Germany DMARC & MTA-STS Adoption Report 2025

In Germany, the average cost of a cyberattack is 16,000 euros. While this is lower than in previous years, it is still a large sum for companies to absorb. As a result, in 2024, nearly 38% of companies in Germany had to devote around 10-20% of their IT budget to IT security.

The German government officially designates its banking, health, and transport sectors as ‘Critical Infrastructures’ essential for national stability. However, our 2025 analysis reveals that these same sectors are dangerously unprotected against sophisticated email fraud and espionage.

This PowerDMARC report analyzes 600+ domains across seven key sectors, revealing a landscape where foundational authentication is strong, but enforcement and encryption remain dangerously underdeveloped.


Germany’s Email Security Posture: 2025 Metrics

Germany has a strong foundation of SPF, but the critical layers of DMARC enforcement and MTA-STS adoption lag far behind, which leaves the country exposed to sophisticated email attacks.

Metric | Adoption Rate | Key Finding
SPF Correctness | 96.8% | A very strong baseline for email authentication.
DMARC Presence | 67.2% | A good start, but a major gap remains.
No DMARC Record | 32.3% | Nearly 1 in 3 organizations is wide open to impersonation.
DMARC Enforcement (p=reject) | 17.5% | CRITICAL: The vast majority are not actively blocking fraud.
MTA-STS Adoption | 2.6% | CRITICAL: Email traffic is almost universally unencrypted in transit.
DNSSEC Adoption | 13.0% | A widespread vulnerability to DNS hijacking.

The Bottom Line:

In Germany, over 1 in 3 organizations lack any DMARC policy. Of those that have a policy, more than 80% are not using it for enforcement. This signals a severe, immediate risk of financial loss, data breaches, and a catastrophic erosion of public trust.

Sector-by-Sector Breakdown: Unmasking Risks and Opportunities

Banking Sector: Leading the Charge, But Still Exposed

Germany’s banking sector sets the pace for email security, but critical gaps remain in a sector where trust is paramount.

Banking Sector Metric Adoption Rate
SPF Correctness 93.2%
DMARC Enforcement (p=reject) 39.0%
No DMARC Record 6.7%
MTA-STS Adoption 0%
DNSSEC Adoption 3.4%

Risk Analysis:

Despite leading in DMARC enforcement, the sector's 0% adoption of MTA-STS and low DNSSEC adoption are major vulnerabilities. Sensitive financial communications are exposed to interception and DNS hijacking, creating a loophole for sophisticated phishing attacks that impersonate trusted banks.

Example:

A high-net-worth client emails their banker about a large wire transfer. An attacker intercepts this unencrypted email, alters the receiving bank details in a reply, and steals the funds.

Government Sector: Strong Foundations, Major Enforcement Gaps

Government domains show a commitment to basic authentication, but enforcement is alarmingly weak.

Government Sector Metric Adoption Rate
SPF Correctness 98.3%
DMARC Enforcement (p=reject) 12.5%
No DMARC Record 42.7%
MTA-STS Adoption 1.7%
DNSSEC Adoption 20.7%

Risk Analysis:

With over 40% of government domains lacking DMARC and only 12.5% enforcing it, impersonating government agencies is alarmingly easy. This enables a wide range of tax scams, social engineering campaigns, and disinformation attacks against citizens.

Example:

Citizens receive a fraudulent email from a spoofed tax office domain (e.g., [email protected]) demanding immediate payment for a “missed tax” to avoid legal action.

Healthcare Sector: Patient Trust on a Precarious Edge

The healthcare sector’s email security posture is lagging, creating unacceptable risks to patient data and trust.

Healthcare Sector Metric Adoption Rate
SPF Correctness 97.7%
DMARC Enforcement (p=reject) 9.3%
No DMARC Record 53.4%
MTA-STS Adoption 2.3%
DNSSEC Adoption 7.0%

Risk Analysis:

This is a crisis point. Over half of healthcare domains lack DMARC, and less than 10% enforce it. This exposes patients to phishing campaigns that can steal sensitive health information, commit insurance fraud, and damage the reputation of trusted health providers.

Example:

Patients receive a fake “Test Results Ready” email from their hospital’s spoofed domain (e.g., [email protected]). The link steals their patient portal login, which compromises their sensitive personal health information.

Media Sector: The Frontline Against Disinformation

Media outlets are a primary target for impersonation and disinformation, yet their defenses are not robust enough.

Media Sector Metric Adoption Rate
SPF Correctness 91.0%
DMARC Enforcement (p=reject) 17.9%
No DMARC Record 17.9%
MTA-STS Adoption 0%
DNSSEC Adoption 11.5%

Risk Analysis:

With less than 18% of media organizations enforcing DMARC and zero MTA-STS adoption, bad actors have a fertile ground to distribute fake news, conduct phishing campaigns against journalists, and impersonate trusted news brands to defraud the public.

Example:

A journalist receives a spoofed email from a “confidential source” (or even their editor) with a “top-secret” document, which is actually spyware designed to compromise the entire newsroom.

Transport Sector: Exposed to Fraud and Disruption

Transport and logistics organizations are highly susceptible to invoice fraud and customer scams due to their complex supply chains.

Transport Sector Metric Adoption Rate
SPF Correctness 96.1%
DMARC Enforcement (p=reject) 18.2%
No DMARC Record 33.7%
MTA-STS Adoption 5.2%
DNSSEC Adoption 10.4%

Risk Analysis:

Over a third of transport domains lack DMARC, and only 18.2% enforce it. This creates a high-risk environment for invoice and payment redirection fraud, which can cost millions and severely disrupt operations.

Example:

An attacker impersonates a port authority and sends a fraudulent “Updated Mooring Fees” invoice to a shipping line, which causes a six-figure payment to be misdirected.

Education Sector: A Prime Target for Credential Theft

Universities and educational institutions are prime targets for cyberattacks, yet their defenses are among the weakest.

Education Sector Metric Adoption Rate
SPF Correctness 98.8%
DMARC Enforcement (p=reject) 8.2%
No DMARC Record 31.8%
MTA-STS Adoption 3.5%
DNSSEC Adoption 8.2%

Risk Analysis:

With less than 10% enforcement, education domains are wide open. This makes them exceptionally vulnerable to credential harvesting campaigns targeting students and faculty, leading to the theft of valuable research and personal data.

Example:

Attackers use credentials stolen in such campaigns to access and exfiltrate valuable, unpublished academic research, which is then sold to competitors or foreign entities.

Telecommunications Sector: Protecting Customers and Core Services

As critical infrastructure, telecom providers are a high-value target, but their email security posture has significant room for improvement.

Telecommunications Sector Metric Adoption Rate
SPF Correctness 98.7%
DMARC Enforcement (p=reject) 30.4%
No DMARC Record 21.5%
MTA-STS Adoption 6.3%
DNSSEC Adoption 8.9%

Risk Analysis:

While enforcement is better than average, over 20% of telecom providers still lack DMARC. This exposes millions of subscribers to sophisticated scams (e.g., fake bills, account update requests) that impersonate their trusted provider.

Example:

A customer receives a fake “SIM Update Required” email from their provider. This tricks them into giving up information that allows the attacker to perform a SIM-swap attack, taking over their phone number to bypass two-factor authentication for their bank accounts.

Benchmarking: Where Does Germany Stand?

Germany leads in basic SPF adoption but falls behind its European peers in the two most important areas: DMARC enforcement and DNSSEC adoption.

Country | SPF Correctness | DMARC Enforcement (p=reject) | MTA-STS Adoption | DNSSEC Adoption
Germany | 96.8% | 17.5% | 2.6% | 13.0%
Belgium | 90.1% | 24.7% | 2.1% | 21.4%
Netherlands | 70.0% | 23.2% | 0.9% | 37.7%
Sweden | 85.0% | 29.7% | 2.9% | 25.9%
Norway | 85.2% | 29.0% | 4.4% | 45.6%
Italy | 91.0% | 16.7% | 1.0% | 3.5%

1. The False Shield of Partial DMARC

Many German organizations have a DMARC record set to p=none (monitoring only). While this is an important first step for visibility, it offers zero protection: receiving servers are told to deliver mail that fails authentication as normal. Attackers know this and actively target domains that have not progressed to p=quarantine or p=reject. A p=none policy is an open door for attackers.

2. The Fragility of SPF

High SPF adoption masks an underlying fragility. An SPF record may trigger at most 10 DNS lookups during evaluation. As organizations adopt more third-party services (e.g., marketing, HR, payment platforms), this limit is easily exceeded. The result is a “permerror”: the SPF check fails outright, and the domain is left unprotected despite having an SPF record.
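The two failure modes above (a monitoring-only DMARC policy, and an SPF record that silently exceeds the 10-lookup limit through nested includes) can be checked mechanically. The following is an added example, not PowerDMARC's code or tooling; the domains and TXT records are constructed stand-ins for DNS so it runs offline. It also treats a pct below 100 as only partial enforcement, and counts every include, a, mx, ptr, exists and redirect term as one lookup, the way RFC 7208 does.

```python
"""Classify DMARC enforcement and count SPF DNS lookups from TXT records (added example)."""
import re

# Constructed TXT records standing in for DNS so this runs offline; unlisted names have no record.
DNS_TXT = {
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "_dmarc.example-clinic.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-clinic.test",
    "_dmarc.example-port.test": "v=DMARC1; p=quarantine; pct=20",
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 mx -all",
    "example-clinic.test": ("v=spf1 include:_spf.mailer.test include:_spf.crm.test "
                            "include:_spf.hr.test include:_spf.pay.test mx a -all"),
    "_spf.mailer.test": "v=spf1 include:_spf.mailer-eu.test include:_spf.mailer-us.test ~all",
    "_spf.crm.test": "v=spf1 a mx ptr -all",
    "_spf.hr.test": "v=spf1 exists:%{i}.hr.test include:_spf.hr-sub.test -all",
}
MAX_SPF_LOOKUPS = 10                                # RFC 7208 limit; above it the result is permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query

def dmarc_policy(domain: str) -> str:
    """Return missing / invalid / none / partial / quarantine / reject for a domain."""
    record = DNS_TXT.get(f"_dmarc.{domain}")
    if record is None:
        return "missing"
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (part.partition("=") for part in record.split(";")) if k.strip()}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "invalid"
    # pct below 100 applies the policy to only a sample of failing mail: not full enforcement.
    if tags["p"] != "none" and int(tags.get("pct", "100")) < 100:
        return "partial"
    return tags["p"]

def spf_lookups(domain: str, seen=frozenset()) -> int:
    """Count DNS-querying terms in an SPF record, recursing through include/redirect."""
    record = DNS_TXT.get(domain, "")
    if domain in seen or not record.lower().startswith("v=spf1"):
        return 0                                    # include loop, or nothing further to evaluate
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        mech = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if mech in LOOKUP_TERMS:
            count += 1
        if mech in ("include", "redirect"):
            count += spf_lookups(term[len(mech) + 1:], seen | {domain})
    return count

def spf_status(domain: str) -> str:
    return "permerror" if spf_lookups(domain) > MAX_SPF_LOOKUPS else "ok"
```

The clinic domain's own record looks harmless (four includes plus mx and a), but the nested includes bring the total to 13 lookups, which is exactly how a domain ends up with a permerror and no effective SPF.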

3. MTA-STS: The Unseen Shield

At just 2.6% adoption, MTA-STS is Germany’s most significant blind spot. If SPF and DMARC are the passport check for an email, MTA-STS is the armored vehicle that protects it during transit. Without it, encryption between mail servers is only opportunistic: an attacker on the path can strip it, so emails travel in plain text and can be intercepted, read, and altered between mail servers (a “man-in-the-middle” attack).
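What MTA-STS actually changes is the sending server's behaviour when TLS cannot be established or the MX does not match the published list. The following is an added example, not PowerDMARC's code; the TXT record, the policy text and the domain example-bank.test are constructed, and tls_ok stands for a TLS session having come up with a certificate valid for the MX hostname.

```python
"""Parse an MTA-STS policy and decide whether a sending MTA may deliver (added example)."""

# Constructed stand-ins for the _mta-sts.<domain> TXT record and the policy fetched over HTTPS
# from https://mta-sts.<domain>/.well-known/mta-sts.txt; example-bank.test is not a real domain.
STS_TXT = "v=STSv1; id=20250901T120000Z"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example-bank.test
mx: *.mx-backup.example-bank.test
max_age: 604800
"""

def has_sts_record(txt: str) -> bool:
    """True when the TXT record advertises a policy; a changed id tells senders to refetch."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return tags.get("v") == "STSv1" and bool(tags.get("id"))

def parse_policy(text: str) -> dict:
    """Parse the key: value policy file; mx may repeat, mode must be enforce/testing/none."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = int(value) if key == "max_age" else value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches exactly one leftmost label (RFC 8461), never nested ones."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Sender's action for one MX: tls_ok means TLS came up with a certificate valid for mx_host."""
    compliant = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if compliant or policy["mode"] == "none":
        return "deliver"
    # testing mode still delivers but the failure is reported (TLS-RPT); enforce refuses the MX
    return "report-and-deliver" if policy["mode"] == "testing" else "refuse"
```

With mode: enforce, a stripped STARTTLS or a substituted MX host leads to refusal rather than a plaintext delivery; with mode: testing the mail still flows, so testing is a staging step, not protection.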

4. DNSSEC: The Forgotten Foundation

Low DNSSEC adoption (13%) is a foundational weakness. DNS is the internet’s phonebook. Without DNSSEC, attackers can execute DNS hijacking and “cache poisoning” attacks, where they corrupt this phonebook to redirect users from a legitimate, secure domain to a malicious, identical-looking one to steal credentials or data.

Conclusion: From Awareness to Action

Germany stands at a critical turning point. The widespread awareness of DMARC and strong foundational SPF adoption provides an excellent launchpad. However, awareness is not protection.

The journey must now shift decisively from monitoring to enforcement and from authentication to encryption. The risks of inaction are clear: financial losses from business email compromise, erosion of customer trust due to phishing, operational disruption from ransomware, and non-compliance with data protection regulations. The next vital steps for securing Germany’s email trust fabric are the widespread deployment of MTA-STS and a renewed focus on DNSSEC.

PowerDMARC is the Best DMARC Solution in Germany

PowerDMARC offers a fully integrated platform that empowers German organizations to bridge the gap between awareness and true email resilience. We provide the fastest, most reliable path to DMARC enforcement, MTA-STS adoption, and DNSSEC validation. Our managed solutions eliminate complexity, provide real-time threat intelligence, and secure your email channels end-to-end.

Don’t wait for an attack to prove the need for enforcement. Contact [email protected] or book a one-on-one session with our experts today to build a resilient email security future for your organization.