Brazil DMARC & MTA-STS Adoption Report 2026

In 2025, Latin America witnessed a staggering 108% surge in cyberattacks, and organizations across the region now face an average of 2,640 weekly attacks. Brazil remains a prime target for regional and global threat actors.

While foundational awareness and technical compliance exist, the lack of strict active policy enforcement has created multi-million dollar vulnerabilities across Brazil’s most vital economic sectors, leaving corporate and public communication open to active exploitation.

At a Glance: Key Findings Across Brazil

SPF: 92.1% correct – A solid technical foundation established nationwide, though minor misconfigurations persist.

DMARC: While adoption is widespread, only 20.7% of domains enforce a strict “reject” policy, leaving a significant portion of domains under-protected.

MTA-STS: A massive national blind spot with 99.3% non-adoption, leaving transport-layer email traffic open to interception.

DNSSEC: 21.9% enabled – Progressing ahead of many regional peers, yet leaving 78.1% of domains vulnerable to DNS hijacking and redirection.

Sector-by-Sector Analysis

1. Financial: High Awareness, Low Encryption

As the primary target for advanced financial fraud, Brazilian banking institutions lead the country in DMARC enforcement, yet they remain exposed to transport-layer interception.

| Metric | Status |
| --- | --- |
| SPF | 95.2% correct |
| DMARC Reject | 39.2% (National Leader) |
| DMARC Gap | 5.6% have no record |
| MTA-STS | 0.0% adoption |
| DNSSEC | 28.0% enabled |

Threat Scenario

With a 100.0% MTA-STS gap across the banking sector, transactional email travels over paths where encryption is opportunistic rather than enforced. Attackers can execute “Downgrade Attacks” to strip that encryption, intercepting high-value transaction confirmations to reroute capital to fraudulent accounts.

The PowerDMARC Solution

With automated MTA-STS hosting, PowerDMARC forces all inbound email into encrypted TLS 1.2+ channels, removing the risk of Man-in-the-Middle (MiTM) interception and securing highly sensitive financial communication records.

2. Healthcare: Most Vulnerable Sector

Managing sensitive patient information with low strict enforcement makes this sector a prime target for data extortion and identity theft.

| Metric | Status |
| --- | --- |
| SPF | 90.2% correct |
| DMARC Reject | 19.5% |
| DMARC Gap | 13.4% lack DMARC entirely |
| MTA-STS | 0.0% adoption |
| DNSSEC | 17.1% enabled |

Threat Scenario

A missing DMARC record or a weak policy allows attackers to spoof hospital domains, delivering realistic “Patient Care Updates” containing malicious payloads to internal staff. A single successful compromise can trigger ransomware that locks critical hospital operational networks.

The PowerDMARC Solution

We guide healthcare providers through a structured implementation path to move smoothly from monitor mode to a strict p=reject policy, neutralizing phishing campaigns before they reach clinical staff inboxes.

3. Government: Strong Foundations, Passive Defense

Official communications carry the weight of the state. While government networks show excellent foundational setup, soft monitoring rules leave an opening for manipulation.

| Metric | Status |
| --- | --- |
| SPF | 98.8% correct |
| DMARC Reject | 20.7% |
| DMARC Policy | 53.7% at “quarantine” |
| MTA-STS | 3.7% valid |
| DNSSEC | 57.3% enabled (Sector Leader) |

Threat Scenario

With 53.7% of government domains relying on a “quarantine” policy, spoofed state emails are routed to spam or junk folders rather than being outright blocked. During a public event, threat actors can successfully impersonate official channels to spread false directives to citizens who monitor their secondary inbox folders.

The PowerDMARC Solution

Our multi-tenant dashboard lets central agencies monitor and secure vast networks of subdomains (e.g., .gov.br) from a single panel, simplifying the transition from “quarantine” to strict “reject.”

4. Education: Institutional Exposure

Academic centers host large volumes of research intellectual property but show noticeably relaxed enforcement metrics.

| Metric | Status |
| --- | --- |
| SPF | 92.9% correct |
| DMARC Reject | 10.6% |
| DMARC Policy | 38.8% at “quarantine” |
| MTA-STS | 1.2% valid |
| DNSSEC | 22.4% enabled |

Threat Scenario

Attackers exploit low strict enforcement to spoof academic departments, distributing look-alike “Tuition Payment Portal” updates to students or fake peer-review alerts to faculty to siphon login credentials and steal proprietary research.

The PowerDMARC Solution

Academic institutions often exceed the 10-DNS-lookup limit because departments adopt cloud software tools independently of one another. PowerSPF compresses these configurations, ensuring legitimate university correspondence is never accidentally dropped due to technical limitations.

5. Energy: Critical Infrastructure Risks

The energy sector displays strong basic alignment but leaves the supply chain exposed to infiltration.

| Metric | Status |
| --- | --- |
| SPF | 88.9% correct |
| DMARC Reject | 19.0% |
| DMARC Gap | 15.9% lack DMARC entirely |
| MTA-STS | 0.0% adoption |
| DNSSEC | 22.2% enabled |

Threat Scenario

With 15.9% of energy domains completely lacking DMARC protection, criminals can easily spoof equipment manufacturers and parts suppliers. These fake communications are used to issue fraudulent financial requests or introduce untrusted system files designed to pivot into operational technology environments.

The PowerDMARC Solution

PowerDMARC binds DMARC validation with hosted MTA-STS protocols, verifying sender legitimacy while guaranteeing that messages passing through outside nodes remain fully encrypted.

6. Media: Information Integrity at Risk

Media institutions face high visibility, where weak email controls allow bad actors to weaponize an outlet’s public trust.

| Metric | Status |
| --- | --- |
| SPF | 90.8% correct |
| DMARC Reject | 6.4% (Sector Low) |
| DMARC Gap | 41.8% have no record |
| MTA-STS | 0.0% adoption |
| DNSSEC | 8.5% enabled |

Threat Scenario

A severe 41.8% absence of DMARC records lets attackers forge media domain names to distribute false stories to public figures, businesses, or wire services, causing unnecessary reputational distress or market fluctuations.

The PowerDMARC Solution

We help media companies configure Brand Indicators for Message Identification (BIMI), placing verified corporate logos directly inside recipient inboxes as a certified stamp of authenticity.

7. Telecommunications: High Quarantine, Low Enforcement

Telecoms operate as the digital foundation of the country, yet a reactive approach places millions of cellular and internet subscribers at risk.

| Metric | Status |
| --- | --- |
| SPF | 82.3% correct |
| DMARC Reject | 27.4% |
| DMARC Policy | 25.8% at “quarantine” |
| MTA-STS | 0.0% adoption |
| DNSSEC | 11.3% enabled |

Threat Scenario

Scammers masquerade as cellular network operators to issue emergency “Suspended Account” notices. Because over a quarter of telecom domains sit passively at “quarantine” or have structural errors, phishing messages bypass gateway filters to extract subscriber data and facilitate SIM-swap scams.

The PowerDMARC Solution

We enforce an immediate transition to p=reject across carrier ecosystems, stopping attackers from leveraging legitimate telecom identifiers to exploit the subscriber base.

8. Transport: Moving Toward Security

Logistics operators rely heavily on continuous information exchange; any breakdown in trust can disrupt physical supply lines.

| Metric | Status |
| --- | --- |
| SPF | 94.2% correct |
| DMARC Reject | 24.4% |
| DMARC Gap | 12.9% lack DMARC entirely |
| MTA-STS | 1.2% valid |
| DNSSEC | 12.8% enabled |

Threat Scenario

Missing and inactive DMARC records give criminals an easy opening to copy transport company letterheads, sending modified bills of lading or routing details to distribution partners to siphon freight payments into private accounts.

The PowerDMARC Solution

PowerDMARC safeguards the commercial landscape by ensuring every delivery manifest and automated invoice is authenticated and verified before it arrives at a partner gateway.

Under the Hood: Four Structural Weaknesses

1. The “Compliance Trap” of p=none

Many Brazilian enterprises configure a basic DMARC record but stop short at a p=none policy. This grants visibility into mail sent under the domain, but it asks receivers to take no action on messages that fail authentication, so it provides zero preventative barriers against domain spoofing.
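The policy states discussed above, as an added example that is not part of the report or of PowerDMARC's tooling: a small parser that classifies a domain's DMARC posture from its `_dmarc` TXT value and flags `pct` and `sp` settings that weaken a published policy. The sample records and `.example` domains are constructed.

```python
# Added example: classify DMARC posture from _dmarc TXT values (RFC 7489).
# SAMPLES is constructed test data; the .example domains are hypothetical.
SAMPLES = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:d@bank.example",
    "agency.example": "v=DMARC1; p=quarantine; pct=50",
    "media.example": "v=DMARC1; p=none; rua=mailto:d@media.example",
    "shop.example": "v=DMARC1; p=reject; sp=none",
    "clinic.example": None,                  # no _dmarc TXT record published
    "broken.example": "p=reject; v=DMARC1",  # invalid: v= must be the first tag
}
VALID_POLICIES = {"none", "quarantine", "reject"}
LABELS = {"none": "monitor-only", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; None if it is not a valid record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if not pairs or any(len(p) != 2 for p in pairs):
        return None
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def posture(txt):
    """Return (label, warnings) for one domain's DMARC TXT value (None = no record)."""
    if txt is None:
        return "missing", []
    tags = parse_dmarc(txt)
    policy = (tags or {}).get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", []
    warnings = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        warnings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()
    if policy == "reject" and sp != "reject":
        warnings.append(f"sp={sp}: subdomains are not at reject")
    return LABELS[policy], warnings

def reject_share(samples):
    """Percentage of sampled domains whose organizational policy is p=reject."""
    hits = sum(1 for txt in samples.values() if posture(txt)[0] == "reject")
    return round(100 * hits / len(samples), 1)

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *posture(txt))
    print("reject share:", reject_share(SAMPLES), "%")
```

A domain counted as "reject" can still carry warnings, which is why a raw reject percentage overstates how much mail is actually blocked.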

Expert insight:

“While Brazil has built a highly commendable technical baseline for domain visibility, organizations remain highly vulnerable to spoofing campaigns until they actively transition to an enforced ‘reject’ state. Real defense isn’t achieved by just monitoring the threat; it requires denying entry at the gateway.”

Maitham Al Lawati, CEO, PowerDMARC

2. SPF Complexity and the 10-Lookup Limit

Expert insight:

“The complexity of modern enterprise stacks means large corporate groups are constantly facing lookup threshold errors. Implementing automated SPF Flattening is a core requirement for protecting delivery continuity and protecting sender trust.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

As local corporations integrate a broad array of third-party cloud apps, payroll processors, and marketing tools, their SPF records regularly exceed the standard 10-DNS-lookup limit. When that happens, receivers return an SPF permerror, so legitimate corporate communications fail validation checks and get dropped into spam.
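How a record crosses the limit, as an added example that is not code from the report or from PowerDMARC: a worst-case counter for the SPF terms that trigger DNS queries (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), following nested includes. The zone below is constructed and stands in for live DNS; every domain name in it is hypothetical.

```python
import re

# Constructed TXT data standing in for live DNS; every name here is hypothetical.
ZONE = {
    "uni.example": "v=spf1 mx a include:_spf.mailhost.example include:crm.example "
                   "include:lms.example include:survey.example ip4:192.0.2.0/24 ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_spf.crm.example ~all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "lms.example": "v=spf1 exists:%{i}.allow.lms.example redirect=_spf.lms.example",
    "_spf.lms.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "survey.example": "v=spf1 a ~all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
}
LIMIT = 10  # RFC 7208 section 4.6.4
TERM = re.compile(r"([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying SPF terms reachable from `domain`."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "").lower()
    if not record.startswith("v=spf1"):
        return 0  # no SPF record at this name
    total = 0
    for term in record.split()[1:]:
        match = TERM.match(term.lstrip("+-~?"))
        if not match:
            continue
        mech, target = match.groups()
        if mech in ("a", "mx", "ptr", "exists"):
            total += 1                      # one query each; ip4/ip6/all cost none
        elif mech in ("include", "redirect") and target:
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookups, verdict); above LIMIT a receiver returns permerror."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"

if __name__ == "__main__":
    for name in ("uni.example", "crm.example", "flat.example"):
        print(name, spf_status(name, ZONE))
```

The top-level record for `uni.example` lists only six querying terms; the other eight come from the vendors' own nested records, which is why the limit is usually breached without anyone editing the domain's record.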

3. MTA-STS: The Encryption Blind Spot

With 99.3% of Brazilian domains operating without MTA-STS, email transport relies on opportunistic encryption. This exposes communication to downgrade attacks in which messages are transferred, and can be read, in plaintext.
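What a published policy has to contain before senders will refuse a downgraded connection, as an added example that is not code from the report or from PowerDMARC: an audit of an MTA-STS policy file (RFC 8461) against a domain's MX hosts. The policy body and host names are constructed and hypothetical.

```python
# Constructed policy body, shaped like the file a domain serves at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461). Names are hypothetical.
POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mail.corp.example\r\n"
          "mx: *.mx.corp.example\r\nmax_age: 86400\r\n")
MX_HOSTS = ["mail.corp.example", "in1.mx.corp.example", "backup.relay.example"]
MAX_AGE_CEILING = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_policy(text):
    """Parse key: value lines; mx may repeat, so it is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(host, pattern):
    """Exact match, or a '*.' pattern covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit(policy_text, mx_hosts):
    """Return a list of findings; an empty list means the policy is enforceable."""
    p, findings = parse_policy(policy_text), []
    if p.get("version") != "STSv1":
        findings.append("version is not STSv1")
    mode = p.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("mode missing or invalid")
    elif mode != "enforce":
        findings.append(f"mode={mode}: senders still deliver when TLS validation fails")
    age = p.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_CEILING:
        findings.append("max_age missing or out of range")
    for host in mx_hosts:
        if not any(mx_matches(host, pat) for pat in p["mx"]):
            findings.append(f"MX {host} is not covered by the policy")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POLICY, MX_HOSTS)) or "policy is enforceable")
```

Resolving the uncovered MX before switching `mode` to `enforce` matters, because compliant senders will stop delivering to any MX host the policy does not list.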

Expert insight:

“Relying on opportunistic encryption creates a false sense of security. Without MTA-STS enforcement, a threat actor can easily force mail transfers into clear text via network-level manipulation. For Brazilian operators, deploying managed encryption paths is critical to maintaining end-to-end payload confidentiality.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

4. DNSSEC: The Foundation of Brand Trust

Expert insight:

“DNS hijacking can erase years of earned corporate trust in a matter of seconds. Implementing DNSSEC provides the cryptographic verification needed to guarantee that internet traffic reaches your legitimate servers rather than an adversary’s replica.”

Ahona Rudra, Marketing Manager, PowerDMARC

While Brazil’s 21.9% overall adoption shows forward momentum, the remaining 78.1% gap leaves companies exposed to malicious path redirection and cache poisoning attacks.

Global Benchmarking: Brazil in Context

Brazil is a structurally sound but passive participant in global email security: it shows exceptional foundational accuracy (SPF) and notable progress in DNSSEC, but lags behind in active transport encryption (MTA-STS) and strict automated enforcement (DMARC Reject).

The Global Leaderboard: 2026 Comparative Data

| Country | SPF Correct | DMARC Reject | MTA-STS | DNSSEC |
| --- | --- | --- | --- | --- |
| Brazil | 92.1% | 20.7% | 0.7% | 21.9% |
| Ecuador | 96.1% | 24.9% | 1.4% | 4.8% |
| Australia | 92.3% | 46.7% | 5.8% | 6.8% |
| Poland | 98.9% | 21.2% | 0.9% | 15.7% |
| Netherlands | 70.0% | 23.2% | 0.9% | 37.7% |
| Italy | 91.0% | 16.7% | 1.0% | 3.5% |
| Japan | 95.0% | 9.2% | 0.5% | 16.4% |

Brazil in the Global Spotlight: 2026 Analysis

1. The Foundational Disconnect

Brazil demonstrates strong basic alignment with SPF accuracy at 92.1%, matching or beating several global peers like Italy (91.0%). However, its true enforcement rate (20.7% Reject) reveals a distinct execution gap compared to leaders like Australia (46.7%). Brazilian organizations are excellent at listing valid servers, but hesitant to block unauthorized ones.

2. The Cryptographic Lead

Brazil outpaces many industrial nations in DNSSEC adoption, with an overall rate of 21.9%, surpassing Poland (15.7%), Japan (16.4%), and Ecuador (4.8%). This indicates strong infrastructure oversight within local registry environments, providing a solid foundation for broader security protocols.

3. The Encryption Chasm

Despite strong DNSSEC awareness, MTA-STS adoption stands at a critical low of 0.7%. Similar to global trends seen in Japan (0.5%) and Poland (0.9%), this shows that secure transport-layer pathing remains an unaddressed exposure across nearly all sectors.

PowerDMARC Perspective

“Brazil has established an impressive cryptographic baseline through its DNSSEC adoption, yet the surrounding enforcement gap remains a significant vulnerability. Local organizations excel at identity identification but fall behind on active perimeter defense. The clear directive is to transition from passive observation to absolute enforcement by converting existing visibility configurations into hardened p=reject policies.”

Conclusion: From Metrics to Action

The 2026 data indicate that Brazil has built a strong technical foundation, but the defensive perimeter remains incomplete. To safeguard its digital future, organizations should focus on three primary upgrades:

PowerDMARC Enterprise Capabilities

Advance Past Monitoring

High SPF and baseline DMARC deployment mean little if spoofed mail continues to reach user inboxes. Transitioning domains from p=none to p=reject via Hosted DMARC ensures unauthorized mail is blocked at the gateway.

Secure In-Transit Data

With 99.3% of the network exposed to transport tampering, deploying Hosted MTA-STS is vital to guarantee that business communications remain secure against interception.

Maintain Operational Flow

Eliminate lookup configuration errors that can disrupt legitimate corporate correspondence. Deploying Hosted SPF preserves delivery reliability as cloud environments grow more complex.

Research & Data Sources

PowerDMARC Methodology

DNS Record Analysis

Active DNS queries across domain samples from all 8 sectors, retrieving and validating SPF, DMARC, MTA-STS, and DNSSEC records per relevant RFC standards.

Sector Sampling

Domains identified from publicly available registries and sector listings across Financial, Healthcare, Government, Education, Energy, Media, Telecommunications, and Transport.

Global Benchmarking

All benchmark figures sourced from PowerDMARC’s published country reports for Australia, Poland, the Netherlands, Italy, and Japan, using a consistent DNS-analysis methodology.

Risk Classification

Sector risk ratings derived from a composite of p=reject adoption, share of domains with no DMARC record, SPF misconfiguration, and poor MTA-STS adoption rate across analyzed domains in Brazil.

Turn Visibility into Defense Today

Brazil’s high technical adoption rates prove that the country’s IT administrators are among the most capable in the region; they simply need the mandate and the tools to flip the switch on enforcement.

Don’t allow your domain to remain a sophisticated system that watches a breach happen but is powerless to stop it. Secure your reputation and your data before the next major cross-border phishing campaign targets your industry.

Contact us at PowerDMARC to start your journey from monitoring to absolute enforcement.