Belgium DMARC & MTA-STS Adoption Report 2025

Brussels is the hub of EU institutions, global headquarters, and Belgium’s principal cyber-talent pool. This has turned Brussels, and the country as a whole, into a cluster of solution integrators, incident-response firms, and research laboratories. 

Belgium began enforcing the NIS2 directive in October 2024, which made it mandatory for 2,410 entities to implement structured risk-management controls and report incidents within 24 hours. Penalties of up to EUR 10 million have shifted cyber risk to board agendas. Hospitals such as UZA Antwerp now run centralised security operation centers and have reduced phishing email click-rates from 30% to 8% after mandatory staff awareness campaigns. 

Despite these improvements and strong SPF implementation, major gaps in DMARC enforcement, very low MTA-STS uptake, and insufficient DNSSEC deployment create a permissive environment for phishing, domain spoofing, and email interception.

  • This comprehensive PowerDMARC report analyzes 729 domains across nine Belgian sectors to provide a definitive snapshot of the nation’s email security posture.


Belgium’s Email Security Posture: 2025 Metrics

An overview of the Belgian digital landscape reveals a tale of two realities. While basic email authentication is well-established, the enforcement and encryption layers required to truly secure email are dangerously underdeveloped.


SPF:
Correctly implemented on 90.1% of domains. A good foundation, but this means nearly 1 in 10 domains are still misconfigured, which may cause deliverability issues.

DMARC:
A DMARC record is present on 79.1% of domains, so there is high awareness about the importance of DMARC.

DMARC Enforcement:
Only 24.7% of domains enforce a p=reject policy. This is the most important metric and indicates that three-quarters of organizations that have a DMARC record are still not actively blocking fraudulent emails.

No DMARC Record:
20.6% of domains have no DMARC record at all, which leaves them open to direct impersonation.

MTA-STS:
Adoption is extremely low at just 2.1%; the great majority of email traffic is exposed to potential interception and downgrade attacks.

 


DNSSEC:
Enabled on only 21.4% of domains. This shows a widespread vulnerability to DNS cache poisoning and redirection attacks.

The Bottom Line:

In Belgium, 1 in 5 organizations have no DMARC policy. This means there is nearly zero defense against brand impersonation. Furthermore, of those with a policy, ~75% are not using it to block fraud. This signals severe risks of financial loss, data breaches, and a fundamental erosion of public and customer trust.

Sector-by-Sector Analysis

Financial Sector: Leading the Charge but Gaps Remain

Belgium’s financial institutions are the clear frontrunners in email security adoption, yet vulnerabilities persist in a sector where trust is paramount.

Metric Adoption Rate
SPF Correctness 98.3%
DMARC Enforcement (p=reject) 50.0%
No DMARC Record 8.3%
MTA-STS Adoption 0%
DNSSEC Adoption 11.7%

Despite near-perfect SPF implementation and leading DMARC enforcement, the fact that 1 in 12 financial institutions lacks any DMARC record is a major concern. This creates a loophole for sophisticated phishing attacks that can impersonate trusted banks to steal credentials and defraud customers. The complete absence of MTA-STS is another glaring hole, which leaves sensitive financial communications potentially unencrypted during transit.

Threat Scenario:

An attacker spoofs a major bank’s domain to send highly convincing emails about a new investment opportunity. Without a p=reject policy, these fraudulent emails land in customer inboxes, potentially leading to millions in lost funds and severe reputational damage.

The PowerDMARC Solution:

Our platform enables the remaining financial institutions to safely progress to full DMARC enforcement without risking the rejection of legitimate transactional emails. We provide guided MTA-STS and DNSSEC deployment to harden their infrastructure against interception and DNS poisoning, ensuring compliance with evolving regulations like DORA (Digital Operational Resilience Act).

Healthcare Sector: Patient Trust and Privacy on a Precarious Edge

The healthcare sector’s email security posture is lagging, which creates unacceptable risks to patient data, safety, and confidentiality.

Metric Adoption Rate
SPF Correctness 88.8%
DMARC Enforcement (p=reject) 20.9%
No DMARC Record 14.9%
MTA-STS Adoption 3.0%
DNSSEC Adoption 25.4%

Nearly 15% of healthcare domains lack DMARC, and less than 21% enforce it, which means attackers can easily impersonate hospitals, clinics, and labs. This exposes patients to phishing campaigns that can steal sensitive health information, commit insurance fraud, or solicit fraudulent payments. The near-total absence of MTA-STS means that emails that contain patient data are often not encrypted in transit. This is a huge compliance risk under GDPR.

Threat Scenario:

A patient receives a spoofed email from their hospital’s domain asking them to “verify their details” and pay an outstanding bill on a fake portal. This could lead to a breach of protected health information (PHI) and significant financial loss. This can trigger severe GDPR penalties.

The PowerDMARC Solution:

We provide healthcare organizations with a streamlined path to full DMARC enforcement, ensuring that only authenticated emails reach patients. Our hosted MTA-STS and SPF solutions simplify the protection of email in transit, helping providers meet GDPR obligations and safeguard patient trust.

Media Sector: The Frontline Against Disinformation

Belgian media outlets are a primary target for impersonation, yet their defenses are not robust enough to combat the threat of disinformation and phishing.

Metric Adoption Rate
SPF Correctness 100%
DMARC Enforcement (p=reject) 47.9%
No DMARC Record 8.3%
MTA-STS Adoption 8.3%
DNSSEC Adoption 22.9%

While SPF is perfect, less than half of media organizations are actively blocking fraudulent emails with DMARC. This creates a fertile ground for bad actors to distribute fake news, conduct phishing campaigns against journalists, or defraud subscribers by spoofing a trusted media brand. While MTA-STS adoption is the highest of any sector, it is still dangerously low.

Threat Scenario:

A spoofed email from a major news outlet announcing a fake national crisis could cause public panic and undermine democratic processes. Protecting the brand’s email channel is extremely important for maintaining journalistic integrity.

The PowerDMARC Solution:

We empower media organizations to defend their brand integrity with rapid DMARC policy enforcement. Our integrated MTA-STS solution secures email transport, protecting journalists and their sources from interception and surveillance.

Government Sector: Strong Foundations, Critical Enforcement Gaps

Government domains show a commitment to basic authentication, but a severe lack of enforcement leaves citizens and public services vulnerable.

Metric Adoption Rate
SPF Correctness 87.4%
DMARC Enforcement (p=reject) 19.4%
No DMARC Record 26.2%
MTA-STS Adoption 1.0%
DNSSEC Adoption 27.6%

A staggering 26.2% of government domains have no DMARC record, the highest of any major sector. Combined with a low enforcement rate of 19.4%, this means that impersonating government agencies is alarmingly straightforward for attackers. This directly enables tax scams, social engineering campaigns targeting public servants, and the spread of official-looking misinformation.

Threat Scenario:

Fraudulent emails that impersonate a tax authority or a public health agency can defraud citizens of their savings and erode trust in government institutions at a time when digital communication is more important than ever.

The PowerDMARC Solution:

Our platform helps government agencies rapidly achieve DMARC enforcement in line with EU cybersecurity directives. We simplify the deployment of MTA-STS and DNSSEC, ensuring sensitive citizen communications are protected from sender to receiver.

Energy Sector: Critical Infrastructure at Risk

As the backbone of the national economy, the energy sector’s email vulnerabilities pose a direct threat to national security.

Metric Adoption Rate
SPF Correctness 100%
DMARC Enforcement (p=reject) 17.4%
No DMARC Record 17.4%
MTA-STS Adoption 0%
DNSSEC Adoption 13.0%

The perfect SPF record masks a grave danger: a DMARC enforcement rate of only 17.4%. This means over 80% of energy companies are not blocking unauthorized emails. In a sector managing critical infrastructure, a single successful spear-phishing attack could serve as the entry point for a catastrophic ransomware event or supply chain disruption. The extremely low DNSSEC adoption further exposes this sector to DNS hijacking.

Threat Scenario:

An attacker spoofs the email of a key supplier and sends a fraudulent invoice to an energy company’s accounts payable department. The invoice contains a link to malware that, once activated, launches a ransomware attack on the company’s operational technology (OT) network, disrupting power distribution.

The PowerDMARC Solution:

Robust, layered email security is non-negotiable for critical infrastructure. We provide a comprehensive suite that integrates DMARC enforcement, MTA-STS for secure transit, and simplified DNSSEC validation to secure the energy sector’s communications from end to end.

Transport Sector: Exposed to Fraud and Disruption

Transport and logistics organizations are highly susceptible to invoice fraud and customer scams due to glaring holes in their email security.

Metric Adoption Rate
SPF Correctness 90.9%
DMARC Enforcement (p=reject) 29.5%
No DMARC Record 36.4%
MTA-STS Adoption 0%
DNSSEC Adoption 9.1%

The transport sector has the highest percentage of domains with no DMARC record at 36.4%. This is a massive, unprotected attack surface. Combined with zero MTA-STS adoption, it creates a high-risk environment for fraud. Attackers can impersonate airlines, shipping companies, and public transport operators to issue fake tickets, send fraudulent invoices, and phish for customer financial data.

Threat Scenario:

After a widely publicized flight delay, an attacker spoofs an airline’s domain and sends out a mass email offering compensation. The link directs customers to a phishing site designed to harvest credit card details and personal information. This can cause widespread financial damage and a PR nightmare for the airline.

The PowerDMARC Solution:

Our platform delivers the real-time monitoring and rapid DMARC policy enforcement that transport firms need. By moving quickly to p=reject and implementing our hosted MTA-STS solution, they can build secure, trusted email channels and protect their customers and revenue from fraud.

Education Sector: A Prime Target for Credential Theft

Universities and educational institutions, with their open networks and valuable research data, are prime targets, yet their defenses are among the weakest.

Metric Adoption Rate
SPF Correctness 87.5%
DMARC Enforcement (p=reject) 6.3%
No DMARC Record 15.6%
MTA-STS Adoption 0%
DNSSEC Adoption 9.4%

The education sector has the lowest DMARC enforcement rate at a dismal 6.3%. This, coupled with zero MTA-STS adoption, makes them vulnerable to credential harvesting campaigns that target students, faculty, and researchers. A single compromised account can lead to extensive data breaches, identity theft, and the loss of valuable intellectual property.

Threat Scenario:

An attacker impersonates the university’s IT department and sends a convincing email warning students and staff that their accounts will be suspended unless they “re-verify” their credentials via a link. The phishing site obtains thousands of logins, which gives the attacker access to the university’s network, research data, and student records.

The PowerDMARC Solution:

Managing complex university email ecosystems is our specialty. PowerDMARC’s hosted DMARC and MTA-STS solutions streamline policy enforcement across countless departments and sending services, protecting students, staff, and valuable research data from cyber threats.

Telecommunications Sector: Protecting Customers and Core Services

As the gatekeepers of communication, telecom providers are a high-value target, but their email security posture has significant room for improvement.

Metric Adoption Rate
SPF Correctness 87.6%
DMARC Enforcement (p=reject) 24.7%
No DMARC Record 20.2%
MTA-STS Adoption 1.1%
DNSSEC Adoption 14.6%

With a DMARC enforcement rate of just under 25%, three-quarters of telecom providers are not actively blocking fraudulent emails sent on their behalf. This exposes millions of subscribers to sophisticated scams, including phishing for account credentials, fraudulent billing notices, and attempts to initiate illegal SIM swaps. This can lead to the takeover of a victim’s entire digital life.

Threat Scenario:

A customer receives a legitimate-looking email from their mobile provider that offers a special discount on a new phone. The email is a spoof, and the link leads to a site that captures their account login and password. The attacker then uses this information to perform a SIM swap, taking over the victim’s phone number to bypass two-factor authentication for their bank accounts.

The PowerDMARC Solution:

Our hosted DMARC and guided MTA-STS deployment secure the email infrastructure of telecom providers. By achieving p=reject, they can shut down impersonation attacks, protect their customers from fraud, and preserve the integrity of their brand.

Other Sectors: A Diverse and Vulnerable Landscape

This broad category, encompassing small-to-medium enterprises (SMEs), retail, and niche businesses, forms the backbone of the Belgian economy but is dangerously exposed.

Metric Adoption Rate
SPF Correctness 100%
DMARC Enforcement (p=reject) 20.0%
No DMARC Record 20.0%
MTA-STS Adoption 0%
DNSSEC Adoption 0%

While this segment shows perfect SPF adoption, it’s a misleading indicator of security. With 1 in 5 domains having no DMARC and virtually no enforcement or advanced protocols, these businesses are prime targets for cybercriminals. Attackers view SMEs as high-reward, low-resistance targets, ideal for Business Email Compromise (BEC) and invoice fraud schemes that can be financially devastating.

Threat Scenario:

A cybercriminal spoofs the email address of the managing director of a mid-sized manufacturing company. They send an urgent email to the finance clerk, instructing them to immediately pay an attached invoice for a new “overseas supplier.” Because the domain is not protected by DMARC enforcement, the fraudulent email bypasses spam filters. This leads to a significant, unrecoverable wire transfer.

The PowerDMARC Solution:

We enable SMEs and diverse businesses to achieve enterprise-grade email security without needing a dedicated IT security team. Our platform offers a fast-tracked, guided implementation of DMARC and MTA-STS, safeguarding operational continuity, protecting finances, and securing brand reputation.

As we analyzed Italy’s email security landscape, five clear trends emerged: patterns that highlight both progress and persistent gaps. Here’s what stood out:

The False Shield of Partial DMARC

Many Italian organizations proudly publish a DMARC record, but it’s often left at a weak “monitoring-only” (p=none) policy. This creates a false sense of security, while spoofed emails continue to slip through.
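The distinction between publishing a DMARC record and enforcing one can be checked mechanically. The following is an added example, not PowerDMARC's code or methodology: it classifies the TXT values found at _dmarc.<domain> into the categories used in this report. The domain names and records are constructed, and the "-partial" and "invalid" labels are assumptions of this sketch.

```python
from collections import Counter

# Constructed sample: domain -> TXT strings returned for _dmarc.<domain>.
SAMPLE = {
    "bank.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"],
    "news.example":   ["v=DMARC1; p=quarantine; pct=50"],
    "city.example":   [],
    "uni.example":    ["google-site-verification=abc123",
                       "v=DMARC1; p=reject; pct=20"],
    "grid.example":   ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";")]
    if parts[0].replace(" ", "") != "v=DMARC1":   # v must be the first tag
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT set at _dmarc.<domain> to a policy category."""
    records = [t for t in (parse_dmarc(r) for r in txt_records) if t]
    if len(records) != 1:
        # No DMARC record, or several: receivers discard an ambiguous set.
        return "no-record"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    # pct below 100 applies the policy to only a share of failing mail.
    partial = policy != "none" and pct.isdigit() and int(pct) < 100
    return policy + ("-partial" if partial else "")

def summarize(sample):
    """Count domains per category."""
    return Counter(classify(txts) for txts in sample.values())

def enforcement_rate(sample):
    """Share of all domains with a full p=reject policy."""
    return summarize(sample)["reject"] / len(sample)

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(f"{domain:16} {classify(txts)}")
    print(f"p=reject enforcement: {enforcement_rate(SAMPLE):.1%}")
```

Two of the six constructed domains publish p=reject, but only one counts as enforcing: the other limits the policy with pct=20.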

Expert insight:

“DMARC set at p=none is like having a seatbelt but never tightening it. We strongly advise progressing from p=none to stricter policies like p=quarantine or p=reject to keep the hackers’ hands away from your email communications.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

Expert insight:

“You can’t achieve a proper email authentication framework without a valid SPF record. Whether you use a free tool to generate and check your SPF record, or do so manually, the means don’t matter. All that matters is having an SPF record that’s free of errors and misconfigurations.”

Maitham Al Lawati, CEO, PowerDMARC

The Fragility of SPF

High SPF adoption masks an underlying complexity. SPF records are limited to 10 DNS lookups. As organizations adopt more third-party services (for marketing, HR, etc.), this limit is easily exceeded, which causes the SPF record to fail. This leads to legitimate emails being rejected and creates a strong case for automated management tools that can flatten SPF records.
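How third-party includes push a record past the 10-lookup limit is shown in the following added example, which is not code from this report: a static counter for the SPF terms that trigger DNS queries (RFC 7208, section 4.6.4). The zone contents and domain names are constructed, and the count is a worst case that assumes no earlier mechanism matches.

```python
LOOKUP_LIMIT = 10
# Terms that make the receiver issue a DNS query while evaluating SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (domain -> SPF TXT value); not real DNS data.
SAMPLE_ZONE = {
    "shop.example": "v=spf1 mx a include:_spf.mailer.example "
                    "include:_spf.crm.example include:_spf.hr.example "
                    "ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 include:_pool.crm.example "
                        "exists:%{i}.bl.crm.example ~all",
    "_pool.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.hr.example": "v=spf1 a:mail.hr.example mx:hr.example ~all",
    # Flattened record: the same senders listed as literal networks.
    "flat.shop.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                         "ip4:203.0.113.0/24 -all",
}

def _parse(term):
    """Split one SPF term into (name, argument), dropping the qualifier."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return "redirect", term[len("redirect="):]
    name, _, arg = term.partition(":")
    return name.split("/")[0].lower(), arg   # "a/24" -> "a"

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from a domain."""
    domain = domain.lower().rstrip(".")
    record = zone.get(domain, "")
    # Stop on include loops and on names without an SPF record.
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        name, arg = _parse(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                # Nested records count against the same budget.
                total += count_lookups(arg, zone, path + (domain,))
    return total

def check(domain, zone):
    """Return (lookup count, result): more than 10 means permerror."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")

if __name__ == "__main__":
    for d in ("shop.example", "flat.shop.example"):
        print(d, check(d, SAMPLE_ZONE))
```

The constructed record has only five lookup terms at the top level, yet its three includes bring the total to 13. The per-mechanism MX limit and the void-lookup limit are not modelled here.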

MTA-STS: The Unseen Shield

At just 2.1% adoption, MTA-STS is Belgium’s most significant blind spot. If SPF and DMARC are the passport check for an email, MTA-STS is the armored vehicle that protects it during transit. Without it, emails can be intercepted or subjected to “downgrade attacks,” where encryption is stripped away. This lets an attacker read them in plain text.

Expert insight:

“So many talk about SPF and DMARC but completely disregard MTA-STS. It’s essential to have this security standard in place to ensure the secure transmission of emails over an encrypted SMTP connection.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

Expert insight:

“We consistently see low DNSSEC adoption across different sectors in various countries and regions. This is alarming given the number of DNS hijacking attacks and poses serious concerns to corporate and national security.”

Gegham Hakobian, Email Security Expert, PowerDMARC

DNSSEC: The Forgotten Foundation

Low DNSSEC adoption (21.4%) is a foundational weakness. Without it, attackers can execute DNS hijacking attacks and redirect users from a legitimate domain to a malicious one. This can undermine all other email security controls, as an attacker could redirect a company’s mail servers to one they control.

Benchmarking Belgium: A European Perspective

Belgium’s progress is solid but places it in the middle tier of European nations. It leads some peers in DMARC awareness but lags significantly in the important areas of enforcement and transport-layer security.

Country | SPF Correctness | DMARC Enforcement (p=reject) | MTA-STS Adoption | DNSSEC Adoption
Belgium | 90.1% | 24.7% | 2.1% | 21.4%
Netherlands | 70% | 23.2% | 0.9% | 37.7%
Sweden | 85% | 29.7% | 2.9% | 25.9%
Norway | 85.2% | 29.0% | 4.4% | 45.6%
Italy | 91% | 16.7% | 1% | 3.5%

Note: Comparative data is based on the 2024 and 2025 PowerDMARC DMARC Adoption reports.

The data reveals that while Belgium’s SPF adoption is strong, its DMARC enforcement is comparable to the Netherlands and Italy but trails Sweden and Norway. When it comes to the advanced protocols, Italy is the one that lags significantly behind in terms of DNSSEC adoption, whereas the MTA-STS percentages are more or less comparable across these 5 European countries.

Conclusion: From Awareness to Action

Belgium stands at a critical turning point. The widespread awareness of DMARC and strong foundational SPF adoption provides an excellent launchpad. However, awareness is not protection. The journey must now shift decisively from monitoring to enforcement and from authentication to encryption.

The risks of inaction are clear: financial losses from business email compromise, erosion of customer trust due to phishing, operational disruption from ransomware, and non-compliance with data protection regulations. The next vital steps for securing Belgium’s email trust fabric are the widespread deployment of MTA-STS and a renewed focus on DNSSEC.

How Can PowerDMARC Help

PowerDMARC offers a fully integrated platform that empowers Belgian organizations to bridge the gap between awareness and true email resilience. We provide the fastest, most reliable path to DMARC enforcement, MTA-STS adoption, and DNSSEC validation. Our managed solutions eliminate complexity, provide real-time threat intelligence, and secure your email channels end-to-end.

Don’t wait for an attack to prove the need for enforcement. Contact [email protected] or book a one-on-one session with our experts today to build a resilient email security future for your organization.