France DMARC & MTA-STS Adoption Report 2026

French organizations face a shifting cyber threat landscape. While domestic IT teams excel at configuring basic records, a general hesitation to enforce strict security policies leaves communication channels highly exposed.

This vulnerability has come under the spotlight following a major policy update from La Poste (laposte.net), France’s national email provider. The platform now strictly requires SPF, DKIM, and DMARC alignment for all inbound senders. For French businesses, this means that ignoring email security is no longer an option: any messages sent without proper authentication are automatically redirected to spam folders or blocked entirely.

You can read the full details on compliance guidelines in this guide to La Poste’s email authentication requirements.

At a Glance: Key Findings Across France

Based on the comprehensive baseline data compiled for the French digital ecosystem, the national email security posture reveals the following trends:

France-SPF

SPF: 95.6% correct. A near-universal technical alignment exists nationwide, leaving only a minor fraction of domains misconfigured (4.4% incorrect).

DMARC: While 87.0% of domains have initiated some form of DMARC record, only 28.3% actively enforce a strict “reject” policy. The remaining landscape remains dangerously exposed, sitting under monitoring-only p=none (35.3%), soft protective p=quarantine (22.2%), misconfigured parameters (1.2% incorrect), or completely missing any DMARC protection (13.0% no record).

MTA-STS: A massive nationwide blind spot with 97.4% non-adoption, leaving transport-layer email traffic highly vulnerable to interception across the country.

DNSSEC: Only 17.9% enabled, leaving a staggering 82.1% of domains vulnerable to domain hijacking, malicious traffic redirection, and cache poisoning.

Sector-by-Sector Analysis

1. Banking: Leading Enforcement with Transport Gaps

As prime targets for high-value financial fraud, French banking institutions lead the country in strict DMARC deployment, though major transport-layer exposures remain.

Metric Status 
SPF 100.0% correct (0.0% incorrect)
DMARC Reject 63.3% (National Leader)
DMARC Policies 20.2% at “quarantine”, 8.9% at “none”
DMARC Gap 7.6% have no record
MTA-STS 0.0% valid (100.0% lack record)
DNSSEC 12.7% enabled (87.3% disabled)
Banking-DMARC-Adoption---France

Vulnerability Exposure

While banking features an impressive 63.3% active rejection rate, nearly a tenth of the sector relies on monitoring-only parameters (p=none at 8.9%) or has no DMARC record at all (7.6%). Additionally, with 100.0% of financial institutions failing to deploy MTA-STS, attackers can intercept transactional receipts and financial reports using transport-layer downgrade attacks.

The PowerDMARC Strategy

Our hosted MTA-STS automation forces all email traffic into encrypted TLS 1.2+ pipelines, removing the risk of intercept attacks and keeping high-value banking communication private.

2. Healthcare: High Exposure and Missing Records

Faced with strict regulatory oversight, the French healthcare sector leads the nation in directory integrity but leaves its primary communication channel vulnerable to spoofing.

Metric Status 
SPF 97.1% correct (2.9% incorrect)
DMARC Reject 17.7%
DMARC Policies 25.5% at “quarantine”, 40.2% at “none”
DMARC Gap 12.7% lack DMARC entirely, 3.9% incorrect
MTA-STS 3.9% valid (96.1% lack record)
DNSSEC 32.4% enabled (Sector Leader)
Healthcare-SPF-Adoption---France

Vulnerability Exposure

Healthcare domains are the country’s leaders in DNSSEC adoption (32.4%). However, the sector remains highly vulnerable to domain spoofing, with 40.2% of domains sitting passively at p=none and 12.7% completely unprotected. Attackers can exploit this exposure to forge administrative hospital emails or deliver ransomware payloads.

The PowerDMARC Strategy

We help healthcare providers transition from simple monitoring to active, enforced p=reject policies without blocking legitimate patient-care communications.

3. Government: Strong Foundations but Soft Monitoring

Official state domains show excellent foundational record setup, but a lack of strict enforcement policy leaves room for impersonation.

