Introduction
Domain-based Message Authentication, Reporting, and Conformance (DMARC) gives domain owners control over how email receivers handle messages that fail SPF and DKIM authentication for their domain, preventing spoofing and securing outbound communications. But for DMARC to truly make the Internet safer, adoption needs to be global. A fragmented approach leaves gaps that attackers can exploit.
Achieving universal DMARC enforcement would:
- Enhance cybersecurity: Widespread adoption of quarantine or reject policies would drastically reduce phishing and spoofing attacks.
- Build trust: Ensuring legitimate emails aren’t wrongly flagged as spam protects customer relationships and brand reputation.
- Streamline compliance: DMARC helps organizations meet evolving cybersecurity regulations, including Google and Yahoo’s Bulk Sender requirements.
- Foster collaboration: A global email security standard benefits both the public and private sectors, protecting senders and recipients alike.
There are positive signs ahead: 2.3 million domains adopted DMARC following last year's Google and Yahoo bulk sender requirements.
What is the current worldwide adoption of DMARC?
Despite growing awareness, DMARC adoption remains low worldwide. As of February 2025, only 9.7% of domains in a sample of 73.1 million have started their DMARC journey by publishing at least a p=none (monitoring-only) policy.
Even more concerning, just 5.2% of domains have taken the final step to p=reject, the strongest policy, which instructs receivers to discard messages that fail DMARC. Note that p=reject protects only the exact domain and, via the sp tag, its subdomains; lookalike domains and display-name impersonation are outside its scope. This gap highlights the urgent need for stronger enforcement and wider adoption to protect businesses and individuals from email-based threats.
Country vs country: Who is leading the DMARC drive?
Research by Red Sift looked at 72+ million domains, including those of some of the world's largest public companies, market indices, and regulated groups. Below is a breakdown of public companies by country comparing the percentage with any DMARC policy (at least p=none) against the percentage enforcing DMARC with p=reject.
*Data accurate as of March 2025.
The outlook for top public companies is promising, with 16 out of 27 countries surpassing 50% DMARC enforcement. Globally, 50.8% of public companies have reached full enforcement with p=reject, marking significant progress in securing outbound email communications.
However, some countries still have a long way to go. The largest gaps in enforcement include:
- South Korea: Just 6.1% of public companies have implemented p=reject.
- Japan: Only 20.8% have reached full DMARC enforcement.
- Thailand: Enforcement stands at just 26.3%.
While global adoption is moving in the right direction, these disparities highlight the need for stronger industry-wide and regulatory efforts to close the enforcement gap and ensure email security on a global scale.
Indices and Regulated Groups
*Data accurate as of March 2025.
Market indices are leading the way in DMARC enforcement, with all achieving at least 50% p=reject adoption. The S&P 500 stands out with a 73.6% enforcement rate, showcasing strong cybersecurity practices among the world’s largest publicly traded companies.
However, SEC-regulated firms lag significantly behind, with just 24.4% reaching full enforcement. This gap highlights the need for stronger regulatory pressure and industry-wide adoption to protect against email-based threats in the financial sector.
Why DMARC should be mandatory
Existing regulatory frameworks
Many countries already have cybersecurity and data protection regulations that could serve as a foundation for DMARC enforcement. For example:
- General Data Protection Regulation (GDPR) in the European Union emphasizes data security and could be extended to include email authentication requirements.
- California Consumer Privacy Act (CCPA) in the United States focuses on protecting consumer data; its expectation of reasonable security measures can be read to include proactive email security controls such as DMARC.
- Digital Operational Resilience Act (DORA) in the EU mandates robust cybersecurity practices for financial institutions, and the guidance accompanying it recommends implementing DMARC.
- The National Institute of Standards and Technology (NIST) explicitly recommends DMARC, SPF, and DKIM to prevent phishing and spoofing. Publications such as NIST SP 800-177 and SP 800-53 emphasize enforcement at p=reject so that only authenticated email is delivered.
Mandate for international standards
DMARC adoption has been steadily increasing, with governments and cybersecurity organizations worldwide recognizing its role in preventing email fraud.
DMARC itself is an Internet Engineering Task Force (IETF) specification (RFC 7489); the Global Cyber Alliance (GCA) publishes implementation guidance and tooling, while the European Cybercrime Centre (EC3) actively promotes DMARC, SPF, and DKIM adoption.
Several governments have already taken action:
- UK (2016): Mandated DMARC across all government departments.
- US (2017): The Department of Homeland Security’s Binding Operational Directive 18-01 required federal civilian domains to implement DMARC.
- Netherlands & New Zealand (2018): Introduced national DMARC requirements.
- Australia (2019): Followed with its own DMARC mandate.
- Denmark (2020): Enforced p=reject for all government-owned domains.
- Canada (2020): Issued official guidance on securing email domains.
These steps highlight growing international recognition of DMARC as a cybersecurity necessity, setting a precedent for broader global enforcement.
Red Sift recommends:
Partnering with international cybersecurity organizations is key to increasing DMARC adoption and combating email-based threats like phishing, email fraud, and business email compromise (BEC).
The European Cybercrime Centre (EC3), established by Europol, is a leading force in cybersecurity across the EU. It actively promotes DMARC, SPF, and DKIM adoption, working alongside law enforcement, cybersecurity experts, and industry partners to reduce email spoofing and domain impersonation. EC3 also runs the No More Ransom initiative, launched in 2016 to fight cybercrime globally.
Beyond Europe, international organizations like the United Nations (UN) and International Telecommunication Union (ITU) could push for mandatory DMARC adoption among member states, establishing a global standard for email authentication and security. Civil society organizations also have a role to play, advocating for policies that protect individuals and businesses from cyber threats while ensuring the internet remains a safe and trusted space for communication.
Address regional challenges and opportunities
North America
- United States: The U.S. has made significant progress in DMARC adoption, particularly in the public sector. The Department of Homeland Security (DHS) mandates DMARC for federal agencies, but private sector adoption lags.
- Canada: Canada has also seen progress, with the Canadian Centre for Cyber Security (CCCS) promoting DMARC adoption.
Red Sift recommends:
An expansion of federal mandates to include private sector organizations, particularly in critical infrastructure sectors like finance, telecommunications, energy, and healthcare.
Europe
- European Union: The EU's focus on cybersecurity, as seen in DORA and the Network and Information Systems (NIS2) Directive, provides a strong foundation for DMARC enforcement, since both require covered organizations to adopt a wide range of cyber hygiene practices.
- United Kingdom: The UK’s National Cyber Security Centre (NCSC) has been a leader in promoting DMARC adoption.
Red Sift recommends:
To strengthen email security across Europe, DMARC requirements should be integrated into existing EU directives, ensuring widespread adoption. Providing funding for small and medium-sized enterprises (SMEs) would help remove financial barriers, making implementation more accessible for businesses that may lack the resources to deploy email authentication protocols.
Similarly, the UK government has an opportunity to take the lead in DMARC enforcement by not only educating organizations on its benefits but also collaborating with the private sector to offer subsidized funding for UK-based SMEs. By making DMARC adoption more achievable, both the EU and UK can drive better cybersecurity standards, reduce phishing risks, and protect businesses from email-based threats.
Asia-Pacific
- India: The Indian government has mandated DMARC for its domains, but private sector adoption is still in its infancy.
- Australia: The Australian Cyber Security Centre (ACSC) has issued guidelines for DMARC adoption, but enforcement remains absent.
Red Sift recommends:
Governments can accelerate DMARC enforcement by expanding awareness campaigns in partnership with the public and private sectors.
A strong example of this approach is the UK’s NCSC, which has successfully worked with public and private organizations to drive DMARC adoption. Through its Mail Check initiative, the NCSC helped UK government agencies and businesses implement DMARC at p=reject, significantly reducing domain spoofing.
Africa and Latin America
- Africa: Many African nations lack the infrastructure and resources to implement DMARC effectively, but some sectors, like finance, are improving.
- Latin America: Countries like Brazil and Mexico are making strides in cybersecurity but need more robust frameworks for DMARC adoption.
Red Sift recommends:
Funding and technical support are crucial for developing nations, where limited resources can make it difficult to comply with mandatory email security regulations. Without proper implementation, these regions remain vulnerable to phishing, spoofing, and cyber threats.
To address this, international organizations should step in by providing financial grants, technical assistance, and training programs to help businesses and government entities deploy DMARC effectively. By making these resources accessible, the global community can ensure stronger cybersecurity protections across all regions, preventing developing nations from becoming easy targets for cybercriminals.
Promote collaboration between stakeholders
Public and private partnerships
Governments, businesses, and non-profits should work together to promote DMARC adoption. For example:
- Red Sift offers free tools like Red Sift Investigate, where you can check your DMARC record and other essential protocols.
- Global Cyber Alliance (GCA) offers free tools and resources for DMARC implementation.
- Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG): Provides best practices for email authentication.
- The National Cyber Security Centre (NCSC) recently announced changes to its Mail Check services, including the ending of DMARC aggregate reporting, with this service now being fulfilled by recommended private sector providers, including Red Sift.
Industry initiatives
The healthcare and financial sectors handle highly sensitive data, making them frequent targets for phishing and fraud. In 2024, 48% of healthcare organizations and 73% of financial institutions reported phishing attacks, while 61% of healthcare organizations lack proper protection against data breaches.
DMARC helps prevent fraudulent emails from impersonating hospitals, insurers, banks, and payment providers, reducing the risk of phishing, identity theft, and unauthorized access. Enforcing p=reject ensures only authorized senders can use an organization’s domain, helping to prevent fraud, support compliance, and maintain customer trust.
DMARC is not just nice to have. PCI DSS v4.0 requirement 5.4.1, mandatory from March 31, 2025, requires organizations that handle or process card payments to have mechanisms that protect personnel against phishing; the guidance for that requirement names DMARC, SPF, and DKIM, with a DMARC policy of "quarantine" or "reject" being the expected way to stop spoofing of the organization's own domains. Non-compliance can result in substantial penalties from card brands and acquiring banks, commonly cited as $5,000 to $100,000 per month, depending on the severity and duration of the violation.
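The policy ladder described earlier (p=none as the starting point, p=reject as full enforcement) and the "quarantine or reject" expectation above can be turned into a mechanical check. The following is an added example, not Red Sift's tooling or code from this article: it parses a DMARC TXT record, resolves the effective policy, and flags the two ways a p=reject record is commonly weaker than it looks, a pct value below 100 and an sp tag weaker than p. The record strings are constructed samples; a real check would first resolve the TXT record at _dmarc.<domain>.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example; not Red Sift's tooling or code from the article. Records are
passed in as strings (constructed samples below) so this runs offline. In
practice you would first resolve the TXT record at _dmarc.<domain>.
"""

# Policy strength in the order the article uses: none < quarantine < reject.
LEVELS = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    DMARC records are ';'-separated tag=value pairs (RFC 7489). Raises
    ValueError if the record is not DMARC (no v=DMARC1 or no p= tag) or if a
    tag has no '='.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and p=")
    if tags["p"].lower() not in LEVELS:
        raise ValueError(f"unknown p= value {tags['p']!r}")
    return tags


def assess(record: str) -> dict:
    """Return the effective policy and the gaps a reviewer would flag.

    status is one of:
      monitoring - p=none: reports only, spoofed mail is still delivered
      partial    - quarantine/reject, but weakened by pct<100 or a weaker sp=
      enforced   - quarantine or reject applied to 100% of failing mail,
                   subdomains included
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    # sp= (subdomain policy) defaults to p= when absent or unrecognised.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in LEVELS:
        sub_policy = policy
    # pct= defaults to 100; non-numeric or out-of-range values are clamped.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(pct, 100))

    warnings = []
    if policy == "none":
        warnings.append("p=none: receivers still deliver failing mail, no spoofing protection yet")
    elif pct < 100:
        # RFC 7489 6.6.4: receivers apply the next weaker policy to the unsampled share.
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}, "
                        "the rest is treated one level weaker")
    if LEVELS[sub_policy] < LEVELS[policy]:
        warnings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        warnings.append("no rua=: without aggregate reports you cannot see what is failing")

    if policy == "none":
        status = "monitoring"
    elif pct < 100 or LEVELS[sub_policy] < LEVELS[policy]:
        status = "partial"
    else:
        status = "enforced"

    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "status": status, "warnings": warnings}


# Constructed sample records (not any real domain's DNS).
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none",
    "enforced": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        result = assess(rec)
        print(f"{name:<10} status={result['status']} p={result['policy']} "
              f"sp={result['subdomain_policy']} pct={result['pct']}")
        for w in result["warnings"]:
            print("   -", w)
```

The "partial" sample is the case adoption statistics tend to miss: it reads as p=reject, yet three quarters of failing mail is only quarantined and every subdomain is left at p=none. A survey that counts it as enforced overstates protection, and an assessor checking for "quarantine or reject" should read pct and sp before signing it off.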
Red Sift recommends:
Beyond security, DMARC improves email deliverability, ensuring legitimate emails reach inboxes while reducing spam and phishing attempts. Adopting DMARC helps healthcare and financial organizations manage risk, protect sensitive data, and maintain secure communication.
To date, there remain many security gaps in critical sectors that frequently experience cyber attacks. The protection is available, but many are yet to take action.
Educate and empower organizations
Incentives through Government backed campaigns
Organizations that are unaware of DMARC, or lack the expertise to implement it, are unlikely to act without incentives and awareness campaigns from prominent government departments or cybersecurity centers. To date only a few national authorities have pushed for DMARC adoption. Examples include:
- CISA (Cybersecurity and Infrastructure Security Agency): Mandated DMARC enforcement for U.S. federal agencies through Binding Operational Directive (BOD) 18-01, requiring agencies to implement DMARC at a p=reject policy to prevent spoofing and phishing attacks.
- ENISA (European Union Agency for Cybersecurity): Provides guidance and best practices for DMARC adoption across EU Member States, emphasizing its role in securing government and private sector email communication, but without direct enforcement mandates like CISA's.
- National cybersecurity centers: The NCSC in the UK strongly advocates DMARC enforcement and provides technical guidance to improve email security across government entities. Other national centers generally promote DMARC awareness and implementation, offering tools, training, and recommendations to help organizations strengthen their email security posture; their approach varies by country, in line with local cybersecurity policy.
Red Sift recommends:
Driving global DMARC adoption takes more than one organization. Collaboration is key, through use of educational materials, events, frameworks, and workshops, to push adoption across both the public and private sectors. Working together, global DMARC enforcement can become a reality.
Educate through academia
Cybersecurity and computer science related courses at university and industry level should include DMARC advocacy as standard, and offer specialized courses that cover email security and how to mitigate against growing and sophisticated attacks. While not necessarily focused on DMARC, available courses include:
United Kingdom and Europe:
- SANS Institute: Offers specialized training events in London, providing hands-on experience in various cybersecurity domains, including email security.
- OPSWAT Academy: A comprehensive program designed to enhance email security awareness and skills, focusing on threats associated with email communication and methods to analyze and secure emails.
- University of Southampton: Provides a "Comprehensive Cybersecurity" course accredited by the UK National Cyber Security Centre, covering a broad spectrum of cybersecurity principles, potentially including email security.
Canada and the United States:
- Cisco – Securing Email with Cisco Email Security Appliance (SESA): A hands-on course teaching deployment and use of the Cisco Email Security Appliance to protect email systems against threats like phishing and ransomware.
- SANS Institute (US and Canada): Offers instructor-led courses covering various aspects of cybersecurity, including email security, across multiple locations in the USA and Canada.
- Texas A&M Engineering Certificate Series: Offers a comprehensive Cybersecurity Certificate Series designed to enhance knowledge and skills in cybersecurity. These certificates are targeted at state, local, tribal, and territorial government employees, private sector employees, and students who use computers and/or mobile devices as part of their daily life. The courses are developed and delivered at no cost, thanks to funding from the U.S. Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA).
Prepare for future challenges
Protecting against new threats
As cyber threats evolve, so must DMARC. Organizations need to stay up to date on email authentication and cybersecurity advancements to keep their protections strong. Industry working groups and lobbyists must continue pushing governments and private sector leaders to keep DMARC enforcement a priority.
With technological advancements, cybercriminals are finding new ways to exploit email security gaps. Looking beyond DMARC, here are four key areas where stronger enforcement would benefit users in the future:
- AI-powered threat intelligence with DMARC: Enhance DMARC enforcement by integrating AI-driven threat intelligence to detect phishing, BEC, and deepfake email threats in real time. AI insights refine SPF, DKIM, and DMARC policies, proactively blocking attack vectors before they occur.
- Zero-trust email security with DMARC: Strengthen Zero-Trust architecture by combining DMARC enforcement (p=reject) with continuous email verification. AI-driven anomaly detection and identity validation prevent credential theft, insider threats, and unauthorized email access.
- Blockchain with DMARC for supply chain protection: Secure third-party email communications by integrating DMARC with blockchain authentication to create tamper-proof email records. Validate SPF/DKIM logs to block supply chain phishing, vendor spoofing, and invoice fraud.
- AI chatbots and DMARC for email security awareness: Deploy AI-powered chatbots that analyze DMARC logs in real time, allowing employees to verify suspicious emails instantly. Automate phishing alerts via Slack, Teams, and WhatsApp, improving cybersecurity awareness and response.
A call to action for a safer internet
Achieving a global DMARC consensus is not just a technical challenge—it’s a collective responsibility. By leveraging existing regulations, addressing regional challenges, and fostering collaboration, we can create a safer digital environment for everyone.
Four final takeaways:
- Governments: Amend regulations to mandate DMARC adoption.
- Businesses: Implement DMARC to protect your domains and customers.
- International organizations: Promote DMARC as a global standard.
- Individuals: Advocate for stronger email security in your community.
Together, we can move closer to a world where email-based attacks are a thing of the past. Let’s make global DMARC enforcement a reality.