Date of analysis: 01/05/2025

Nigeria DMARC & MTA-STS Adoption Report 2025

Like many parts of the world, Nigeria faces a significant and growing challenge from cybercrime. African organizations face an average of 3,286 cyberattacks per week. This is about 73% higher than the global average. In fact, eight African countries, including Nigeria, rank among the top 20 regions that are most at risk for cyber threats.

This report will examine the cybersecurity landscape in Nigeria. The main objective will be to analyze the adoption levels of email authentication protocols like DMARC, SPF, MTA-STS, and DNSSEC. It will also offer suggestions on how to improve the cybersecurity landscape in the country, starting with strengthening organizational email communications and domain names.

Download PDF Book a Demo

Assessing the Threat Landscape

PowerDMARC’s Nigeria DMARC and MTA-STS Adoption Report 2025 will cover the following main questions:

  • What is Nigeria’s success rate in implementing SPF and DMARC?

  • What are the MTA-STS adoption levels in Nigeria? 

  • Are some Nigerian industries or sectors more susceptible to cyber threats than others?

  • What are the most common mistakes organizations in Nigeria are making concerning email authentication?

  • What steps should Nigerian domain owners take to bridge the gaps in domain security?

Sectors Analyzed 

Total domains analyzed: 340

  • Healthcare

  • Media

  • Government

  • Telecommunication

  • Transport

  • Miscellaneous – Businesses 

What Do the Numbers Say?

Nigeria SPF Adoption Analysis

Nigeria DMARC Adoption Analysis

Nigeria MTA-STS Adoption Analysis

Nigeria DNSSEC Adoption Analysis

Key Findings

  • 70.3% of Nigerian domains have correct SPF records.
  • Only 14.2% of domains have implemented a DMARC “Reject” policy. 
  • 54.1% of domains have no DMARC record at all.
  • No Nigerian domains have implemented MTA-STS.
  • Only 8.2% of Nigerian domains have DNSSEC enabled.

Sector-wise Analysis of Domains in Nigeria

Healthcare

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 70.2% of domains have implemented SPF records correctly.
  • 56.0% of domains do not have a DMARC record. 
  • 0% MTA-STS adoption observed in this sector.
  • 95.2% of domains have DNSSEC disabled.

Media

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 52.6% of domains have a correct SPF record.
  • 63.3% of domains have no DMARC record
  • 0% MTA-STS adoption observed in this sector.
  • 97.4% of domains have DNSSEC disabled.

Government

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 86.3% of domains correctly implement SPF records.
  • 62.7% of government domains do not have a DMARC record. 
  • MTA-STS adoption is nonexistent.
  • DNSSEC adoption is very low (only 7.8% of domains have it enabled).

Telecommunication

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 77.1% of domains have correctly implemented SPF records.
  • 48.6% of telecommunications domains do not have a DMARC record. 
  • 0% MTA-STS adoption observed in this sector.
  • 94.3% of domains in this sector have DNSSEC disabled.

Transport

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 73.3% of domains have correct SPF records.
  • 60% of transport sector domains do not have a DMARC record. 
  • MTA-STS adoption is nonexistent.
  • 96.7% of domains in this sector have DNSSEC disabled.

Miscellaneous – Businesses 

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 72.0% of domains have correctly implemented SPF records.
  • 40.0% of miscellaneous business domains do not have a DMARC record. 20% use a “None” policy (monitoring only).
  • 0% MTA-STS Adoption observed in this sector.
  • 92% of domains in the Business sector have DNSSEC disabled.

Banking

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • 72.4% of banking domains have correctly implemented SPF records. 
  • 6.9% of banking domains do not have a DMARC record. 
  • 17.2% use a DMARC “None” policy (monitoring only).
  • MTA-STS adoption is nonexistent.
  • DNSSEC adoption is 27.6%.

Education

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF adoption is moderate; 58.3% of domains have a correct SPF record.
    70.7% of education sector domains do not have a DMARC record. 
  • 16.7% use a DMARC “None” policy.
  • MTA-STS adoption is nonexistent.
  • Only 12.5% of domains have DNSSEC enabled.

Comparative Analysis Among Different Sectors

Comparative Analysis of SPF Adoption among Different Sectors in Nigeria

BIMI Logo

Key Findings

The Nigerian Media sector has the lowest rate of correct SPF implementation at 52.60%. The Government sector leads with the highest SPF adoption at 86.30%, followed by the Telecommunications sector at 77.10% and the Banking sector at 72.40%.

Comparative Analysis of DMARC Adoption among Different Sectors in Nigeria

BIMI Logo

Key Findings

The Banking sector shows the highest DMARC adoption; only 6.90% of domains don’t have a DMARC record. In contrast, the Education sector has the lowest DMARC adoption; 70.70% of domains do not implement DMARC. 

The Banking sector leads in implementing the strictest DMARC “Reject” policy at 41.40%, followed by the Miscellaneous Business sector at 36%. The Healthcare and Media sectors have the lowest rates of “Reject” policy adoption, at 4.80% and 2.60% respectively.

Comparative Analysis of MTA-STS Adoption among Different Sectors in Nigeria

BIMI Logo

Key Findings

MTA-STS adoption is nonexistent across all sectors in Nigeria. Every sector (including Healthcare, Media, Government, Telecommunications, Transport, Miscellaneous Businesses, Banking, and Education) reports 0% adoption of MTA-STS.