Metric Status 
SPF 97.2% correct (2.8% incorrect)
DMARC Reject 26.8%
DMARC Policies 22.5% at “quarantine”, 32.4% at “none”, 0.7% incorrect
DMARC Gap 17.6% lack DMARC entirely
MTA-STS 0.7% adoption (99.3% lack record)
DNSSEC 16.9% enabled (83.1% disabled)

Vulnerability Exposure

Almost one-fifth of French public sector domains (17.6%) have no DMARC record, and another 32.4% remain in monitoring-only mode. This lack of enforcement allows cybercriminals to forge public identities, facilitating tax fraud, credential harvesting, or public phishing operations.

The PowerDMARC Strategy

Our multi-tenant architecture allows central government IT departments to manage, monitor, and enforce DMARC across sprawling subdomains from a single dashboard.

4. Education: High Monitoring, Low Actual Defense

Academic networks manage massive volumes of student data and research IP but show a strong preference for monitoring threats rather than stopping them.

Metric Status 
SPF 92.1% correct (7.9% incorrect)
DMARC Reject 11.1%
DMARC Policies 21.2% at “quarantine”, 52.4% at “none”, 1.6% incorrect
DMARC Gap 13.7% lack DMARC entirely
MTA-STS 1.1% adoption (98.9% lack record)
DNSSEC 9.5% enabled (90.5% disabled)

Vulnerability Exposure

France’s education sector has the country’s highest reliance on passive monitoring (p=none at 52.4%). This means more than half of the academic landscape is unprotected against direct domain spoofing, allowing bad actors to use forged university domains to execute phishing campaigns and financial scams.

The PowerDMARC Strategy

Academic networks often exceed the 10-DNS lookup limit due to diverse cloud applications. PowerSPF condenses records dynamically, ensuring all authentic university communications deliver reliably without triggering SPF authentication errors.

5. Energy: Critical Infrastructure Left Vulnerable

French critical energy infrastructure features clean baseline configurations but remains vulnerable to transport-layer interception and domain abuse.

Metric Status 
SPF 97.0% correct (3.0% incorrect)
DMARC Reject 34.2%
DMARC Policies 25.0% at “quarantine”, 27.4% at “none”, 1.2% incorrect
DMARC Gap 12.2% lack DMARC entirely
MTA-STS 3.7% valid (96.3% no record)
DNSSEC 27.4% enabled (72.6% disabled)
Energy-SPF-Adoption---France

Vulnerability Exposure

While the energy sector has implemented a respectable 34.2% p=reject rate, over a quarter (27.4%) of domains remain at p=none. This exposure, combined with a 96.3% lack of MTA-STS, leaves energy suppliers and grid operators vulnerable to spear-phishing campaigns and business email compromise (BEC).

The PowerDMARC Strategy

We unify DMARC enforcement with hosted MTA-STS protocols, validating sender addresses while ensuring inbound messages remain encrypted end-to-end.

6. Media: High Visibility under Passive Configurations

Newsrooms and media networks command high levels of public trust, yet their authentication infrastructure remains vulnerable.

Metric Status 
SPF 96.9% correct (3.1% incorrect)
DMARC Reject 26.5%
DMARC Policies 20.4% at “quarantine”, 38.3% at “none”
DMARC Gap 14.8% lack DMARC entirely
MTA-STS 5.6% valid (Sector Leader)
DNSSEC 14.2% enabled (85.8% disabled)
Media-DMARC-Adoption---France

Vulnerability Exposure

With 38.3% of media domains utilizing passive monitoring and another 14.8% lacking any DMARC protection, attackers can easily forge official news domain names. This makes it simple to spread disinformation, coordinate spear-phishing attacks, or hijack editorial credentials.

The PowerDMARC Strategy

We help media outlets deploy Brand Indicators for Message Identification (BIMI), placing verified corporate logos directly in user inboxes to provide clear, visual proof of sender authenticity.

7. Telecommunications: The “None” Policy Vulnerability

French telecom operators keep highly complex networks running, but struggle with protocol misconfigurations and a lack of active policy enforcement.

Metric Status 
SPF 88.9% correct (11.1% incorrect – Sector Low)
DMARC Reject 22.2%
DMARC Policies 28.9% at “quarantine”, 40.0% at “none”, 2.2% incorrect
DMARC Gap 6.7% lack DMARC entirely
MTA-STS 2.2% adoption (97.8% lack record)
DNSSEC 8.9% enabled (Sector Low)
BIMI Logo

Vulnerability Exposure

Telecom providers show the highest rate of incorrect SPF configurations in the country (11.1%), alongside a 40.0% reliance on passive monitoring (p=none). Attackers can easily take advantage of these misconfigured channels to execute phishing and SMS fraud campaigns that impersonate major carriers.

