69% of Northwest U.S. businesses exposed to email spoofing

Red Sift analyzed 600 domains belonging to the largest organizations across six Northwest states, and found that only 188 (31%) have reached full DMARC enforcement. That's the lowest regional enforcement rate Red Sift has recorded anywhere in the United States. The Northwest powers a large share of the country's energy supply, hosts two of its three land-based nuclear missile wings, and is home to some of the biggest technology and aerospace companies in the world. Despite that, 69% of the region's top organizations aren't blocking spoofed email. Similar research on other regions by Red Sift includes the Northeast (35%), Mid-Atlantic (44%), Southwest (40%), Heartland (36%), and North Central (41%) states.

• Only 188 of 600 domains (31%) across six Northwest states have reached DMARC enforcement (p=reject), the lowest of any U.S. region Red Sift has studied
• 182 domains (30.3%) run p=none policies that monitor but take no action against spoofed emails
• 136 domains (22.7%) sit at p=quarantine, close to full protection but not finishing the move to reject
• 94 domains (15.7%) have no DMARC record published at all, the highest no-record rate of any region in the series
• Washington leads at 44% enforcement. Montana trails at 25%, the lowest single-state rate Red Sift has recorded

Red Sift analyzed 100 domains from the top organizations in each of six Northwest states: Alaska, Idaho, Montana, Oregon, Washington, and Wyoming. The results show a region split almost down the middle, where coastal technology hubs have published DMARC records but stalled before enforcement, and the interior states have a large share of top organizations with no email authentication at all.

Across all 600 domains, 31% have reached p=reject, the DMARC policy level that actively blocks spoofed emails. That puts the Northwest behind every other region in Red Sift's ongoing comparison: the Northeast (35%), Heartland (36%), Southwest (40%), North Central (41%), and Mid-Atlantic (44%).

The region's defining feature is the gap between its two halves. Washington and Oregon, home to the Northwest's technology and aerospace economy, have almost no domains without a record at all (5% and 4%). The four interior states tell a different story. Wyoming has 30% of its top organizations with no DMARC record, Montana 23%, and Idaho 19%. The Northwest's 15.7% no-record rate is the highest of any region in the series, and nearly all of that gap comes from the interior.

• Washington (44% at enforcement): Washington leads the Northwest with 44 domains at p=reject, tying the Mid-Atlantic as the strongest regional-leader rate Red Sift has recorded outside New York. The state is home to Microsoft, Amazon, Boeing, Costco, and Starbucks, alongside major Pacific shipping ports and a heavy military presence at Joint Base Lewis-McChord and Naval Base Kitsap. 28 domains run p=none, 23 sit at p=quarantine, and only 5 have no record. The state's technology and aerospace concentration shows in that low no-record count, but 56% of its top organizations still haven't reached full protection.
• Oregon (36% at enforcement): Oregon has 36 domains at p=reject and the lowest no-record rate in the study at 4. The state hosts Intel's largest manufacturing campus, Nike, and a semiconductor cluster known as the Silicon Forest, alongside timber, agriculture, and a growing wine industry. 34 domains run p=none, the highest none count in the study, 26 sit at p=quarantine, and 4 have no record. Almost every top Oregon organization has published a DMARC record. The problem is that 60 of them stalled at none or quarantine without finishing the move to reject.
• Idaho (29% at enforcement): Idaho has 29 domains at p=reject. The state is home to Micron Technology's headquarters, a fast-growing technology and agriculture economy, and Idaho National Laboratory, the Department of Energy's lead nuclear energy research lab. 33 domains run p=none, 19 sit at p=quarantine, and 19 have no record. For a state hosting a national nuclear research facility, 19% of its top organizations carrying no DMARC record at all is a gap worth closing.
• Alaska (28% at enforcement): Alaska has 28 domains at p=reject and the highest quarantine count in the study at 31. The state's economy runs on North Slope oil and gas, commercial fishing, and tourism, with a strategic military footprint at Joint Base Elmendorf-Richardson and the Ground-based Midcourse Defense system at Fort Greely. 28 domains run p=none, 31 sit at p=quarantine, and 13 have no record. Those 31 quarantine domains have already done the hard work. If Alaska moved them to reject, its enforcement rate would jump from 28% to 59%.
• Wyoming (26% at enforcement): Wyoming has 26 domains at p=reject and the highest no-record rate Red Sift has ever recorded at 30%. The least populous state is the country's largest coal producer, a major oil, gas, and uranium producer, and home to F.E. Warren Air Force Base, which operates one of the country's three Minuteman III nuclear missile wings. 27 domains run p=none, 17 sit at p=quarantine, and 30 have no record. A state that hosts a nuclear ICBM wing and feeds a large share of the national grid should not have 30% of its top organizations missing a DMARC record entirely.
• Montana (25% at enforcement): Montana sits at the bottom with 25 domains at p=reject, the lowest single-state enforcement rate Red Sift has recorded across the entire series. The state's economy spans agriculture, energy, and tourism, and it hosts Malmstrom Air Force Base, home to another of the country's three Minuteman III nuclear missile wings. 32 domains run p=none, 20 sit at p=quarantine, and 23 have no record. Montana and Wyoming together host two of the three U.S. land-based nuclear deterrent wings, and they hold the two lowest enforcement rates in the region.