Comparative Analysis of DNSSEC Adoption among Different Sectors in Nigeria

Key Findings

DNSSEC adoption is extremely limited in Nigeria. The Media sector has the lowest DNSSEC adoption rate at 2.63%, while the Banking sector has the highest at 27.59%. 

DMARC & MTA-STS Adoption Rates: Key Statistics for Nigeria 

  • 70.3% of Nigerian domains have correct SPF records.

  • 54.1% of Nigerian domains lack DMARC implementation. Only 14.2% use a “reject” policy that offers protection against email- based cyber attacks. 

  • None of the analyzed Nigerian domains have MTA-STS implemented.

  • Only 8.2% of Nigerian domains have DNSSEC enabled.

Critical Errors Organizations in Nigeria Are Making

  • Absence of DMARC Records

    Examples: “A DMARC record does not exist for this domain or its base domain.”

    Most domains across all sectors do not have a DMARC record. This makes it quite easy for hackers to exploit them. It increases the likelihood of successful spoofing and phishing. Organizations should implement a DMARC record at _dmarc.yourdomain.com with a “p=quarantine” or “p=reject” policy. They can start with a “p=none” and then gradually move to the stricter policies.

    This can also help enhance compliance, since more and more global mailbox providers and other institutions now require proper DMARC implementation (e.g., Google, Yahoo, Microsoft).

  • Missing or Invalid SPF Records

    Examples:

    • “does not have a SPF TXT record”
    • “ip4: ~all is not a valid ipv4 value”
    • “ip-1 is not a valid ipv4 value”

    Many domains have no SPF record or contain syntax errors. Organizations should publish a valid SPF record that covers all legitimate sending sources. They should also ensure the syntax is correct. Only valid IP addresses and mechanisms should be used.

  • Multiple or Misconfigured SPF Records

    Examples:

    • “has multiple SPF TXT records”
    • “Parsing the SPF record requires 11/10 maximum DNS lookups.”
    • “Parsing the SPF record requires 12/10 maximum DNS lookups.”

    Some domains have multiple SPF records or exceed the 10 DNS lookup limit. Organizations should ensure only one SPF record per domain as per RFC specifications. Mail servers may reject or ignore all SPF records if more than one is found, causing potential email deliverability issues.

    The record should comply with the 10 DNS lookup limit (RFC 7208). For this, organizations should remove unnecessary includes and optimize SPF wherever they can.

  • Weak, Incorrect, or Multiple DMARC Policy Records

    Examples:

    • “v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;…”
    • “Multiple DMARC policy records are not permitted.”

    When DMARC exists, many use “p=none” (monitor-only, no protection). Using the “none” policy for long periods of time without enforcement leaves domains open and vulnerable to impersonation.  

    Multiple DMARC records are not recommended. If multiple records exist, mail servers may ignore them or treat them as invalid, leading to DMARC failures and potentially reduced email deliverability.

  • Unrelated or Extraneous TXT Records

    Examples: “Unrelated TXT records were discovered. These should be removed, as some receivers may not expect to find unrelated TXT records at …”

    Some domains have unrelated TXT records at key subdomains. Unrelated TXT records at critical subdomains can harm email authentication. Therefore, organizations should move unrelated TXT records from _dmarc and _mta-sts subdomains. They should only publish the required and relevant protocol.

  • No MTA-STS Implementation

    Example: “An MTA-STS DNS record does not exist for this domain.”

    Nearly all domains lack MTA-STS. Entities in all domains should implement MTA-STS to enforce encrypted email delivery and prevent downgrade attacks.

  • DNSSEC Not Enabled

    Example: “A DNSSEC DNS record does not exist for this domain.”

    DNSSEC is mostly disabled for almost all Nigerian domains, which increases the chances of DNS spoofing. Organizations should enable DNSSEC on their domain to protect against DNS tampering.

How PowerDMARC Helps You Stay Secure and Error-Free

PowerDMARC is a leading full-stack email authentication SaaS platform trusted by global MSPs, MSSPs, enterprises, and governments to protect domains from spoofing, phishing, and impersonation attacks.

Here’s how we help you get it right the first time:

  • DMARC Made Simple:

    Quickly generate and deploy DMARC records with our free DMARC Generator. Use our DMARC Analyzer for step-by-step implementation and real-time policy monitoring.

  • Visualize Your Reports:

    No more digging through XML! We turn raw DMARC data into human-readable dashboards so you can easily track email authentication and safely move from “none” to “quarantine” or “reject”.

  • SPF Without Headaches:

    Create error-free SPF records with our free SPF Generator and validate them using our SPF Checker. Avoid SPF PermErrors with Hosted SPF, our automatic SPF optimization tool with Macros.

  • Fix Hidden Issues with Domain Health Analyzer:

    Scan your DNS for misconfigurations and get clear, actionable fixes in seconds.

  • Hosted MTA-STS & TLS-RPT:

    Deploy and manage MTA-STS and TLS-RPT effortlessly with our hosted services—no complex setups needed.

  • Check DNSSEC in One Click:

    Use our DNSSEC Checker to confirm your domain is fully protected at the DNS level.

Need Help or a Quick Demo?

Email us at [email protected] to book a 1:1 session with our experts today!

secure email powerdmarcReady to prevent brand abuse, scams and gain full insight on your email channel?

Start 15-day trial Book a demo