
Most businesses still can't answer one simple question about their email

Just 2.5% of domains enforce DMARC at p=reject. Red Sift and Bespin Labs (Patronum) break down why email authentication stalls, and how to fix it before regulators and attackers force the issue.

Red Sift
Published: April 23, 2026·7 min read

Co-authored by Red Sift and Bespin Labs (Patronum).

Here's a question every IT leader should be able to answer: if someone spoofed your domain right now and sent a phishing email to your customers, would it get blocked?

Most can't answer that with confidence. And the data backs it up. Red Sift's analysis of over 73 million domains found that just 14.9% have implemented even a basic DMARC policy. Only 2.5% enforce the strictest protection level, p=reject. That means roughly 84% of domains have no visible DMARC record at all.

These aren't obscure technical gaps. They're open doors.

Everyone knows about DMARC. Almost nobody finishes the job.

Email authentication isn't new. SPF (Sender Policy Framework) was first standardized in 2006 (RFC 4408, revised as RFC 7208 in 2014). DKIM (DomainKeys Identified Mail) followed in 2007 (RFC 4871, now RFC 6376). DMARC (Domain-based Message Authentication, Reporting and Conformance) was published in 2012 and became RFC 7489 in 2015. Together, they form a layered defense that tells receiving mail servers how to verify whether an email genuinely came from who it claims to be.

SPF lists the IP addresses authorized to send email on behalf of a domain, and receivers check it against the envelope sender (the Return-Path), not the From: header the recipient sees. DKIM attaches a cryptographic signature to each message, made with a key published in the signing domain's DNS, so recipients can verify the named domain signed it and that it hasn't been tampered with in transit. DMARC ties them together: a message passes if SPF or DKIM passes and the domain that passed aligns with the From: header domain. The DMARC record then tells receivers what to do when that check fails (p=none, p=quarantine or p=reject) and where to send reports about it (rua for aggregate reports, ruf for per-message failure reports).

The concepts aren't complicated. But implementation? That's where things stall.

Most organizations have dozens of services sending email on their behalf: marketing platforms, CRM tools, HR systems, support desks, billing providers. Every one of those needs to be accounted for in your SPF and DKIM configuration. Miss one, and legitimate emails start failing authentication. There's a trap in the other direction too: SPF allows at most 10 DNS lookups per evaluation (include, a, mx, ptr, exists and redirect terms all count, recursively), so bolting on every vendor's include eventually produces a permerror that fails everything. Get spooked by either failure mode, and you leave your DMARC policy at p=none (monitoring only) indefinitely.

This is exactly what's happening at scale. Research shows that over 508,000 domains sit at p=none, meaning they're collecting data about who's using their domain but doing nothing to stop unauthorized senders. They've taken the first step and stopped walking.

Why this matters more now than it did five years ago

The pressure is coming from multiple directions at once, and it's converging fast.

The inbox providers forced the issue first. Google and Yahoo introduced authentication requirements for bulk senders in February 2024, and Microsoft applied the same bar to Outlook.com in 2025. If you send 5,000 or more emails a day to any of these providers, you need SPF and DKIM, a DMARC record (p=none is the minimum they accept), and a From: domain that aligns with at least one of them. That's not optional anymore. It's table stakes for deliverability.

Then the regulators caught up. PCI DSS v4.0.1 requirement 5.4.1, mandatory since 31 March 2025, requires mechanisms that detect and protect personnel against phishing, and its guidance names DMARC, SPF and DKIM as the expected controls. For the domains you send from, that means a DMARC policy at p=quarantine or p=reject, because p=none protects nobody. Fines for non-compliance are set by the card brands and passed through acquiring banks; figures of $5,000 to $100,000 per month are commonly cited. For finance, retail, and e-commerce businesses, email authentication has gone from "security nice-to-have" to "regulatory requirement".

And while all of this has been happening, AI has made phishing dramatically cheaper to produce. What used to take a skilled attacker 16 hours to craft manually can now be generated in around 5 minutes. The emails read better, they're more personalized, and they're harder to spot. The volume is climbing. And the attackers are impersonating your domain to do it.

The gap between managing email and securing email

At Bespin Labs, we work with organizations every day on Google Workspace management through Patronum. We see the operational side of email: user provisioning, email signatures, access controls, offboarding workflows.

What we keep seeing is the same gap. Organizations invest heavily in managing their email infrastructure but overlook the authentication layer that protects it. They'll have detailed policies for what happens when an employee leaves, automated signature management across thousands of users, and granular control over file sharing. But ask about their DMARC policy and the answers get much less precise.

This gap comes down to how responsibilities are divided. Email authentication often falls between IT operations, security, and marketing. No single team owns it. And because it lives in DNS records rather than a visible dashboard, it's easy to forget it's there, or that it isn't.

What "getting the basics right" actually looks like

Email authentication doesn't need to be a six-month project. But it does need deliberate attention.

The starting point is visibility. Before you change anything, you need to understand your current state.

  1. What DMARC, SPF, and DKIM records exist for your domain?
  2. Are they configured correctly?
  3. Are they aligned, so that the domain SPF or DKIM authenticates matches the From: header domain?

A free tool like Red Sift Investigate can run a real-time check on your domain in under 30 seconds and tell you exactly where you stand.
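The three questions above can be answered from DNS alone. The script below is an added example written for this page (it is not Red Sift's or Patronum's code) that parses a domain's DMARC record, reports its enforcement posture, and walks the SPF include tree to count DNS lookups against the RFC 7208 limit of 10. All DNS answers are constructed inline so it runs offline; the vendor hostnames are real names but the record contents are fictional, and the `txt()` helper is the one place to swap in a real resolver.

```python
# Constructed DNS answers standing in for live TXT lookups (example data only).
# Vendor names are stand-ins; the record contents are fictional. For a real
# check, replace txt() with dnspython's dns.resolver.resolve(name, "TXT") and
# join each answer's strings.
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net mx a ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; pct=100"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # A record that grew by bolting on vendors: 11 lookups, so every check permerrors.
    "bloated.example": ["v=spf1 include:_spf.google.com include:sendgrid.net mx a ptr "
                        "exists:%{i}.chk.example include:sendgrid.net include:sendgrid.net "
                        "include:sendgrid.net ~all"],
    "_dmarc.bloated.example": ["v=DMARC1; p=reject; pct=50; rua=mailto:rua@bloated.example"],
    # noauth.example publishes nothing at all.
}


def txt(name, resolver=FAKE_TXT):
    """Return the TXT strings for a name (hypothetical stand-in for a DNS query)."""
    return resolver.get(name.lower(), [])


def parse_dmarc(name, resolver=FAKE_TXT):
    """Return the DMARC tags for `name` with defaults filled in, or None if unusable."""
    records = [r for r in txt(f"_dmarc.{name}", resolver)
               if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:  # none, or several: receivers treat both as 'no policy'
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is set
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")      # relaxed alignment: organizational-domain match
    tags.setdefault("aspf", "r")
    return tags


def dmarc_posture(tags):
    """Human-readable enforcement level derived from the parsed tags."""
    if tags is None:
        return "no DMARC policy"
    if tags["p"] == "none":
        return "monitoring only"
    if tags["pct"] != "100":
        return f"partial enforcement ({tags['p']} at pct={tags['pct']})"
    return f"enforced ({tags['p']})"


def spf_record(name, resolver=FAKE_TXT):
    records = [r for r in txt(name, resolver) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None  # 0 or >1 records: unusable


def spf_lookups(name, resolver=FAKE_TXT, depth=0):
    """Count DNS-querying terms across the whole include tree (RFC 7208 caps it at 10)."""
    record = spf_record(name, resolver)
    if record is None or depth > 10:
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                      # drop the qualifier
        if term.startswith("include:") or term.startswith("redirect="):
            target = term.split(":", 1)[1] if term.startswith("include:") else term.split("=", 1)[1]
            total += 1 + spf_lookups(target, resolver, depth + 1)
        elif term.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1                                  # ip4/ip6/all cost nothing
    return total


def check_domain(name, resolver=FAKE_TXT):
    """Answer the three visibility questions for one domain."""
    tags = parse_dmarc(name, resolver)
    lookups = spf_lookups(name, resolver)
    return {
        "dmarc": dmarc_posture(tags),
        "subdomain_policy": None if tags is None else tags["sp"],
        "alignment": None if tags is None else f"adkim={tags['adkim']} aspf={tags['aspf']}",
        "reports_to": None if tags is None else tags.get("rua"),
        "spf_lookups": lookups,
        "spf_ok": spf_record(name, resolver) is not None and lookups <= 10,
    }


if __name__ == "__main__":
    for domain in ("example.com", "bloated.example", "noauth.example"):
        print(domain, check_domain(domain))
```

Run it and the three constructed domains land in the three buckets the article describes: example.com is at p=none with a healthy SPF tree (6 lookups), bloated.example is nominally at p=reject but only for half its mail and with an SPF record that already permerrors, and noauth.example has nothing. The `sp` default is worth noticing: an organization that never set it has silently given every subdomain the same policy as the apex.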

Then comes sender mapping, which is the step most people skip, and the one that causes the most problems later. Every service that sends email on your behalf needs to be identified and authenticated. Your marketing automation platform, your ticketing system, your invoicing software, whatever else your teams have connected over the years. DMARC aggregate reports (rua) are the primary tool here. Each participating receiver sends you, typically daily, an XML summary of every source IP that put your domain in the From: header, with message counts and whether SPF and DKIM passed and aligned. They show you who's sending as your domain, both legitimate and otherwise, and they also expose the common middle case: a vendor that authenticates correctly but under its own domain, which fails DMARC until you give it a custom return-path or DKIM key under yours.

Once you have that picture, you can move from monitoring to enforcement. Publishing a DMARC record at p=none is a start. But it doesn't actually protect anything. The goal is to reach p=quarantine (suspicious emails go to spam) and then p=reject (unauthorized emails get blocked entirely). The pct= tag lets you apply each step to a sample of your mail first and ramp it to 100 as the reports stay clean. This takes confidence, which comes from properly mapping your senders and fixing authentication issues first: the signal you are waiting for is not "all mail passes", since spoofed mail is supposed to fail, but "every source that authenticates at all is aligned with our domain".
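Sender mapping and the enforcement decision both come out of the same data, so here is one added example (written for this page, not Red Sift's or Patronum's code) that parses an RFC 7489 aggregate report, buckets each source as aligned, authenticated-but-unaligned, or unauthenticated, and then says whether the domain is ready to move its policy. The report XML is constructed inline using documentation IP ranges and made-up counts; the thresholds and wording of the recommendation are this example's own choices, not part of the standard.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 Appendix C layout. IPs are from
# documentation ranges and the counts are invented for this example.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>20260422-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>  <!-- the corporate mail platform: SPF and DKIM both pass and align -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- a marketing vendor: authenticates fine, but under its own domain -->
    <row><source_ip>198.51.100.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>vendor.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- nothing passes: spoofing, or a sender nobody ever set up -->
    <row><source_ip>203.0.113.7</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>  <!-- a forwarder: SPF breaks in transit, the DKIM signature survives -->
    <row><source_ip>198.51.100.9</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def auth_results(record):
    return record.findall("auth_results/dkim") + record.findall("auth_results/spf")


def classify(record):
    """Bucket one <record> by what the receiver concluded about it."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned"            # DMARC pass: authenticated AND aligned with header From
    if any(r.findtext("result") == "pass" for r in auth_results(record)):
        return "unaligned"          # authenticated, but for a domain other than header From
    return "unauthenticated"        # nothing passed at all


def summarize(xml_text):
    """Per-source volume in each bucket, plus the domains each source authenticated as."""
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"count": 0, "aligned": 0, "unaligned": 0,
                                   "unauthenticated": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        entry = sources[rec.findtext("row/source_ip")]
        n = int(rec.findtext("row/count"))
        entry["count"] += n
        entry[classify(rec)] += n
        for r in auth_results(rec):
            if r.findtext("result") == "pass":
                entry["auth_domains"].add(r.findtext("domain"))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": dict(sources)}


NEXT_STEP = {"none": "quarantine", "quarantine": "reject"}


def recommend(summary):
    """Enforcement readiness rule used by this example: no authenticated-but-unaligned mail."""
    unaligned = {ip: s for ip, s in summary["sources"].items() if s["unaligned"]}
    if unaligned:
        who = "; ".join(f"{ip} authenticates as {', '.join(sorted(s['auth_domains']))}"
                        for ip, s in unaligned.items())
        return f"stay at p={summary['policy']}: fix alignment first ({who})"
    if summary["policy"] == "reject":
        return "already at p=reject; keep monitoring"
    return f"move from p={summary['policy']} to p={NEXT_STEP[summary['policy']]}"


if __name__ == "__main__":
    report = summarize(SAMPLE_RUA)
    for ip, s in report["sources"].items():
        print(ip, s["count"], "aligned" if s["aligned"] else "", "unaligned" if s["unaligned"] else "")
    print(recommend(report))
```

The 500 unauthenticated messages from 203.0.113.7 are not a reason to hold back; they are the traffic p=reject exists to stop. The 40 messages from the vendor are the real blocker, and the fix is on the vendor side (a custom DKIM selector or return-path under example.com), after which the same script flips to recommending p=quarantine. Real deployments receive many such reports per day, usually gzipped, so this parser would sit behind a mailbox poller; Red Sift's product does that aggregation for you.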

The bit people forget is maintenance. Email authentication isn't "set and forget". New services get added, DNS records change, third-party configurations drift. Organizations that treat this as a living part of their security posture, rather than a one-time compliance checkbox, are the ones that stay protected.

Why working with a DMARC provider makes sense

You can technically do all of this yourself. The protocols are open standards. The records live in DNS. The reports are XML files you can parse. Through Patronum, our customers have already gained stronger visibility into the operational side of their Workspace, so the instinct to handle the authentication side in-house is understandable.

But the reality remains that most organizations lack the internal expertise or bandwidth to manage DMARC effectively across a complex email ecosystem. That's not a criticism. It's a recognition that parsing XML aggregate reports, troubleshooting SPF alignment across 40 third-party senders, and safely escalating policy levels without breaking legitimate email delivery is genuinely hard.

A dedicated DMARC provider takes that complexity off your plate. The right partner will give you clear visibility into your email authentication posture, automate the discovery and classification of your senders, and guide you through policy escalation at a pace that doesn't disrupt your business. They'll also monitor for emerging threats like subdomain takeovers and dangling DNS records that attackers exploit to bypass DMARC entirely. Those matter because DMARC only authenticates the From: domain: an attacker who gains control of DNS for a forgotten subdomain (through a dangling NS delegation, say) can publish their own SPF and DKIM records there and send mail that passes DMARC for that subdomain. Check your sp= tag and inventory your subdomains, not just the apex.

The key thing to look for: a provider that gets you to enforcement, not one that's happy to leave you at p=none collecting reports forever. The point of DMARC is to block unauthorized use of your domain. If your provider isn't actively moving you toward that outcome, they're not doing the job.

Start with what you've got

Email authentication doesn't require a budget approval or a board-level conversation to begin. It starts with a simple question: is my domain protected?

If you don't know the answer, find out. Red Sift Investigate is a free tool that performs a dynamic, real-time analysis of your DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS configuration. Send a test email and you'll have a clear picture of your domain's email security health in under a minute. No sign-up required.

The protocols are free. The tools to check your domain are free. The only cost is the cost of not doing it.

See where your domain stands today.

Check your domain with Red Sift Investigate

Take total control of your Workspace governance

Securing your domain with DMARC is the first step in protecting your brand's reputation, but true security doesn't stop at the gateway. While Red Sift ensures that your email identity is bulletproof, Patronum provides the operational layer required to maintain a truly secure and compliant Google Workspace environment.

From automated onboarding and offboarding to advanced file-sharing governance and email signature consistency, Patronum closes the gaps that attackers exploit once they are inside your ecosystem.

Check out Patronum to see how it can further help your Google Workspace security, reduce your attack surface, and keep your organization ahead of the evolving threat landscape.

For existing Patronum customers, we're ready to help you extend your security visibility to email authentication and maintain full compliance and control. Speak to our team today to see how Red Sift and Patronum are ready to help you.
