blunt. Across the United States, most top organizations still are not blocking spoofed email, regardless of region. The work that remains is rarely about starting from scratch. It is about finishing.
Protect your domain with Red Sift OnDMARC
The Southeast makes the same point the whole series has been building toward: starting DMARC is easy, finishing it is where organizations stall. Red Sift OnDMARC exists to get domains across that final line and keep them there, which carries real weight in a region whose factories, freight networks, payment rails, and defense programs all run through the inbox.
- Get to reject faster: The slow part of a DMARC rollout is rarely flipping the final policy; it's identifying every legitimate sender first. OnDMARC automates that discovery and setup, turning a project that routinely runs past seven months into a few weeks of work. For the 145 Southeast domains stuck at quarantine, that is the difference between finishing this quarter and finishing next year.
- Tame sprawling sender lists: A single manufacturer or logistics operator may authorize dozens of services, from plant ERP systems to freight platforms to payment processors, and ordinary SPF breaks the moment it passes ten DNS lookups. Dynamic SPF keeps those records valid automatically, so authentication doesn't quietly fail every time a new tool joins the stack.
- Turn reports into decisions: DMARC data lands as dense XML that few teams have the hours to read. OnDMARC renders it as a live picture of every service sending as your domain, closing the gap between having reports and knowing what to fix.
- Keep protection in place: In sectors facing constant audits and frequent acquisitions, enforcement is not a one-and-done task. OnDMARC watches continuously and surfaces changes as they happen, so a domain that reaches reject holds there through new vendors, restructures, and the mergers common across the region's automotive and logistics base.
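The ten-lookup SPF limit named in the sender-list item above comes from RFC 7208 section 4.6.4, and nested includes count toward it. The Python sketch below is an added example, not Red Sift's code: it counts the DNS-querying terms reachable from one record using a constructed in-memory zone in place of live DNS, and it does not model the separate per-`mx` and void-lookup limits.

```python
import re

LIMIT = 10  # RFC 7208 4.6.4: max DNS-querying terms per SPF evaluation

# Constructed SPF records keyed by domain (example names only).
ZONE = {
    "corp.example": "v=spf1 mx include:erp.example include:freight.example "
                    "include:pay.example ~all",
    "erp.example": "v=spf1 a mx include:mail.erp.example -all",
    "mail.erp.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.bl.example -all",
    "freight.example": "v=spf1 include:a.freight.example "
                       "include:b.freight.example -all",
    "a.freight.example": "v=spf1 a a:relay.freight.example -all",
    "b.freight.example": "v=spf1 mx ptr -all",
    "pay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Terms that cost a lookup; "all", "ip4" and "ip6" do not.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        total += 1
        kind = m.group(1).lower()
        if kind in ("include", "redirect"):
            target = term.partition(":" if kind == "include" else "=")[2]
            if target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def breakdown(domain, zone):
    """Lookup cost of each top-level include, counting the include itself."""
    costs = {}
    for term in zone[domain].split()[1:]:
        m = TERM.match(term)
        if m and m.group(1).lower() == "include":
            target = term.partition(":")[2]
            costs[target] = 1 + count_lookups(target, zone, (domain,))
    return costs

def exceeds_limit(domain, zone):
    return count_lookups(domain, zone) > LIMIT
```

For the constructed `corp.example` record the total is 14, with the freight include alone costing 7, so a receiver would return a permerror even though each individual record looks short.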
At 39% enforcement, the Southeast mirrors the country it sits at the heart of: most organizations have begun the work and stopped short of finishing it. Georgia and Tennessee show the path at 45%, and Florida's 32 quarantine domains show how quickly a state can climb. For the 364 organizations across the region that haven't reached full enforcement, Red Sift OnDMARC can close the gap between where their email security is today and where the threat environment demands it be.




