Email Security Crisis: Most Domains Still Not Blocking Spoofed Emails
Despite years of rising cyber threats and clear technical standards, the vast majority of email domains globally are still failing to block spoofed messages, according to new data from EasyDMARC. This exposes users and organizations to increasingly convincing phishing attacks, many of which can lead to severe financial and reputational damage.
Global Email Security Still Lacking
EasyDMARC’s 2025 DMARC Adoption Report revealed that only 7.7% of the world’s top 1.8 million email domains have enforced the strictest DMARC policy, ‘p=reject’, which actively prevents malicious emails from being delivered. This low adoption rate leaves more than 90% of high-traffic email domains open to impersonation and fraud.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard that builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Its purpose is to verify that the sender’s domain has not been spoofed. While adoption of DMARC has increased since 2023, much of it stops at ‘p=none’, a passive setting that only monitors suspicious emails without taking action against them.
The report showed a strong correlation between strict DMARC enforcement and a decrease in phishing email success rates. In countries like the US, UK, and Czech Republic, where DMARC policies are mandatory, phishing success dropped significantly. The US saw phishing emails drop from 68.8% in 2023 to just 14.2% in 2025. Conversely, countries with no mandatory policy, such as Qatar and the Netherlands, saw little to no progress.
Despite rising adoption, significant gaps remain. More than half of domains analyzed (52.2%) had no DMARC record at all. And of those that did, over 40% lacked the reporting mechanisms (the ‘rua’ tag, which tells receiving mail servers where to send aggregate reports) that allow organizations to monitor authentication failures and investigate malicious use of their domains.
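The two gaps the report counts, passive ‘p=none’ policies and records without a ‘rua’ reporting address, can both be read straight off a domain’s DMARC TXT record. The following Python checker is an added example, not code from EasyDMARC or from the report: it parses the tag=value format that DMARC records use, classifies each record by enforcement level and reporting coverage, and tallies the same buckets the report describes. The domain names and records in `SAMPLE_RECORDS` are constructed for illustration; a real deployment would feed it the TXT record fetched from `_dmarc.<domain>`.

```python
"""Classify DMARC TXT records by enforcement level and reporting coverage.

Added example (not from the EasyDMARC report or the article). The sample
records below are constructed; in practice the record is the TXT value
published at _dmarc.<domain>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records keyed by placeholder domain names.
SAMPLE_RECORDS = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; pct=50",
    "example-reject.test": ("v=DMARC1; p=reject; rua=mailto:agg@example-reject.test; "
                            "ruf=mailto:forensic@example-reject.test; adkim=s; aspf=s"),
    "example-noreport.test": "v=DMARC1; p=reject",
    # An SPF record where a DMARC record was expected: no DMARC policy at all.
    "example-broken.test": "v=spf1 include:_spf.example.test -all",
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into a lowercase tag -> value map.

    Returns None when the record does not begin with v=DMARC1, which is
    how a receiving server treats it: no DMARC policy published.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


@dataclass
class DmarcAssessment:
    domain: str
    published: bool                 # a v=DMARC1 record exists
    policy: Optional[str]           # value of the p= tag, if any
    enforcing: bool                 # True only for p=quarantine or p=reject
    has_aggregate_reporting: bool   # rua= tag present
    findings: List[str] = field(default_factory=list)


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Evaluate one domain's record and list the gaps a defender should close."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return DmarcAssessment(domain, False, None, False, False,
                               ["no DMARC record published: the domain can be spoofed freely"])
    policy = tags.get("p", "").lower()
    findings: List[str] = []
    enforcing = policy in ("quarantine", "reject")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}); receivers treat it as p=none at best")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if enforcing and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: only that share of failing mail gets the policy applied")
    has_rua = "rua" in tags
    if not has_rua:
        findings.append("no rua= tag: no aggregate reports, so spoofing attempts stay invisible")
    return DmarcAssessment(domain, True, policy or None, enforcing, has_rua, findings)


def summarize(records: Dict[str, str]) -> Dict[str, int]:
    """Count the buckets the report describes across a set of domains."""
    results = [assess(d, r) for d, r in records.items()]
    return {
        "total": len(results),
        "no_record": sum(1 for r in results if not r.published),
        "reject": sum(1 for r in results if r.policy == "reject"),
        "enforcing": sum(1 for r in results if r.enforcing),
        "published_without_rua": sum(1 for r in results
                                     if r.published and not r.has_aggregate_reporting),
    }


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        a = assess(name, rec)
        print(f"{name}: policy={a.policy} enforcing={a.enforcing} rua={a.has_aggregate_reporting}")
        for finding in a.findings:
            print("   -", finding)
    print(summarize(SAMPLE_RECORDS))
```

Running it on the constructed set reports one domain with no record, two at ‘p=reject’, three enforcing at all, and two published records with no ‘rua’ address, which is exactly the distinction the report draws between a domain that merely has DMARC and one that is both enforcing and able to see who is abusing its name.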
Recent real-world attacks show the consequences of these lapses. North Korea-linked hackers exploited weak DMARC settings in 2024 to impersonate experts and journalists in phishing campaigns. In another case, researchers at Guardio Labs uncovered spoofed emails appearing to come from brands like Disney, Nike, and Coca-Cola, enabled by a flaw in Proofpoint’s system.
EasyDMARC CEO Gerasim Hovhannisyan likened current DMARC misconfigurations to installing a security system but never turning it on. “Phishing remains one of the oldest and most effective cyber-attacks. Without full DMARC enforcement, you’re leaving the door wide open,” he warned.
The findings were unveiled as EasyDMARC prepares to showcase at the Infosecurity Europe 2025 conference, which celebrates its 30th anniversary at ExCel London from June 3–5.
What Undercode Says:
The EasyDMARC report shines a spotlight on one of cybersecurity’s most persistent failures: email authentication. DMARC has been around for years, yet implementation remains dangerously incomplete. The root problem isn’t just technical complexity. It’s a mix of apathy, lack of awareness, and poor regulatory enforcement.
The fact that only 7.7% of top domains use the ‘p=reject’ policy is startling. This isn’t a minor oversight. It’s widespread security negligence that allows cybercriminals to pose as trusted institutions with ease. When a spoofed email appears to come from a bank, government agency, or major brand, users are far more likely to engage, increasing the odds of successful phishing.
Adopting DMARC with a passive policy like ‘p=none’ creates a false sense of security. It collects data but offers no real protection. That’s why the security impact in countries with mandates like the US is so dramatic: moving from passive to active enforcement makes the difference between warning signs and real barriers.
The lack of reporting tags in over 40% of DMARC-enabled domains further limits visibility. Without knowing who’s trying to spoof your domain, there’s no accountability or follow-up. DMARC reporting is just as critical as enforcement; it’s the eyes and ears of your email security.
The cited attacks show just how bad it can get. North Korea’s Kimsuky group didn’t invent a new malware strain. They just used basic spoofing tactics made possible by weak DMARC policies. Likewise, the spoofing of major brands through Proofpoint flaws underlines how even advanced protection tools can be bypassed when email policies aren’t airtight.
It’s no longer acceptable for organizations to stop at “monitoring” when it comes to phishing prevention. With data breaches costing millions and reputational damage taking years to recover from, businesses must see full DMARC enforcement as a non-negotiable baseline, not a future goal.
With regulatory bodies tightening standards (like PCI DSS 4.0.1) and email giants like Google and Microsoft mandating stricter policies, the pressure to act is mounting. Still, pressure must turn into priority. Until then, spoofed emails will continue slipping through the cracks, and users will keep paying the price.
Fact Checker Results
DMARC ‘p=reject’ is confirmed as the only policy that fully blocks spoofed emails
Countries with mandatory DMARC enforcement do see dramatic drops in phishing email delivery
Over 50% of analyzed domains still don’t have any DMARC policy set at all
Prediction
As compliance pressures increase and phishing attacks grow more damaging, global adoption of strict DMARC policies will accelerate in the next 12 to 18 months. Expect governments and regulators to make DMARC enforcement mandatory, especially for critical sectors like finance, healthcare, and public services. Organizations that fail to comply will face not only cyber risks but also legal and financial penalties.
References:
Reported By: www.infosecurity-magazine.com