The averages hide the real story. Split the six states by geography and the pattern is hard to miss.

Washington and Oregon, the Pacific coastal states that hold the region's technology and aerospace economy, have published DMARC records almost universally. Between them, just 9 of 200 domains have no record at all. Their problem is the last mile: 28% and 34% respectively are parked at p=none, watching spoofed email arrive in their reports without blocking any of it.

The four interior states are a different problem entirely. Idaho, Wyoming, Montana, and Alaska account for 85 of the region's 94 no-record domains. Wyoming and Montana alone carry 53 of them. These are states with nuclear weapons infrastructure, national energy production, and a major federal research lab, and a quarter to a third of their top organizations have taken no email authentication step at all.

Two regions, two different fixes. The coastal states need to finish a project they've already started. The interior states need to start one.

The 136 organizations sitting at p=quarantine are close. They've done the DNS work, identified their senders, and configured SPF and DKIM. Moving from quarantine to reject typically takes 6 to 8 weeks. That's 136 domains where a short project finishes a job that's mostly complete.

Alaska stands out with 31 quarantine domains, the highest single-state count in the study, followed by Oregon with 26. If those organizations moved to reject, Alaska would jump to 59% enforcement and Oregon to 62%. The infrastructure is in place. The final policy change is what's missing.

The Northwest runs on industries where a spoofed email can trigger wire fraud, intercept an energy transaction, disrupt an aerospace supply chain, or target a defense installation. The region's spread across six states and several critical sectors makes the risk broad and the stakes high.

Alaska's North Slope oil fields, Wyoming's coal and natural gas, Montana's energy production, and Idaho's nuclear research lab make the Northwest a national energy hub. Energy trading, royalty payments, pipeline contracts, and vendor invoices all move by email, often in six- and seven-figure amounts. The FBI's IC3 logged $3.04 billion in business email compromise (BEC) losses in 2025, with 86% of those funds moving via wire transfer or ACH. A spoofed email targeting a royalty payment or a pipeline vendor contract can redirect large sums before anyone catches it. The interior states that produce most of this energy are also the ones with the weakest DMARC posture, which puts the exposure exactly where the money moves.

Washington and Oregon host some of the largest technology and aerospace companies in the world, alongside the suppliers, contractors, and research partners that orbit them. Boeing's aerospace supply chain, the semiconductor manufacturing networks around Intel and Micron, and the cloud and software giants headquartered in Seattle all depend on email for purchase orders, design specifications, and payment instructions. These are exactly the brands attackers most want to impersonate. The 62 Washington and Oregon domains sitting at p=none have the DMARC reports showing them spoofing attempts in real time. They just aren't acting on the data.