The PowerDMARC Strategy

We streamline the move to a strict p=reject policy across large carrier networks, stopping threat actors from abusing telecom brands to target subscribers.

8. Transport: Strong Active Enforcement but Low Encryption

Logistics providers depend on fast, automated communications, leading to a healthy rate of active blocking but lacking secure delivery channels.

Metric Status 
SPF 94.5% correct (5.5% incorrect)
DMARC Reject 37.9%
DMARC Policies 18.6% at “quarantine”, 31.1% at “none”, 0.7% incorrect
DMARC Gap 11.7% lack DMARC entirely
MTA-STS 2.8% valid (97.2% no record)
DNSSEC 18.6% enabled (81.4% disabled)

Vulnerability Exposure

While transport domains exhibit a solid 37.9% p=reject rate, a notable 31.1% still remain in monitoring-only mode. In tandem with a 97.2% lack of MTA-STS, malicious actors can target logistics networks to intercept manifests, reroute deliveries, or alter payment instructions.

The PowerDMARC Strategy

We secure B2B logistics channels, verifying inbound shipping orders and automated billing records before they reach client inboxes.

Under the Hood: Four Structural Weaknesses

1. The Passive Monitoring Fallacy: Over-Reliance on p=none

A key vulnerability across France’s digital footprint is the excessive reliance on passive DMARC configurations, with 35.3% of domains nationwide remaining at p=none. While this policy collects diagnostic data and tracks mail streams, it offers zero active protection against domain impersonation.

Expert insight:

“Publishing a DMARC record without an enforcement policy is like installing security cameras but leaving the front door unlocked. A monitoring policy helps you see the threats, but only transitioning to a strict ‘reject’ policy will actually stop cybercriminals from exploiting your brand.”

Maitham Al Lawati, CEO, PowerDMARC

Expert insight:

“Modern SaaS ecosystems make it incredibly easy to hit the SPF lookup ceiling without realizing it. Leveraging automated SPF Flattening is critical to programmatically condensing records, eliminating configuration errors, and preserving deliverability.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

2. SPF Lookup Bottlenecks and Delivery Failures

As French enterprises scale their digital tools, integrating third-party SaaS, CRMs, and payment gateways, their SPF records quickly exceed the authoritative 10-DNS-lookup limit. Crossing this threshold invalidates the protocol, causing legitimate outgoing emails to fail authentication and get routed straight to spam.

3. MTA-STS: The Unencrypted Transport Gap

With 97.4% of French domains lacking MTA-STS protocols, the overwhelming majority of inbound mail traffic relies on opportunistic encryption. This exposure allows attackers to perform Man-in-the-Middle (MiTM) downgrade attacks, stripping away encryption layers to read corporate communications in plaintext.

Expert insight:

“Relying on opportunistic encryption leaves your transit pipeline vulnerable. Without MTA-STS enforcement, a network attacker can easily force email routing down to unencrypted channels. Mandating secure transport channels is a non-negotiable step for data confidentiality.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

Expert insight:

“If an adversary hijacks your DNS, your entire defense structure crumbles. DNSSEC provides the cryptographic assurance needed to prove that traffic is reaching your authentic servers rather than a malicious lookalike.”

Ahona Rudra, Marketing Manager, PowerDMARC

4. DNSSEC: Core Infrastructure Left Exposed

Only 17.9% of domains in France have DNSSEC enabled, leaving 82.1% of the digital landscape exposed to DNS cache poisoning and malicious redirection. Without cryptographic verification at the domain name server level, attackers can hijack web traffic or spoof mail servers at the foundational routing stage.

Global Benchmarking: France in Context

France demonstrates strong technical discipline regarding basic record setup (such as SPF), but sits in a transitional phase regarding active transport protection and enforcement.

