High-traffic email domains remain inadequately protected

If you’re running a high-visibility business, your email system is likely under constant pressure. The uncomfortable truth is this: 92% of the world’s top 1.8 million email domains aren’t using the most effective protection against phishing, DMARC set to “reject.” That’s the setting that actively blocks fake, malicious emails.

Most organizations still use “p=none.” That setting doesn’t block attacks, it just observes them. Others haven’t implemented DMARC at all, and that’s a problem. These domains are exposed, and attackers know it. They don’t need advanced tactics, they’re exploiting the lack of basic defenses to impersonate trusted brands and partners.

If you lead an enterprise or a fast-scaling digital company, this isn’t an IT operations issue, it’s a customer trust and revenue protection issue. Every time a phishing email gets through under your name, your credibility takes a hit. What’s worse, attackers don’t just target your customers. They go after your vendors. Your employees. It’s lateral damage, in every direction.

This issue needs executive attention, not just infosec buy-in. Updating your DMARC policy isn’t complex. It’s a strategic decision with downstream benefits in brand protection, data security, and long-term trust.

Incomplete DMARC configurations hamper threat visibility

Having a DMARC policy and not enabling reporting is like having office security cameras that aren’t recording. You might feel safer, but you’re not.

Here’s what the data shows: over 40% of domains that implemented DMARC didn’t include any reporting tags. These tags are essential: they direct authentication reports to you, telling you when someone sends email on your company’s behalf, whether approved or not. Without these insights, you can’t tackle the problem at scale. You’re running blind, and phishing threats aren’t standing still.

This is a visibility failure and in today’s landscape, visibility is leverage. You want to know when authentication fails. You want to know who’s sending mail that claims to be you. If you’re not getting those reports, you’re not learning, adapting, or defending.

From a C-suite perspective, this is a systems issue that affects compliance, security posture, and incident response time. Real threat mitigation capability starts with knowing what’s happening at the perimeter. DMARC reporting gives you that view.

If your organization is serious about stopping email-based intrusions, and it should be, then partial implementation doesn’t cut it. This isn’t about optics or audits. This is operational infrastructure for digital trust.

Misconceptions about DMARC equate to a false sense of security

Publishing a DMARC record on its own won’t stop attacks. The security benefit comes from enforcement, specifically setting your policy to “quarantine” or “reject.” That’s where most organizations are getting it wrong. A passive setting like “p=none” gives no real protection. It logs activity, sure, but it doesn’t block threats.

There’s a belief in some executive teams that having any policy in place is enough to tick the box. It’s not. Without enforcement, phishing emails continue to reach inboxes. Employees, customers, partners, all exposed. When this false sense of security takes hold, it’s dangerous. Teams stop asking the right questions, and attackers gain the advantage.

Leadership needs to understand that publishing a weak policy is the equivalent of announcing to threat actors that monitoring is happening, but nothing will be done in response. That sends the wrong message.

This isn’t about perfection, it’s about progress. It’s easy to move from “none” to “quarantine” and then “reject” as you gain visibility. More importantly, it’s a decision that has to come from the top so that technical and leadership teams are aligned on prioritizing real defense.

Regulatory mandates drive significant improvements in email security

Regulatory pressure works. When mandates are enforced, adoption improves, and results follow. This pattern is visible in the U.S., the U.K., and the Czech Republic, regions where government and major tech providers require the use of DMARC with enforcement settings. These aren’t just policy upgrades. They’re measurable steps forward in phishing resilience.

In the United States, the impact is dramatic. Phishing email acceptance rates dropped from 68.8% in 2023 to just 14.2% by 2025. That reduction isn’t theoretical, it reflects real-world blocking of malicious messages targeting people and businesses. It makes the case that security compliance, when executed at scale, drives protection across the ecosystem.

Compare that to countries without requirements like the Netherlands or Qatar, where phishing acceptance rates have barely changed. The contrast is sharp. It tells us that voluntary adoption isn’t enough. Policy without accountability leads to stagnation. Enforcement leads to progress.

C-level leaders working in or across regulated markets should treat mandates as strategic advantages, not hurdles. They provide both urgency and direction. If regulators haven’t acted yet in your region, don’t wait. Move before the pressure arrives. Your organization will be ahead of risk, not just reacting to it.

Growing sophistication of phishing attacks amplifies cybersecurity risks

Phishing hasn’t declined. It’s evolving. Attackers are using smarter tactics, enhanced by AI, to bypass filters and deceive even well-trained users. These aren’t generic phishing attempts, they’re increasingly tailored, leveraging publicly available data, internal language styles, and compromised vendor channels.

Recent attacks targeting large retailers such as M&S and Co-op show the direct financial impact. These weren’t breaches of software or infrastructure. They were exploitations of weak email authentication systems, specifically, domains without enforced DMARC settings. The result? Significant financial loss. For enterprises operating at scale, that translates to hundreds of thousands of dollars lost per incident, if not more.

Phishing today is strategic. Attackers target more than customers, they work through suppliers, vendors, and internal stakeholders. Left unchecked, it disrupts operations, trust, and business continuity. This risk is compounded when domains are not properly protected or visible within the organization’s broader security posture.

At an executive level, it’s critical to understand that email-based threats are operational threats. They impact brand reputation, customer loyalty, and even contractual relationships. As phishing tactics evolve, response strategies must evolve faster. That starts with robust control over who can send on your behalf, and full visibility into how your domain is being used.

While DMARC adoption is increasing, meaningful enforcement and reporting are lacking

Adoption statistics can look encouraging at first glance. Regulatory initiatives and mandates from companies like Google, Yahoo, and Microsoft have caused a measurable uptick in organizations publishing DMARC records. But the reality underneath the data is more complex. Adoption is not the same as implementation. Most organizations are stopping short of full enforcement, and many still skip reporting altogether.

This is where leadership needs to dig deeper. Publishing a DMARC record without enforcing it or analyzing its reports won’t protect your business. It may check a compliance box, but it won’t stop forged emails. And without reporting tags, your team will have no clarity on who is abusing your domain, what’s getting through, or what to fix next.

True protection requires a combination of enforcement (“p=quarantine” or “p=reject”) and visibility (enabled reporting). These aren’t optional settings, they are the foundation of modern email security. When absent, your organization is still vulnerable to impersonation, internal fraud, and threat propagation through trusted channels.
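As an added example (not code from the article or from any DMARC vendor), the check below scores a published DMARC TXT record on the two axes stressed in the reporting and enforcement sections above: enforcement (the p=, sp= and pct= tags) and visibility (the rua=/ruf= reporting tags). The tag names are standard DMARC tags; the sample record, the strength ranking and the finding text are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Tag names (v, p, sp, pct, rua, ruf) are the standard DMARC tags; the ranking is this example's.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample record, in the shape the article describes: published, but monitor-only.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

@dataclass
class DmarcPosture:
    policy: str            # p= value, or "missing" when no usable record exists
    subdomain_policy: str  # sp= value (defaults to p=)
    pct: int               # share of failing mail the policy is applied to
    has_reporting: bool    # any rua= or ruf= destination present
    findings: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> DmarcPosture:
    """Rate a record on the two axes the article stresses: enforcement and visibility."""
    tags = parse_dmarc(record) if record else {}
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in STRENGTH:
        return DmarcPosture("missing", "missing", 0, False,
                            ["no valid DMARC record: forged mail is neither blocked nor observed"])
    sp = tags.get("sp", policy).lower()
    if sp not in STRENGTH:
        sp = policy
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    has_reporting = bool(tags.get("rua") or tags.get("ruf"))
    findings = []
    if policy == "none":
        findings.append("p=none is monitor-only: forged mail is observed, not blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine diverts forged mail to spam; p=reject blocks it outright")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if STRENGTH[sp] < STRENGTH[policy]:
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain")
    if not has_reporting:
        findings.append("no rua/ruf tags: no reports on who is sending as this domain")
    return DmarcPosture(policy, sp, pct, has_reporting, findings)
```

Running `assess_dmarc` over the TXT record of each business-critical domain gives the kind of measurable posture inventory the next paragraph asks leaders to demand, rather than a yes/no "record published" metric.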

From the C-suite perspective, this is not a purely technical matter. It directly connects to cost control, regulatory risk, customer retention, and brand integrity. Leaders should push beyond surface-level adoption metrics and demand measurable outcomes: blocked threats, actionable reports, and full deployment across business-critical domains.

Key takeaways for leaders

  • Most domains lack real phishing protection: 92% of top global email domains don’t use strict DMARC enforcement, leaving them vulnerable. Leaders should prioritize full implementation of “p=reject” policies to actively block threats.
  • Visibility gaps weaken response efforts: Over 40% of domains with DMARC lack reporting, meaning organizations can’t see or respond to misuse. Decision-makers must require reporting configurations to gain visibility and drive tighter control.
  • Surface-level adoption creates false security: Publishing a DMARC record without enforcement gives a false sense of protection. Executives should ensure teams move beyond passive settings to real enforcement for meaningful security improvement.
  • Regulatory pressure accelerates results: Regions with mandates, like the U.S., U.K., and Czech Republic, have seen phishing email acceptance plummet. If operating in unregulated markets, leaders should act ahead of policy to strengthen posture.
  • Phishing tactics are evolving fast: AI-driven phishing campaigns are targeting vendors, partners, and employees using more personalized methods. C-suites must treat email security as a threat to operations and financial resilience, not just IT.
  • Adoption without enforcement isn’t enough: While DMARC usage is rising, most implementations stop short of actual protection. Leaders should track and enforce complete DMARC deployment, including active policies and reporting, to close security gaps.

Alexander Procter

June 24, 2025