Idaho's potato and dairy industry, Montana's wheat and cattle production, Washington's apple and wine sectors, and Oregon's agricultural exports connect a network of growers, processors, distributors, and vendors that runs on email. Commodity contracts, shipping confirmations, and payment instructions move through inboxes every day. A spoofed domain targeting a grain elevator, a dairy cooperative, or a food distributor can redirect payments or inject fraudulent instructions into the supply chain. The 182 Northwest domains at p=none are watching this happen in their reports without blocking any of it.

This is where the Northwest's numbers are hardest to defend. Wyoming's F.E. Warren Air Force Base and Montana's Malmstrom Air Force Base operate two of the country's three Minuteman III nuclear missile wings. Alaska hosts Joint Base Elmendorf-Richardson and the Ground-based Midcourse Defense system at Fort Greely, a core piece of U.S. homeland missile defense. Idaho National Laboratory leads federal nuclear energy research. Defense contractors, research partners, and federal agencies operating in these states send email tied to procurement, logistics, and sensitive programs. Montana's 25% and Wyoming's 26% enforcement rates, combined with no-record rates of 23% and 30%, are among the lowest Red Sift has recorded, and they belong to states where a spoofed domain targeting the defense supply chain is not just a phishing attempt. It's a national security risk.

Google and Yahoo began requiring DMARC for bulk senders in February 2024. Microsoft followed in May 2025 with its own enforcement for high-volume senders to Outlook, Hotmail, and Live.com addresses. Non-compliant messages are now rejected outright. For Northwest organizations sending energy invoices, aerospace purchase orders, agricultural confirmations, or financial correspondence, a missing or weak DMARC policy means those messages may never arrive. The 94 domains with no DMARC record at all are the most exposed, but the 182 at p=none are also at risk as enforcement tightens across all major mailbox providers.

PCI DSS 4.0.1 mandates DMARC for organizations handling payment card data, which hits retail, financial services, and energy companies across the region. NIS2 applies to any Northwest firm with EU operations or clients. Cyber insurers are tightening requirements, with some excluding BEC payouts for organizations that lack basic email authentication. For defense contractors in Wyoming, Montana, and Alaska, CMMC and NIST frameworks already recommend DMARC as a baseline control. The region's low enforcement rate is not a sign that these pressures don't apply. It's a sign that a lot of organizations haven't acted on them yet.

Northwest organizations face a mix of pressures: energy transaction fraud, aerospace and semiconductor supply chain targeting, agricultural complexity, and defense installation security. Red Sift OnDMARC is built for that complexity.

• Enforcement in 6 to 8 weeks: Manual DMARC projects average around 32 weeks. OnDMARC cuts that to 6 to 8 weeks by automating source identification, SPF and DKIM configuration, and enforcement readiness checks. For the 136 Northwest organizations sitting at p=quarantine, the final step to reject could be measured in weeks, not months.
• Dynamic SPF for complex sender lists: Northwest organizations tend to have long lists of authorized email senders: energy trading platforms, aerospace ERP systems, agricultural logistics tools, financial systems, and marketing platforms. SPF records have a hard limit of 10 DNS lookups, and complex organizations blow past that quickly. Red Sift's Dynamic SPF manages this automatically, keeping authentication valid without manual record management.
• Clear reporting across every domain: OnDMARC converts raw DMARC aggregate and forensic reports into a dashboard that shows every service sending email on behalf of your domains. Security and compliance teams get immediate visibility into what's authorized, what's failing authentication, and what needs fixing. No XML parsing. No guesswork.
• Continuous monitoring for regulated industries: Energy, aerospace, defense, financial services, and agricultural organizations all face ongoing audit and compliance requirements. OnDMARC provides continuous monitoring and alerting, so enforcement holds even as new senders are added, domains change hands, or infrastructure evolves through mergers and acquisitions.

31% enforcement makes the Northwest the lowest-scoring region Red Sift has studied, behind the Northeast (35%) and Heartland (36%). Washington's 44% shows the path works. Montana's 25% shows how far some states still need to go. The coastal states need to finish what they started, and the interior states need to begin. For the 412 organizations that haven't reached full enforcement, Red Sift OnDMARC can close the gap between the region's risk exposure and its current email security posture.