How to secure your brand with DMARC against email threats: Webinar recap

AI-powered phishing attacks have surged. Learn how DMARC enforcement protects your brand from exact domain spoofing in this webinar recap.

Published: April 15, 2026·8 min read

AI has made phishing attacks cheaper, faster, and nearly impossible to spot with the naked eye. In this webinar, Red Sift’s Antony Seedhouse, Eric Johnson, and Natalie Hays break down why DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement is the only reliable defense against exact domain spoofing, and how OnDMARC gets organizations from p=none to p=reject in six to eight weeks.

Key takeaways

  • AI-generated phishing emails now feature near-perfect grammar, real personalization, and professional design, eliminating the old red flags that users relied on
  • DMARC records have doubled from 8 million to 15 million in under two years, but most domains still sit at p=none, which offers zero protection against spoofing
  • Red Sift OnDMARC takes organizations to full DMARC enforcement in six to eight weeks on average, with proactive monitoring through DNS Guardian and AI-powered insights from Red Sift Radar

AI just handed attackers a massive upgrade

The numbers are hard to ignore. Phishing attacks have surged in the past year, driven almost entirely by generative AI tools that make it trivial to launch sophisticated campaigns at scale.

“What used to take days or weeks for somebody to set up can now basically be one-shotted,” said Antony Seedhouse, Product Manager for OnDMARC at Red Sift. “The barrier to entry is just absurdly low now to run a much more efficient, automated, effective phishing attack.”

And it’s not just the volume that’s changed. The quality has gone through the roof too. Attackers now have access to polished, GUI-based phishing-as-a-service platforms that look like legitimate SaaS products. Tools like “SpamGPT” offer the same clean interface you’d expect from a commercial AI product, just built for fraud. The cost of entry has dropped. The technical skill required has dropped. And the output quality has skyrocketed.

The old red flags are gone

The webinar put this shift into sharp focus with a side-by-side comparison. On one side: classic phishing attempts. Think “ATTENTION BENEFICIARY” in all caps from a Yahoo email address, or a fake PayPal alert riddled with spelling errors from “paypie-verify.com.” These are almost endearing in how obvious they are.

On the other side: AI-generated phishing emails that even security professionals would need to pause on. One example mimicked a legitimate Microsoft security alert with near-perfect grammar, the recipient’s real name and email, a plausible lookalike domain (microsoft-alerts.com), and realistic sign-in details with timestamps and geolocation data. The call-to-action was subtle rather than urgent, and the footer included a proper address and links.

The second example hit closer to home. It impersonated Red Sift’s own platform using a lookalike domain (redsift-notifications.com), referenced real product features like aggregate reports, API access, and SIEM integration, and even used the company’s actual London office address.

“AI generated both of these in seconds, not hours, not days,” said Antony. “Grammar is near-perfect, design is clean, personalization is real. The only reliable defense against this kind of exact domain spoofing is DMARC enforcement.”

DMARC adoption is growing, but enforcement lags far behind

The bulk sender requirements rolled out by Google, Yahoo, and Microsoft have driven a real spike in DMARC adoption. The total number of DMARC records has doubled from 8 million to 15 million in roughly 18 months. Mandates clearly move the needle.

But here’s the problem: most of those domains are stuck at p=none.

Around 18% of domains now have a DMARC policy of some kind. A fraction of those actually enforce it with p=quarantine or p=reject. And p=none, while useful for visibility, does nothing to stop an attacker from spoofing your domain and landing in someone’s inbox.

“Even if you set up a DMARC policy, if it’s on none, it’s not actually providing any security,” said Antony. “It’s just saying it’s okay if people impersonate my domain.”

The major mailbox providers have only mandated the bare minimum so far. But the direction of travel is clear. Requirements are getting stricter, and BIMI (Brand Indicators for Message Identification) already requires p=reject. Organizations that wait to be forced into enforcement are leaving their brands and their customers exposed in the meantime.

Gartner backs this up. The analyst firm recommends DMARC as a foundational element of any email security strategy, alongside email encryption and MFA. Yet fewer than 10% of organizations have actually reached enforcement.

Three myths that keep organizations stuck at p=none

Eric Johnson, Lead Senior Customer Success Engineer at Red Sift, hears the same objections on nearly every call:

“We tried and it broke our email.” This is the most common one, and it’s understandable. DMARC enforcement without proper preparation is like turning on a firewall that blocks all traffic and being surprised when nothing works. But with the right approach (phased policy changes, proper testing, and expert guidance) you can get to p=reject without disrupting a single legitimate email flow.

“We have p=none, so we’re compliant.” Not quite. The bulk sender requirements don’t just mandate having a DMARC record. They require properly authenticated mail. If you’re sending bulk volumes that fail authentication, providers like Google and Yahoo will treat your email as if you’re at p=reject anyway and drop it, regardless of what your actual policy says.

“Our security provider already does DMARC.” Many security platforms bolt on DMARC as an afterthought. It’s manual, complex, and hard to manage at scale. A purpose-built DMARC platform is designed from the ground up to solve this specific problem, not tack it on as a secondary feature.

DMARC at quarantine is just hitting snooze

Eric had a memorable analogy for organizations that stop at p=quarantine: “P=quarantine is kind of like hitting the snooze button on any issues out there.”

Here’s why. Quarantine sends suspicious emails to the spam or junk folder instead of blocking them entirely. The message still gets delivered. And people do check their spam folders. Eric pointed to a real scenario: “Giving, you know, Natalie’s mom or my dad the opportunity to check through their spam folder and see an urgent email, click through, take action, and next thing you know they’ve lost $10,000 or more.”

Quarantine also hides legitimate deliverability problems. If your own authenticated emails are failing DMARC and getting flagged as spam, you won’t know about it unless a recipient reaches out to tell you. With p=reject, those failures are loud and immediate, which means you catch and fix them fast.

From a marketing perspective, Natalie Hays, Senior Product Marketing Manager at Red Sift, added another angle: “Nothing is more mortifying as a marketer than a stakeholder seeing an email from your brand in the spam folder and asking you what you’re doing wrong.”
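
The three policy levels discussed above, as an added example (not Red Sift's code and not shown in the webinar): a small Python checker that parses a DMARC TXT record and reports whether it is monitor-only, partially enforced, or enforced. The function names, the `level` labels and the example.com sample records are assumptions made for illustration; tag names and defaults (`sp` falls back to `p`, `pct` to 100) follow RFC 7489.

```python
# Added example: classify a DMARC TXT record by enforcement posture.
# Tag names and defaults follow RFC 7489; the "level" labels are this example's own.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; v=DMARC1 must come first."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def posture(record: str) -> dict:
    """Return the effective policy level and the gaps a defender should close."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy not in STRENGTH or sub_policy not in STRENGTH:
        raise ValueError("missing or invalid p=/sp= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail still lands in the spam folder")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only part of failing mail gets the policy")
    if STRENGTH[sub_policy] < STRENGTH[policy]:
        findings.append(f"sp={sub_policy}: subdomains are weaker than the main domain")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to discover mail flows")
    fully = policy == "reject" and sub_policy == "reject" and pct == 100
    level = "monitor-only" if policy == "none" else "enforced" if fully else "partial"
    return {"level": level, "policy": policy, "findings": findings}


# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "snooze": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "weak_sub": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
```

Feed `posture()` the TXT value published at `_dmarc.<your domain>`; anything other than `enforced` with an empty `findings` list still leaves a path for spoofed mail to reach a mailbox.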

Red Sift OnDMARC: from zero to enforcement in six to eight weeks

Red Sift OnDMARC is an all-in-one email security configuration management platform that takes organizations from p=none through to p=reject enforcement, and then beyond to protocols like MTA-STS (Mail Transfer Agent Strict Transport Security) and BIMI.

The typical path to enforcement takes six to eight weeks, even for large domains with millions of emails and dozens of sending services. The process starts with DMARC reporting to discover all email flows, authorized senders, and subdomains. From there, Red Sift’s in-house customer success team (no outsourced support) works alongside you to resolve complicated mail flows and tricky authentication issues.

Once you’ve reached enforcement, OnDMARC keeps working. Two features stand out:

DNS Guardian monitors all DNS settings across your domains and identifies misconfigurations that could create vulnerabilities. If an email service provider you authorized years ago goes out of business, an attacker could take over that domain and gain the ability to send email on your behalf. DNS Guardian catches these dangling DNS records before they become attack vectors.

Red Sift Radar is an AI-powered assistant trained specifically on email authentication. It acts as an on-demand cybersecurity expert where you can ask questions in natural language. Need to understand a complex DMARC report? Want to know what a misconfiguration means and how to fix it? Radar handles it. As Eric put it: “If I’m not around for you to ask a question, Radar is there for you.”

And for lookalike domain attacks (like that redsift-notifications.com example), Red Sift Brand Trust provides detection and monitoring so you can spot threats before they’re weaponized.

Security awareness still matters

One key question from the audience: if AI makes phishing emails impossible to recognize, is security awareness training still worth anything?

The panel was unanimous: yes. DMARC eliminates exact domain spoofing, which removes one of the strongest phishing signals. But threats evolve. Lookalike domains, SMS-based attacks, and social engineering tactics all sit outside the scope of email authentication. Training your people to spot the difference between redsift.com and redsift-notifications.com still matters.

“Even though you may have DMARC in place, the attacks are evolving, they’re getting more sophisticated,” said Eric. “Having your end users trained to spot those nuances is something security awareness training can actually enable.”

Take the first step

If you want to see where your domain stands right now, Red Sift offers a free scan of your DMARC, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) configuration through Red Sift Investigate.
