
DMARC in Germany: where the top 250 companies stand

Only 44.8% of Germany's top 250 companies enforce DMARC at p=reject, and 32% have no real email protection. See the gaps, the NIS2 angle, and the fixes.

Jack Lilley·Sr. Comms & Content Marketing Manager
Published: June 24, 2026·7 min read

Executive summary: Of Germany's 250 largest companies, 44.8% enforce DMARC at the strongest policy (p=reject), 23.2% sit at p=quarantine, 23.2% publish a record but only monitor (p=none), and 8.8% have no valid DMARC record at all. That puts 68% at some level of enforcement, but leaves 32% with no real protection against spoofing of their primary domain.

Key takeaways

  • 112 of 250 companies (44.8%) enforce DMARC at p=reject, the only policy that actually blocks spoofed mail.
  • 80 companies (32%) are exposed: 58 monitor only and 22 have no DMARC record at all.
  • Several enforcing companies undercut themselves with low enforcement percentages or open subdomain policies, so the headline policy overstates real protection.
  • Germany's NIS2 Implementation Act has applied with no transition period since December 2025, and most of these companies are in scope.
  • BIMI with a Verified Mark Certificate is almost untouched: roughly 12 of 250 have one, despite 170 already meeting the enforcement prerequisite.

Red Sift analyzed the email authentication setup of Germany's 250 largest companies by revenue. The results show less than half are fully protected. Almost a third have no meaningful defense against domain spoofing at all, and that includes an airport operator, a hospital group, and several pharmaceutical names that now sit squarely inside NIS2 scope.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the protocol that tells receiving mail servers what to do with an email that fails authentication checks on your domain. Set it to enforce, and a spoofed message claiming to come from your company is blocked or quarantined by every receiver that honors the policy, which includes the major mailbox providers. Leave it off, or set it to monitor only, and anyone can put your domain in the From field, and your customers have no technical reason to doubt it.

Let's break down the numbers

We pulled the live DNS records for the 250 largest German organizations by revenue and read each domain's DMARC policy, enforcement percentage, subdomain policy, and BIMI status. The breakdown:

  • p=reject (full enforcement): 112 companies, 44.8%. Unauthorized mail is blocked outright.
  • p=quarantine: 58 companies, 23.2%. Failing mail is sent to spam rather than blocked.
  • p=none (monitoring only): 58 companies, 23.2%. A record exists, but it does nothing to stop spoofing.
  • No valid DMARC record: 22 companies, 8.8%. No policy published, or a record so malformed it doesn't parse.

Combine reject and quarantine and you get 170 companies, 68%, doing something to stop impersonation. That is a strong figure next to many markets, but it trails the United Kingdom, which holds a combined 74% at quarantine or reject. Put the other way, 80 of Germany's biggest companies by revenue have no working defense against someone sending mail as their domain.

Why DMARC monitoring is not protection

Publishing a DMARC record at p=none tells mailbox providers to watch and report, not to act. Spoofed mail still gets delivered. The value is the reporting data, which is exactly how you build toward enforcement, but a domain parked at p=none for years is a domain that has collected evidence and done nothing with it.

Our research found a €51.8 billion pharmaceutical and life sciences company, in a sector that NIS2 treats as highly critical, still sitting at p=none. DMARC reports are being collected, but outbound protection remains missing.

Likewise, one of the world's largest reinsurers sits at monitoring only. So do three household names in the energy sector. The pattern repeats: large, regulated, in-scope companies that started the DMARC process and stopped one step short of the policy that does the work.

The records that look protected but aren't

The policy field tells you the intent. Two other fields tell you whether the intent survives contact with reality, and several enforcing companies fall down here.

The first is the enforcement percentage. DMARC lets you apply your policy to only a fraction of failing mail using a pct value (though RFC 9989 will shortly remove the pct tag), which is meant as a temporary dial during rollout. A €16.3 billion semiconductor maker publishes p=quarantine at pct=10. RFC 7489 tells receivers to handle the unsampled remainder one step weaker than the published policy, so quarantine at pct=10 means 90% of mail failing authentication on its domain is still delivered normally (at p=reject the leftover 90% would at least be quarantined). A defense electronics company publishes the same pct=10.

The second is the subdomain policy. A record with no sp tag applies its main policy to subdomains as well, but a domain can enforce p=reject on its primary address and explicitly leave subdomains wide open with sp=none. Because a receiver that finds no record at _dmarc.<subdomain> falls back to the organizational domain's record, that one tag opens every subdomain, including ones that do not exist in DNS. Attackers know this, and a spoofed invoice from billing.yourcompany.com works just as well as one from the main domain. In this dataset the gap shows up as companies enforcing on their main domain while leaving subdomains unprotected, exposing them to a SubdoMailing-style attack.

The 22 with no record at all

The companies with no valid DMARC record are the headline risk, and the list includes names that should give a security team pause.

A well-known aviation operator at Frankfurt airport has no DMARC policy published. As a transport operator, it sits inside NIS2's most heavily regulated tier. A health sector entity under the same regime also has no DMARC record, as does a major port and logistics group.

Two cases stand out as configuration failures rather than absence. A €16.3 billion automotive and industrial supplier has SPF in place but no DMARC policy that resolves. Europe's largest copper producer, at €17.1 billion, published a DMARC record with an uppercase "PCT" tag, which is not a tag name the standard defines, and the record failed to parse in our analysis. RFC 7489 section 6.3 tells receivers to ignore tags they do not recognize, so a lenient receiver might still read the policy tag, but a record that validators reject is not one the company can rely on, and the fix is a trivial edit to lowercase.

For any of these, an attacker can send mail as the company's domain today with nothing standing in the way.
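The three fields discussed above (the p= policy, the pct= sampling dial and the sp= subdomain policy) and the malformed-record case can be exercised in a few lines. The following is an added example written for this article, not Red Sift's scanner; the record strings and hostnames in it are constructed to mirror the configurations described in the text and are not the records of any named company. The `strict` switch shows the two ways a parser can treat the uppercase PCT tag: treating the record as invalid, as this survey's parser did, or ignoring the unknown tag as RFC 7489 section 6.3 instructs. The downgrade of unsampled mail follows RFC 7489 section 6.6.4.

```python
# Added example for this article (not Red Sift's scanner): parse a DMARC record
# and work out what a receiver does with mail that fails authentication.
# SAMPLE_RECORDS are constructed hostnames and strings mirroring the cases in the
# text; they are not the real records of any company in the survey.

KNOWN_TAGS = {"v", "p", "sp", "pct", "adkim", "aspf", "rua", "ruf", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}

SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforcing.example",
    "sampled.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@sampled.example",
    "open-subdomains.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@open-subdomains.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "uppercase-tag.example": "v=DMARC1; p=reject; PCT=100",
    "no-record.example": None,  # nothing published at _dmarc.no-record.example
}


def parse_dmarc(txt, strict=True):
    """Return the record's tags as a dict, or None if the record is unusable.

    Unusable means: no TXT at all, v=DMARC1 not first, p= missing or not a valid
    policy, sp= or pct= malformed. Tag names the parser does not know (e.g. an
    uppercase "PCT") make the record invalid in strict mode, which is how the
    survey's parser treated it; with strict=False they are ignored, as RFC 7489
    section 6.3 tells receivers to do. In neither case is the tag applied.
    """
    if txt is None:
        return None
    tags, unknown = {}, []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            return None  # not tag=value: syntactically broken
        name, value = (part.strip() for part in chunk.split("=", 1))
        if name in KNOWN_TAGS:
            tags[name] = value
        else:
            unknown.append(name)
    if unknown and strict:
        return None
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None  # version tag must come first and read exactly DMARC1
    if tags.get("p") not in POLICIES or tags.get("sp", "none") not in POLICIES:
        return None
    pct = tags.setdefault("pct", "100")  # default when the tag is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return None
    tags["_unknown"] = unknown
    return tags


def classify(tags):
    """Bucket a parsed record the way the survey does."""
    return "invalid" if tags is None else tags["p"]


def survey(records, strict=True):
    """Count domains per bucket for a {domain: txt_or_None} mapping."""
    counts = {"reject": 0, "quarantine": 0, "none": 0, "invalid": 0}
    for txt in records.values():
        counts[classify(parse_dmarc(txt, strict))] += 1
    return counts


def effective_disposition(tags, from_domain, org_domain, sample):
    """Disposition of a message from from_domain that FAILED DMARC.

    `tags` is the organizational domain's record (a receiver that finds no record
    at _dmarc.<subdomain> falls back to it). `sample` is the receiver's per-message
    draw in [0, 100): the policy applies only when sample < pct. RFC 7489 section
    6.6.4 handles the unsampled remainder one step weaker, so p=reject at pct=10
    still quarantines 90% while p=quarantine at pct=10 delivers 90% untouched.
    Returns "reject", "quarantine" or "deliver".
    """
    if tags is None:
        return "deliver"  # no usable policy: spoofed mail goes straight through
    policy = tags["p"]
    if from_domain != org_domain and "sp" in tags:  # no sp= means subdomains inherit p=
        policy = tags["sp"]
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "deliver" if policy == "none" else policy


if __name__ == "__main__":
    print("survey (strict):", survey(SAMPLE_RECORDS))
    print("survey (unknown tags ignored):", survey(SAMPLE_RECORDS, strict=False))
    for domain, txt in SAMPLE_RECORDS.items():
        tags = parse_dmarc(txt)
        for sender in (domain, "billing." + domain):
            outcomes = {effective_disposition(tags, sender, domain, s) for s in range(100)}
            print(f"{sender:38} failing mail -> {sorted(outcomes)}")
```

Running the script prints the survey buckets under both parsing modes and, for each sample domain and a billing. subdomain of it, the set of outcomes a failing message can receive across all 100 sampling draws; the two pct=10 records and the sp=none record are the ones that produce "deliver" despite publishing an enforcing policy.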

NIS2 has already changed the stakes

Germany's NIS2 Implementation Act, which amends the BSI Act, has applied since 6 December 2025 with no transition period, and the deadline to register with the BSI passed on 6 March 2026. Around 29,500 organizations fall within scope across energy, transport, health, manufacturing, banking, and digital infrastructure, which describes most of the companies in this dataset.

NIS2 doesn't name DMARC. What it does is require risk management measures, supply chain security, and management accountability, with personal liability for company directors and fines reaching €10 million or 2% of global annual turnover, whichever is higher, for essential entities. Email authentication is a baseline control that maps directly to those obligations. When a regulator or an enterprise customer assesses your security posture, a domain that anyone can spoof is a finding, not a footnote. And because NIS2 pushes obligations down the supply chain, your customers' compliance now depends partly on yours.

The companies in this dataset that already enforce at p=reject have a clean answer to that assessment. The 80 without real protection do not.

What good looks like

The companies getting this right share a pattern. They reach p=reject, they enforce 100% of mail, they set a subdomain policy that matches the main domain, and the ones thinking about brand add a VMC on top. Allianz, Mercedes-Benz, SAP, Deutsche Bank, and RWE all sit in that group.

Getting there from p=none or from no record is not a multi-year program. The work is reading your reporting data to find every legitimate sender, authenticating those senders, and then tightening the policy in stages until reject is safe to turn on. The companies that stall do so because they're doing it by hand. The ones that move treat the rollout as a managed process with the report data driving each step.
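The first step of that process, reading the aggregate (RUA) reports to find every sender and decide which ones need fixing before the policy tightens, looks like this in code. This is an added example, not OnDMARC or any other Red Sift code. The report XML is constructed in the RFC 7489 Appendix C format with documentation-range IP addresses and example hostnames, and the three-way split (aligned, authenticated but unaligned, unauthenticated) is this example's own grouping, not a term from the DMARC specification.

```python
# Added example for this article, not OnDMARC or other Red Sift code: read a
# DMARC aggregate (RUA) report and sort sending sources into the buckets that
# decide whether p=quarantine/p=reject is safe yet. SAMPLE_RUA is a constructed
# report in the RFC 7489 Appendix C schema with documentation-range IPs.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>example-report-1</report_id></report_metadata>
  <policy_published><domain>yourcompany.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter-platform.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.newsletter-platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Flatten a RUA report into the published policy plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    published = {el.tag: el.text for el in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row, evaluated = rec.find("row"), rec.find("row/policy_evaluated")
        auth = rec.find("auth_results")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            # policy_evaluated carries the *aligned* results, which is what DMARC acts on
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # auth_results carries the raw SPF/DKIM results under whatever domain was used
            "raw_auth": [(a.tag, a.findtext("domain"), a.findtext("result"))
                         for a in (auth if auth is not None else [])],
        })
    return {"published": published, "rows": rows}


def classify_source(row):
    """aligned: passes DMARC now. unaligned: SPF or DKIM passed, but for a domain
    that does not match the From header (typically a third party sending on your
    behalf with its own keys). unauthenticated: nothing passed at all."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "aligned"
    if any(result == "pass" for _, _, result in row["raw_auth"]):
        return "unaligned"
    return "unauthenticated"


def summarize(report):
    """Volume per source IP in each category, plus the domains that passed there."""
    by_ip = {}
    for row in report["rows"]:
        entry = by_ip.setdefault(row["ip"], {"aligned": 0, "unaligned": 0,
                                              "unauthenticated": 0, "auth_domains": set()})
        entry[classify_source(row)] += row["count"]
        entry["auth_domains"].update(d for _, d, r in row["raw_auth"] if r == "pass")
    return by_ip


def enforcement_impact(summary):
    """How much reported mail an enforcing policy would hit today, and what to do
    about each source before tightening the policy."""
    total = sum(e["aligned"] + e["unaligned"] + e["unauthenticated"] for e in summary.values())
    affected = sum(e["unaligned"] + e["unauthenticated"] for e in summary.values())
    return {
        "total": total,
        "affected": affected,
        "affected_share": affected / total if total else 0.0,
        # fix alignment (custom DKIM signing, SPF include) before enforcing
        "fix_alignment": sorted((ip for ip, e in summary.items() if e["unaligned"]),
                                key=lambda ip: -summary[ip]["unaligned"]),
        # confirm these are spoofing, or an internal system nobody authenticated
        "investigate": sorted(ip for ip, e in summary.items() if e["unauthenticated"]),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_RUA))
    for ip, entry in summary.items():
        print(ip, {k: v for k, v in entry.items() if k != "auth_domains"}, sorted(entry["auth_domains"]))
    print(enforcement_impact(summary))
```

On the constructed report the newsletter platform shows up as the sender to fix (it signs with its own domain, so it needs a DKIM key under yourcompany.example or an SPF include before quarantine is safe), while the 45 messages from 192.0.2.77 are the ones to confirm as spoofing. Real reports arrive as gzip or zip attachments, often hundreds per day, so the same functions would be run over every extracted XML file and the summaries merged by IP.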

Red Sift OnDMARC automates that process, taking a domain from monitoring to enforcement in weeks by classifying senders automatically and showing exactly what each policy change will affect before you make it.

If you're in Germany's top 250, or you sell to them, the question is simple. Can someone send mail as your domain right now? For 80 of these companies, the answer is yes. The fix is a known quantity.

Want to see where your own domain stands?

Check your DMARC, SPF, and BIMI status

Jack leads content, PR, GEO, and email security research at Red Sift.