The Global Leaderboard: 2026 Comparative Data

Country SPF Correct DMARC Reject MTA-STS DNSSEC
France 95.6% 28.3% 2.6% 17.9%
Spain 97.0% 18.0% 0.8% 10.4%
Italy 91.0% 16.7% 1.0% 3.5%
Poland 98.9% 21.2% 0.9% 15.7%
Netherlands 70.0% 23.2% 0.9% 37.7%
Brazil 92.1% 20.7% 0.7% 21.9%
Ecuador 96.1% 24.9% 1.4% 4.8%
USA 95.7% 49.0% 1.7% 18.0%
UK 93.7% 44.1% 20.6% 3.8%

France in the Global Spotlight: 2026 Analysis

1
Leading Southern & Central Europe in Enforcement

France’s active defense posture (28.3% Reject) leads regional peers such as Poland (21.2%), Spain (18.0%), and Italy (16.7%). However, there is still a wide gap when compared to highly enforced regions like the USA (49.0%) and the UK (44.1%), where strict policies are standard enterprise practices.

2
A Promising Head Start in MTA-STS

Although 2.6% MTA-STS adoption is low globally, it comfortably outpaces European neighbors like Poland (0.9%), Spain (0.8%), and Italy (1.0%). While France shows early progress, it remains far behind the UK’s impressive 20.6% transport-layer encryption rate.

3
DNSSEC Resilience

France’s DNSSEC adoption rate (17.9%) matches the USA (18.0%) and outpaces regional counterparts like Poland (15.7%), Spain (10.4%), and Italy (3.5%). However, it still has ground to cover to reach the high security standards of the Netherlands (37.7%).

The PowerDMARC Perspective

“France has done the heavy lifting by building a highly commendable technical foundation, particularly through its strong nationwide SPF accuracy. However, stalling at a monitoring-only stage leaves a massive gap in active perimeter defense. French organizations have proven they excel at the initial setup phase; the next logical milestone is to confidently transition from passive observation to absolute, automated p=reject enforcement.”

Conclusion: From Metrics to Action

The 2026 data shows that while France has built a strong technical foundation, its overall defenses remain incomplete. To secure the digital landscape and align with mandates set by providers like La Poste, organizations must prioritize three main steps:

Move Beyond Passive Monitoring

Basic SPF and DMARC configurations are not enough if spoofed emails are still delivered. Moving from monitoring (p=none) to a strict enforcement level (p=reject) via Hosted DMARC ensures unauthorized emails are blocked before they reach the inbox.

Protect Data in Transit

With 97.4% of the country's domains exposed to transport-layer interception, adopting Hosted MTA-STS is critical to ensure that all email traffic is encrypted and secure against tampering.

Ensure Deliverability

Avoid configuration errors and limit issues that can block legitimate corporate emails. Using Hosted SPF keeps email authentication accurate and ensures reliable delivery as your cloud services scale.

Methodology, Research & Data Sources

DNS Record Analysis

Our engineering team ran automated DNS query operations across the target French domain directory. These queries fetched, analyzed, and validated existing SPF, DMARC, MTA-STS, and DNSSEC configurations against RFC-defined specifications to evaluate technical integrity and policy strength.

Sector Sampling

The target domain database was built using official business registries, public listings, and sector directories in France. The studied organizations were divided into eight core national industries:

  • Banking (Financial)
  • Healthcare
  • Government
  • Education
  • Energy
  • Media
  • Telecommunications
  • Transport (Logistics)

Global Benchmarking

Comparative international indexes were compiled using the same DNS-analysis methodologies from PowerDMARC’s global cybersecurity dataset. This allows France's metrics to be directly compared to standardized country indexes from Spain, Italy, Poland, the Netherlands, Brazil, Ecuador, the USA, and the UK.

Risk Classification

Sector-specific vulnerability levels are based on a balanced evaluation of four key security metrics across French domains:

  • The deployment rate of strict p=reject policies.
  • The ratio of domains completely lacking DMARC defenses.
  • The frequency of SPF validation and configuration errors.
  • The level of exposure due to a lack of MTA-STS transport encryption.

Transforming French Domain Visibility into Active Defense

France’s exceptional foundational configuration rates demonstrate that French IT teams possess world-class technical capabilities. The missing piece of the puzzle isn’t skill; it is having the right automated tools and organizational mandate to transition to active enforcement.

Do not let your enterprise domain function merely as a passive observer that records attacks without the power to block them. Secure your brand’s reputation, insulate your organization from the delivery disruptions of La Poste’s recent mail mandate, and protect your critical digital assets before the next major cross-border phishing wave targets your sector.

Reach out to the team at PowerDMARC to seamlessly advance your domain security from basic observation to absolute perimeter defense.