Italy DMARC & MTA-STS Adoption Report 2025

Italy has been recognized as a leader in global cybersecurity readiness, scoring a perfect 100/100 in the ITU’s Global Cybersecurity Index 2024. With a dedicated national CSIRT, strong legislation, and the Italian National Cybersecurity Agency (ACN), the country is positioned as a role model for Europe.

But beneath this strong posture lies a critical weakness: email security.
Italy lost an estimated $66 billion to cybercrime in 2023, much of it fueled by phishing and spoofing attacks. Weak adoption of email authentication protocols (DMARC, SPF, MTA-STS, DNSSEC) continues to expose organizations across healthcare, finance, government, and beyond.

  • This report analyzes 693 Italian domains across 9 key sectors, highlighting where


At a Glance: Key Findings Across Italy

  • SPF: 91% correct, but 1 in 11 domains risk rejection due to errors.

  • DMARC: 26% of domains have no record, leaving them open to spoofing. Only 16.7% enforce “reject”.

  • MTA-STS: A shocking 99% of domains lack adoption, leaving email traffic vulnerable to interception.

  • DNSSEC: Only 3.5% enabled — most domains remain unprotected from DNS hijacking.

Nearly 1 in 4 organizations in Italy cannot prevent attackers from sending fraudulent emails on their behalf.

Sector-by-Sector Analysis

Financial: A Prime Target for Fraud

The financial sector is one of Italy’s most lucrative cybercrime targets. Banks and financial institutions are trusted by millions, which makes spoofed emails highly effective for fraudsters.


Adoption Statistics (Finance)

  • SPF: 93.1% correct, but 1 in 14 banks risk email rejection due to errors.

  • DMARC: 41.7% enforce “reject” (strong progress), but 11.1% of banks have no protection at all.

  • MTA-STS: 100% missing — meaning encrypted banking emails can be intercepted.

  • DNSSEC: Only 2.8% enabled.

Why This Matters

Fake bank emails can trick customers into transferring money to fraudulent accounts. Even a single spoofed campaign could result in millions in losses and reputational damage.

Solution Spotlight for Finance

PowerDMARC enables Italian banks to:

  • Rapidly enforce p=reject with zero configuration errors.

  • Gain visibility into fraud attempts with intuitive DMARC reports.

Healthcare: Patient Trust on the Line

Hospitals and clinics handle the most sensitive personal data — yet email authentication here is dangerously low.


Adoption Statistics (Healthcare)

  • SPF: 88.5% correct, but 1 in 8 healthcare domains risk rejection of legitimate mail.

  • DMARC: Only 12.8% at “reject.” 1 in 4 healthcare domains lack DMARC entirely.

  • MTA-STS: 98.1% missing, leaving medical emails exposed.

  • DNSSEC: 5.8% enabled.

Why This Matters

A spoofed hospital email asking patients to click a link or pay a bill could compromise not only finances but also patient safety and trust. GDPR fines are also a looming risk.

Solution Spotlight for Healthcare

With PowerDMARC, Italian healthcare agencies can deploy:

  • Hosted DMARC & SPF to prevent fake emails from reaching patients.

  • TLS-RPT & MTA-STS to ensure medical data is encrypted in transit.

Media: Gatekeepers of Public Trust

Media outlets are highly visible and trusted sources of news. Cybercriminals exploit this trust to spread misinformation and phishing campaigns.


Adoption Statistics (Media)

  • SPF: 90.1% correct.

  • DMARC: Only 11.3% enforce “reject.” Nearly 1 in 4 outlets lack DMARC.

  • MTA-STS: 100% missing.

  • DNSSEC: 2.8% enabled.

Why This Matters

Fake news emails impersonating Italian media could spread disinformation at scale. The lack of MTA-STS also makes journalists’ communications vulnerable to interception.

Solution Spotlight for Media

  • PowerDMARC helps media organizations defend brand credibility by ensuring only authenticated emails reach audiences through guided DMARC enforcement and MTA-STS adoption.

Government: Strong SPF, Weak Everywhere Else

Government domains should lead by example, but despite strong SPF adoption, DMARC and DNSSEC remain dangerously low.


Adoption Statistics (Government)

  • SPF: 96% correct.

  • DMARC: Only 14.4% enforce “reject,” while 1 in 3 domains lack DMARC entirely.

  • MTA-STS: 0% adoption.

  • DNSSEC: 0.8% enabled.

Why This Matters

Citizens are prime targets for fake government notices. Weak adoption risks large-scale fraud, tax scams, and reputational damage for national agencies.

Solution Spotlight for Government

With PowerDMARC, government agencies can:

  • Align with EU email security compliance requirements.

  • Protect citizens against phishing campaigns using .gov.it impersonations.

Energy: Critical Infrastructure at Risk

Energy providers keep Italy running — but weak email authentication makes them prime targets for nation-state attackers and ransomware groups.


Adoption Statistics (Energy)

  • SPF: 94.8% correct.

  • DMARC: 22.1% enforce “reject,” but nearly 1 in 4 lack DMARC.

  • MTA-STS: 98.7% missing.

  • DNSSEC: 5.2% enabled.

Why This Matters

Attackers spoofing energy providers could launch supply chain attacks or disrupt services — a direct national security risk.

Solution Spotlight for Energy

  • PowerDMARC ensures strict DMARC enforcement and DNSSEC checks, protecting Italy’s critical infrastructure.

Transport: Vulnerable to Spoofed Tickets and Invoices

From airlines to logistics, transport organizations are exposed due to weak DMARC policies.


Adoption Statistics (Transport)

  • SPF: 91.8% correct.

  • DMARC: Only 3.3% at “reject,” while 1 in 3 domains lack DMARC.

  • MTA-STS: 100% missing.

  • DNSSEC: 3.3% enabled.

Why This Matters

Fraudulent airline emails offering fake refunds or invoices can result in financial fraud and customer distrust.

Solution Spotlight for Transport

  • PowerDMARC enables real-time visibility into spoofing attempts, helping airlines and logistics companies build customer confidence.

Education: Universities in the Crosshairs

Universities are frequent phishing targets due to their open networks and large student populations.


Adoption Statistics (Education)

  • SPF: 85.8% correct.

  • DMARC: Only 10.2% at “reject.” 1 in 4 universities lack DMARC.

  • MTA-STS: 96% missing.

  • DNSSEC: 2% enabled.

Why This Matters

Phishing campaigns impersonating universities can harvest student credentials, leading to data breaches and identity theft.

Solution Spotlight for Education

  • PowerDMARC provides easy DMARC enforcement even for universities with complex, multi-domain setups.

Telecommunications: Communications at Risk

Telecoms connect millions of Italians every day. Yet weak DMARC adoption exposes customers to impersonation threats.


Adoption Statistics (Telecom)

  • SPF: 87.7% correct.

  • DMARC: 17.8% at “reject,” but 30.2% missing.

  • MTA-STS: 98.6% missing.

  • DNSSEC: 4.1% enabled.

Why This Matters

Spoofed telecom emails could trick customers into sharing SIM details or making fraudulent payments, leading to SIM swaps and account takeovers.

Solution Spotlight for Telecom

  • With PowerDMARC, telecom providers can deploy hosted DMARC + MTA-STS to keep customer communications safe.

Other: Diverse Domains, Shared Risks

This sector spans various industries with unique needs, from small businesses to niche organizations. Despite diversity, weak email authentication leaves these domains open to phishing, spoofing, and fraudulent impersonation.


Adoption Statistics (Other)

  • SPF: 77.8% correct.

  • DMARC: 33.3% at “reject,” 11.1% missing.

  • MTA-STS: 100% missing.

  • DNSSEC: 0% enabled.

Why This Matters

Without enforced DMARC and MTA-STS, these organizations risk fraudulent emails reaching their customers and partners. This can lead to financial loss, reputational damage, and operational disruption even for small or niche entities.

Solution Spotlight for Other

  • PowerDMARC enables these organizations to deploy hosted DMARC and MTA-STS quickly, securing their email channels and building trust with customers and partners.

Leaders, Laggards, and Lessons: Email Security Across Italy’s Industries

SPF: Government Leads, Others Fall Behind

Government domains in Italy are setting the benchmark for SPF adoption, closely followed by the energy sector. Both show a strong commitment to ensuring that only authorized servers can send emails on their behalf. However, not all sectors are keeping pace. The “Other” category noticeably lags behind, signaling weaker defenses against spoofing attacks.


DMARC: Finance Pushes Forward, Government Stays Cautious

Financial organizations, along with domains in the “Other” sector, are the most proactive in deploying DMARC. They not only adopt it widely but also enforce stricter reject policies, showing a strong stance against impersonation. In contrast, government domains appear more hesitant, with many still operating without DMARC, leaving room for attackers to exploit. The transport sector is even more conservative, rarely applying the strongest enforcement.


MTA-STS: Education Shows Early Momentum

Across Italy, MTA-STS adoption is still in its infancy. Education stands out as the first mover, with some universities already testing and enforcing the protocol. Telecommunications, healthcare, and energy are gradually catching up, but most other sectors haven’t yet taken the leap.


DNSSEC: A Missed Opportunity in Security

When it comes to DNSSEC, adoption remains strikingly low across all sectors. Healthcare and energy are making small strides, but government domains, and especially the “Other” category, lag far behind. The picture suggests that DNSSEC, despite its importance, is still not a priority for most organizations in Italy.

As we analyzed Italy’s email security landscape, five clear trends emerged: patterns that highlight both progress and persistent gaps. Here’s what stood out:

1. The Illusion of Security: Misconfigured DMARC Records

Trend in action:

Many Italian organizations proudly publish a DMARC record, but it’s often left at a weak “monitoring-only” (p=none) policy. This creates a false sense of security, while spoofed emails continue to slip through.

Real-world example:

An Italian retail chain thought DMARC was protecting them, but attackers still impersonated their brand in phishing campaigns. Their record was present but unenforced.

Expert insight

“A DMARC record at monitoring-only is like locking the door but leaving the window wide open. Real protection comes when enforcement is applied, not just when the record exists.”

Maitham Al Lawati, CEO, PowerDMARC

Expert insight

“SPF is powerful but fragile. Not optimizing SPF properly can backfire, leading to failures in legitimate email delivery. Hosted solutions prevent this pitfall by managing complexity automatically.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

2. SPF Gone Wrong

Trend in action:

While SPF adoption is high among organizations in Italy, fundamental errors such as exceeding the DNS lookup limit are causing SPF permanent errors and deliverability issues.

Real-world example:

A financial services firm in Milan faced email delivery failures because their SPF exceeded the 10-lookup limit. Instead of improving security, it harmed their communication flow.
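The lookup limit described above, as an added example that is not part of the original report: this Python sketch counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) an SPF record can trigger under RFC 7208 and flags records that go past 10. The domains and records in ZONE are constructed, and count_lookups and spf_result are hypothetical names.

```python
# Added example: worst-case count of DNS-querying SPF terms (RFC 7208, section 4.6.4).
# ZONE is constructed sample data standing in for live TXT lookups; names are hypothetical.
ZONE = {
    "bank.example": "v=spf1 mx a include:_spf.mail.example include:crm.example "
                    "include:news.example include:helpdesk.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_pool.crm.example ~all",
    "_pool.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "news.example": "v=spf1 exists:%{i}.bl.news.example include:_spf.mail.example ~all",
    "helpdesk.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "shop.example": "v=spf1 mx include:helpdesk.example -all",
}
LOOKUP_LIMIT = 10                                   # the limit the report refers to
QUERYING = {"a", "mx", "ptr", "exists", "include"}  # ip4, ip6 and all cost nothing


def count_lookups(domain, zone=ZONE, _path=()):
    """Count terms that trigger DNS queries, assuming no mechanism matches early."""
    record = zone.get(domain, "")
    if domain in _path or not record.lower().startswith("v=spf1"):
        return 0                                    # include loop or no SPF record
    path, total = _path + (domain,), 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()           # "a/24" -> "a"
        if name in QUERYING:
            total += 1
            if name == "include":                   # nested terms count too
                total += count_lookups(target, zone, path)
    return total


def spf_result(domain, zone=ZONE):
    """Return 'permerror' once the limit is exceeded, else 'ok'."""
    return "permerror" if count_lookups(domain, zone) > LOOKUP_LIMIT else "ok"


if __name__ == "__main__":
    for d in ("bank.example", "shop.example"):
        print(d, count_lookups(d), spf_result(d))
```

The constructed bank.example record lists only six terms itself, but nested includes bring the total to 15, which is how a record that looks short can still fail.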

3. BIMI Without the Foundation

Trend in action:

Brands are racing to publish BIMI (Brand Indicators for Message Identification) to showcase their logos in inboxes. But without DMARC enforcement, BIMI simply won’t work.

Real-world example:

An Italian e-commerce company deployed BIMI but didn’t enforce DMARC. Their logo never appeared, frustrating their marketing team and wasting resources.
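The difference between publishing DMARC and enforcing it (trend 1) and the BIMI dependency described above, as an added example that is not part of the original report: this Python sketch classifies a DMARC TXT record by the protection it gives and tallies a set of domains the way the adoption figures do. The sample records and function names are constructed, and the BIMI rule used (quarantine or reject, applied to all mail and to subdomains) is an assumption based on requirements mailbox providers commonly apply.

```python
from collections import Counter

# Constructed sample records (hypothetical domains), as returned for _dmarc.<domain>.
SAMPLES = {
    "retail.example": "v=DMARC1; p=none; rua=mailto:dmarc@retail.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=25",
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "clinic.example": "",  # no DMARC record published
}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Return 'missing', 'invalid', 'monitoring-only', 'partial' or 'enforced'."""
    if not record:
        return "missing"
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in {"none", "quarantine", "reject"}:
        return "invalid"
    if policy == "none":
        return "monitoring-only"          # record exists, spoofed mail still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy == "none":
        return "partial"                  # enforcement applies to only part of the mail
    return "enforced"


def bimi_ready(record):
    """Assumption: a logo is only eligible when DMARC is fully enforced."""
    return dmarc_posture(record) == "enforced"


def tally(samples=SAMPLES):
    """Count domains per posture, mirroring the report's adoption statistics."""
    return Counter(dmarc_posture(r) for r in samples.values())
```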

Expert insight

“We see organizations rushing to the cosmetic appeal of BIMI without building the security foundation first. It’s like hanging the sign before building the store.”

Gegham Hakobyan, Email Security Expert, PowerDMARC

Expert insight

“Cybercriminals always exploit the lowest barrier. If one sector strengthens, they pivot to another. Consistent adoption across industries is the only real defense.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

4. Inconsistent Adoption Across Sectors

Trend in action:

Some Italian sectors, like finance and government, are moving toward adoption, while SMBs and healthcare lag behind. This creates uneven protection, with attackers targeting the weakest links.

Real-world example:

A government agency mandated DMARC, while local healthcare providers remained exposed, becoming easy prey for ransomware operators posing as trusted domains.

5. Reactive, Not Proactive Security Postures

Trend in action:

Many Italian organizations act only after suffering a phishing or spoofing incident. This reactive mindset keeps businesses trapped in a cycle of damage control.

Real-world example:

A mid-sized law firm only enforced DMARC after a client fell victim to a spoofed email pretending to be their partner.

Expert insight

“Email is still the number one attack vector. Waiting for an incident before acting is no longer an option. Proactive authentication is the key to resilience.”

Maitham Al Lawati, CEO, PowerDMARC

Key takeaway:

These trends aren’t just statistics; they’re signals. Organizations in Italy have the opportunity to shift from illusion to enforcement, from reactive firefighting to proactive resilience.

Italy in Context: Where Does It Stand in Europe’s Email Security Race?

Italy’s journey in email security is a tale of steady progress and persistent gaps. While the country has taken significant strides, especially in SPF and DMARC adoption, there is still a clear path to becoming a European leader in domain protection.

Picture Europe’s email security landscape as a relay race:


The UK started early, with government guidelines on DMARC issued as far back as 2012. As of 2020, 28% of gov.uk domains had DMARC enabled, and more than half of those remained at a “none” policy, offering little real protection.


Germany, despite being in the top 5 globally for DMARC adoption, still sees many of its domains unprotected. Local ISPs hint at a potential future increase, which could raise adoption to 75%.


The Netherlands demonstrates promising progress in the government and education sectors; however, 41.5% of all domains still lack a DMARC record, and MTA-STS adoption remains negligible at just 0.9%.


Switzerland faces a growing threat from phishing and cybercrime, with over 55% of analyzed domains lacking DMARC, and 89% without MTA-STS, leaving key sectors like education, media, and transport highly vulnerable.


Sweden, a more recent benchmark, demonstrates strong DMARC adoption at 77.9%, yet only a tiny fraction (2.9%) has MTA-STS implemented, revealing a persistent gap in email transport security.

Against this backdrop, Italy’s position is encouraging but nuanced. SPF adoption is strong at 91%, while DMARC enforcement is emerging with 16.7% of domains set to “reject.” MTA-STS, however, is practically absent at 0.7%, and DNSSEC adoption is very low at 3.5%.

What this means in practice: Italy’s finance and government sectors are leading the pack, showing an early recognition of the risks posed by phishing and spoofing. Meanwhile, sectors like transport, healthcare, and media remain exposed, presenting a landscape where attackers are likely to target the weakest links.

PowerDMARC Perspective:

“Italy has the foundations in place to lead in email security. The key is shifting from presence to enforcement, turning DMARC and SPF records from checkboxes into active shields. Sectors with gaps, like transport and healthcare, can rapidly close the gap with the right tools and guidance.”

How Can PowerDMARC Help

PowerDMARC provides the fastest path to DMARC enforcement, MTA-STS adoption, and DNSSEC validation, helping Italian organizations protect citizens, customers, and businesses from the email threats that matter most.

Contact us at [email protected] or book a 1:1 session with our experts to safeguard your domain today.