Australia DMARC & MTA-STS Adoption Report 2025

In 2024, the Australian Signals Directorate (ASD) responded to more than 1,200 high-priority cyber incidents, an 11% surge that underscores a nation under digital siege. As of late 2025, the financial toll of this offensive has become staggering: the average cost of a cybercrime report for large Australian businesses has skyrocketed by 219%, now exceeding $200,000 per incident. With a new cybercrime report lodged every six minutes, the Australian government has moved from recommendation to regulation.

The commencement of the Security of Critical Infrastructure (SOCI) Rules in April 2025 marks a definitive line in the sand. Cybersecurity is no longer a voluntary “IT checkbox” but a legal mandate under the 2023–2030 Australian Cyber Security Strategy. Yet, despite this regulatory push, a fundamental paradox remains: while most Australian domains have established basic security records, nearly half fail to actually enforce them, leaving the “digital arteries” of the nation’s economy, its email systems, wide open to exploitation.

This report provides a sector-by-sector technical analysis of Australia’s email and domain security posture, exposing the structural gaps in DMARC enforcement and transit encryption that continue to fuel a $2 billion annual scam epidemic.


Overall National Posture: The Enforcement Gap

Australia shows strong “entry-level” adoption, with nearly all domains having some form of SPF and DMARC record. The bottom line, however, is that most organizations are in a passive state, monitoring threats rather than blocking them.


National Adoption Metrics

Protocol Component | Rate | Risk Implications
SPF Correctness | 92.3% | Low risk of legitimate mail being marked as spam.
DMARC Enforcement (p=reject) | 46.7% | CRITICAL: 53.3% of domains cannot stop spoofing.
MTA-STS Adoption | 5.8% | High risk of “Man-in-the-Middle” interception.
DNSSEC Adoption | 6.8% | Vulnerable to DNS hijacking and cache poisoning.

Analysis: While 9 out of 10 domains have DMARC, only half use it to actually block unauthorized emails. This creates a false sense of security where IT teams see the “check-box” for DMARC but remain vulnerable to sophisticated impersonation.

Sector-Specific Vulnerabilities and Performance

While Australia boasts a high baseline for email authentication, a closer look at individual industries reveals a massive “Enforcement Gap.” Sectors guarding the nation’s most sensitive data, from patient records to government IDs, often rely on passive monitoring rather than active blocking, creating opportunities for sophisticated phishing and interception.

1. Healthcare: Safeguarding Patient Privacy

The 2024 Medibank breach remains a stark reminder of how spoofed vendor communications can lead to catastrophic data leaks. While Healthcare has a high SPF base, the lack of transit encryption and DNS security creates a significant blind spot for patient records.

Healthcare Security Metrics

Metric Adoption Rate Status
SPF Correctness 93.3% High
DMARC Enforcement (p=reject) 46.7% Moderate
No DMARC Record 6.7% Vulnerable
MTA-STS Adoption 2.2% Negligible
DNSSEC Adoption 0% Non-existent

The Threat

With 97.8% of healthcare domains lacking MTA-STS, patient data sent via email is susceptible to “Man-in-the-Middle” (MiTM) attacks. Attackers can intercept or alter health records in transit, leading to identity theft or incorrect medical billing.

The PowerDMARC Solution

  • Hosted DMARC:
    Allows hospitals to move to p=reject without risking the delivery of critical automated patient notifications.
  • MTA-STS & TLS-RPT:
    Automates the encryption of emails in transit, ensuring compliance with the Privacy Act and protecting PHI from interception.

2. Banking & Finance: Combating $1B in Annual Losses

The finance sector leads in DNSSEC adoption to prevent site hijacking, but it still struggles with “passive” DMARC policies that do not actively block fraudulent emails.

Banking & Finance Metrics

Metric Adoption Rate Status
SPF Correctness 95.3% High
DMARC Enforcement (p=reject) 51.6% Moderate
No DMARC Record 4.7% Vulnerable
MTA-STS Adoption 3.1% Low
DNSSEC Adoption 14.1% Leading (relative)

The Threat

Since nearly half of the sector does not enforce p=reject, scammers can send emails that perfectly mimic a bank’s domain. These “mule account” phishes trick customers into transferring funds to criminal-controlled accounts.

The PowerDMARC Solution

  • SPF Flattening:
    Financial institutions often use multiple third-party vendors (marketing, CRM). PowerDMARC prevents SPF “Too many DNS lookups” errors, ensuring emails are always authenticated.
  • AI-Threat Intelligence:
    Maps out the global sources sending mail on the bank’s behalf, identifying and blocking unauthorized IP addresses in real-time.

3. Government: The High-Enforcement Benchmark

Agencies are digitizing citizen services faster than they are securing the communication channels that deliver them.

Government Metrics

Metric Adoption Rate Status
SPF Correctness 97.7% Excellent
DMARC Enforcement (p=reject) 70.5% Strong
No DMARC Record 1.5% Secure
MTA-STS Adoption 18.2% Moderate
DNSSEC Adoption 6.1% Low

The Threat

Despite high DMARC enforcement, the 81.8% gap in MTA-STS allows attackers to downgrade email encryption to clear text. This exposes sensitive communications between citizens and agencies like the ATO or Centrelink.

The PowerDMARC Solution

  • Hosted MTA-STS & DNSSEC:
    Simplifies the complex deployment of these protocols across various government departments, aligning with the ASD Essential Eight maturity levels.
  • Compliance Reporting:
    Provides automated reports for auditors to prove that email channels are secured according to federal standards.

4. Telecommunications: High Exposure for Subscriber Data

Telcos are the gatekeepers of identity, yet they currently exhibit the lowest DMARC enforcement rates among critical sectors, inviting SIM-swapping and credential theft.

Telecommunications Metrics

Metric Adoption Rate Status
SPF Correctness 84.3% Low
DMARC Enforcement (p=reject) 24.1% Critical Risk
No DMARC Record 12.0% High Exposure
MTA-STS Adoption 1.2% Negligible
DNSSEC Adoption 10.8% Moderate

The Threat

1 in 8 telcos has no DMARC record, making it easy for hackers to send fake bill alerts. Once a user clicks a malicious link, their credentials are stolen, often leading to SIM swaps that bypass MFA for bank accounts.

The PowerDMARC Solution

  • Managed DMARC Services:
    Provides a phased roadmap to take telcos from p=none to p=reject, blocking millions of spoofed emails at the source.
  • DMARC Forensic RUF Reports:
    Gives telcos visibility into the specific phishing campaigns targeting their subscribers.

5. Transport & Logistics: Stopping the Invoice Fraud Highway

With high volumes of international billing, the transport sector is a prime target for Business Email Compromise (BEC), yet it lags significantly in email authentication.

Transport & Logistics Metrics

Metric Adoption Rate Status
SPF Correctness 90.2% High
DMARC Enforcement (p=reject) 22.0% Critical Risk
No DMARC Record 17.1% High Exposure
MTA-STS Adoption 1.2% Negligible
DNSSEC Adoption 4.9% Low

The Threat

A staggering 17.1% of domains lack DMARC. This allows attackers to spoof logistics giants (e.g., Qantas Freight or Toll), injecting fraudulent invoices into the supply chain that result in millions of dollars in wire fraud.

The PowerDMARC Solution

  • Automated SPF Management:
    Secures complex logistics networks that rely on third-party shippers, ensuring all legitimate mail is delivered while spoofers are blocked.
  • BIMI (Brand Indicators for Message Identification):
    Adds the company logo to authenticated emails in the recipient’s inbox, boosting trust for bill-paying customers.

6. Media: Defending Trust in the Information Age

The media sector faces a unique threat: the weaponization of its domains to spread disinformation. While DMARC adoption is decent, the lack of encryption is a liability for source protection.

Media Metrics

Metric Adoption Rate Status
SPF Correctness 91.2% High
DMARC Enforcement (p=reject) 63.2% Strong
No DMARC Record 5.9% Moderate
MTA-STS Adoption 0% Non-existent
DNSSEC Adoption 4.4% Low

The Threat

Zero adoption of MTA-STS means journalist-source communications are vulnerable to state-sponsored interception. Furthermore, domains without enforcement can be used to send fake press releases that cause stock market volatility or social panic.

The PowerDMARC Solution

  • Hosted MTA-STS:
    Secures the journalist’s “digital footprint” by ensuring all communications are encrypted, protecting sources from prying eyes.
  • Enterprise-Grade Dashboard:
    Allows media conglomerates to manage hundreds of subdomains and international news desks from a single pane of glass.

7. Education: Protecting IP and Research

Australian universities are global leaders in research, making them hotspots for intellectual property (IP) theft via sophisticated credential harvesting.

Education Metrics

Metric Adoption Rate Status
SPF Correctness 91.4% High
DMARC Enforcement (p=reject) 38.3% Moderate
No DMARC Record 8.6% Moderate
MTA-STS Adoption 3.7% Low
DNSSEC Adoption 6.2% Low

The Threat

Low enforcement (38.3%) allows attackers to spoof “IT Password Reset” emails. When researchers or students log in to these fake portals, their credentials are used to access internal university databases and steal trade secrets or research data.

The PowerDMARC Solution

  • Domain Discovery:
    Automatically finds all “shadow IT” domains registered by students or faculty that might be lacking security controls.
  • Managed Services:
    Offloads the technical burden of DMARC maintenance from overstretched university IT departments.

Under the Hood: Four Structural Weaknesses

Beyond sector-specific risks, the Australian email ecosystem is hindered by four systemic vulnerabilities that facilitate the $2 billion yearly scam toll.

1. The “Compliance Trap” of p=none

While 92.3% of Australian domains have DMARC, only 46.7% enforce a strict policy. This leaves a massive “monitoring-only” gap where organizations can see threats but cannot stop them.
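The distinction the enforcement figure rests on is whether the DMARC record's policy tags actually instruct receivers to block. The following is an added example, not PowerDMARC's code, that classifies a record as monitoring-only or enforcing and flags the tags (pct=, sp=, a missing rua=) that can quietly turn a nominal p=reject back into the “compliance trap”; the example.com.au records are constructed samples.

```python
# Added example (not PowerDMARC's code): classify a DMARC record as
# monitoring-only or enforcing, the distinction behind the report's
# "enforcement gap". All records below are constructed samples.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def effective_policy(tags: dict, subdomain: bool = False) -> str:
    """Policy a receiver applies; sp= overrides p= for subdomains when present."""
    if subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()

def classify(record: str) -> dict:
    """Report whether the domain blocks spoofed mail, plus caveats p=reject can hide."""
    tags = parse_dmarc(record)
    org_policy = effective_policy(tags)
    sub_policy = effective_policy(tags, subdomain=True)
    pct = int(tags.get("pct", "100"))
    caveats = []
    if org_policy == "reject" and pct < 100:
        caveats.append(f"pct={pct}: only {pct}% of failing mail gets the reject policy")
    if org_policy != "none" and sub_policy == "none":
        caveats.append("sp=none leaves subdomains in monitoring-only mode")
    if "rua" not in tags:
        caveats.append("no rua= address: no aggregate reports, so no visibility either")
    return {
        "policy": org_policy,
        "enforcing": org_policy in ("quarantine", "reject") and pct > 0,
        "strict": org_policy == "reject" and pct == 100 and sub_policy == "reject",
        "caveats": caveats,
    }

# Constructed sample records for a hypothetical example.com.au
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
PARTIAL = "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.com.au"
STRICT = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com.au"
```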

“A policy of p=none is like installing a security camera but leaving the front door unlocked. You can watch the burglars enter, but you are powerless to stop them. Australia’s adoption rate is high, but the job is only half-done until the policy is shifted to reject.”

Maitham Al Lawati, CEO, PowerDMARC

“Large Australian firms often break their own security as they grow. Adding a new marketing tool can push you over the 10-lookup limit, causing critical invoices to land in spam. SPF Flattening is no longer a luxury; it’s a requirement for operational stability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

2. SPF Complexity and the 10-Lookup Limit

92.3% of Australian domains show correct SPF, but large enterprises frequently hit the “DNS lookup limit” due to sprawling third-party tech stacks (CRMs, payment gateways). This leads to random authentication failures that break deliverability.

3. MTA-STS: The Encryption Blind Spot

With just 5.8% national adoption, Australia has a near-total blind spot regarding transport security. This allows “Downgrade Attacks,” where criminals force servers to drop encryption and transmit sensitive emails in plain text.
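What closes that blind spot is the policy's mode: in “enforce” mode a sending server must refuse to deliver when TLS fails or the MX is not one the policy lists, instead of silently falling back to cleartext as opportunistic STARTTLS does. The following is an added example, not PowerDMARC's code, that parses an RFC 8461 policy file and applies it to one delivery attempt; the policy text and the example.gov.au hostnames are constructed.

```python
# Added example (not PowerDMARC's code): apply an MTA-STS policy (RFC 8461)
# to one delivery attempt, showing why "enforce" mode, unlike opportunistic
# STARTTLS, refuses to fall back to cleartext. Policy and hosts are constructed.

def parse_policy(text: str) -> dict:
    """Parse the key: value body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_matches(mx_host: str, patterns) -> bool:
    """Exact match, or '*.example' matching exactly one label under 'example'."""
    mx_host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]                       # e.g. ".mx.example.gov.au"
            if mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]:
                return True
        elif mx_host == pat:
            return True
    return False

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Outcome for one connection: the MX must be listed AND TLS must validate."""
    if tls_ok and mx_matches(mx_host, policy["mx"]):
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"            # no cleartext fallback: the downgrade is blocked
    return "deliver+report"        # testing/none: deliver anyway, flag it via TLS-RPT

# Constructed policy for a hypothetical example.gov.au
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.gov.au
mx: *.mx.example.gov.au
max_age: 604800
"""
```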

“Opportunistic encryption (STARTTLS) is not enough. Without MTA-STS, it is trivial for an attacker to strip away security and read corporate communications in transit. This is a primary risk for any entity subject to SOCI regulations.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

“DNS hijacking can shatter decades of brand trust in minutes. DNSSEC is the guardian of digital identity, ensuring your customers connect with the real entity, not a criminal clone. It’s a fundamental layer of brand reputation management.”

Ahona Rudra, Marketing Manager, PowerDMARC

4. DNSSEC: The Weak Foundation

DNSSEC adoption sits at a meager 6.8%. Without this, the internet’s directory system is unprotected, allowing attackers to hijack entire domain flows and redirect them to rogue servers.

Global Benchmarking: Australia in Context

While Australia shows high foundational compliance, its enforcement rates tell a different story compared to global peers. Australia ranks as a “Passive Leader,” high on visibility, but trailing on active defense.

The Global Leaderboard: 2025 Data

Country | SPF Correct | DMARC Adoption | DMARC Enforcement (p=reject) | MTA-STS (Encryption)
Australia 🇦🇺 | 92.3% | 92.3% | 46.7% | 5.8%
Sweden 🇸🇪 | 85.0% | 77.9% | 29.9% | 2.9%
Japan 🇯🇵 | 95.0% | 74.6% | 9.2% | 0.5%
Norway 🇳🇴 | 85.2% | 83.1% | 29.0% | 2.8%
Peru 🇵🇪 | 86.1% | 66.0% | 17.9% | 0.6%
Nigeria 🇳🇬 | 70.3% | 45.9% | 14.2% | 0.0%

Critical Insights from Australia

1. The Australian Edge

Australia has significantly higher DMARC adoption and enforcement rates than Japan and many European nations, likely due to the aggressive push of the ASD Essential Eight.

2. The Paradox of Visibility

Despite 92.3% DMARC adoption, the 53% of domains not at p=reject remain wide open to impersonation.

3. The Encryption Crisis

Even though Australia leads Japan in MTA-STS, a 5.8% rate is still an “open door” for interception, significantly lagging behind the security requirements of modern digital economies.

PowerDMARC Perspective

“Australia has built a technical foundation that outpaces much of the world, yet the ‘Enforcement Gap’ remains a multi-billion dollar vulnerability. The urgent imperative for 2026 is to move from passive visibility to active defense. By converting high DMARC adoption into strict ‘p=reject’ enforcement and closing the MTA-STS encryption gap, Australian organizations can transform their email domains from vulnerable targets into hardened, trusted communication channels that align with the national cyber security strategy.”

Conclusion: From Metrics to Action

The 2025 data confirms that Australia has built the foundation (SPF) but has not yet finished the walls (DMARC Enforcement) or the roof (MTA-STS). To move from a “Passive Leader” to an “Active Defender,” organizations must:

Automate the Journey: Use Hosted DMARC to move from p=none to p=reject without breaking business workflows.

Seal the Interception Gap: Implement Hosted MTA-STS to ensure all communications with citizens and partners are encrypted.

Flatten SPF: Prevent DNS lookup errors to ensure 100% email deliverability. Hosted SPF services can help ensure correct SPF setup.

Turn Visibility into Defense Today

Australia’s high adoption rates prove that organizations recognize the threat; they just need the right partner to flip the switch. Don’t let your domain remain a “Paper Tiger” that watches attacks happen without stopping them. Move from passive monitoring to active protection before the next major breach hits.

Contact us at PowerDMARC to start your journey to enforcement.