Date of analysis: 01/03/2025

Morocco DMARC & MTA-STS Adoption Report 2025

According to the African Cyber Threat Assessment Report of 2022 published by Interpol, Morocco is the most affected African country when it comes to banking trojans and stealer malware. As many as 18,827 attacks were detected in 2022. In the following year, many of the websites of the Moroccan News Agency (Maghreb Arab Press – MAP) were targeted by a Distributed Denial of Service (DDoS) attack.

This report aims to examine the cybersecurity gaps that make Morocco a frequent target of cyberattacks. We will mainly focus on analyzing the adoption levels of DMARC, SPF, MTA-STS, and DNSSEC email authentication protocols. Based on the analysis, we will identify existing security gaps and provide recommendations on how to best enhance the cybersecurity landscape in Morocco.

Download PDF Book a Demo

Assessing the Threat Landscape

PowerDMARC’s Morocco DMARC and MTA-STS Adoption Report 2025 will cover the following key issues:

  • Are there any variations in MTA-STS adoption based on the sector?

  • Do Moroccan domains enable DNSSEC?

  • Are some sectors more exposed and vulnerable to cyberattacks than others?

  • What are the steps that Morocco should follow to enhance digital security in the country?

Sectors Analyzed 

Total domains analyzed: 307

  • Agriculture

  • Automotive

  • Banking

  • Chemicals

  • Construction

  • Cosmetics

  • Education

What Do the Numbers Say?

Morocco SPF Adoption Analysis

Morocco DMARC Adoption Analysis

Morocco MTA-STS Adoption Analysis

Morocco DNSSEC Adoption Analysis

Key Findings

  • 71.34% of domains have correctly implemented SPF records.
  • 36.48% of domains have correctly implemented DMARC.
  • Only 7.49% have implemented a “Reject” policy, which offers the strongest protection.
  • 0% of domains have valid MTA-STS records.
  • 100% of domains have not implemented MTA-STS.
  • 98.70% of domains have not implemented DNSSEC.

Education

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation is at 70.59%.
  • Only 41.18% of domains have correctly implemented DMARC.
  • A significant number (58.82%) lack any DMARC record.

Equipment and Supplies

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation stands at 75%.
  • 50% of domains have correctly implemented DMARC.
  • Half (50%) have a DMARC policy set to “None.”

Finance

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Demonstrates strong SPF adoption with 83.33% correct implementation.
  • Correctly implemented DMARC is at 50%.
  • A notable percentage (33.33%) has a DMARC policy set to “None.”

Food and Beverages

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation is at 66.67%.
  • Only one-third (33.33%) of domains have correctly implemented DMARC.
  • A significant number (66.67%) lack any DMARC record.

Furniture

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Shows an SPF correct implementation rate of 57.14%.
  • Only 14.29% have correctly implemented DMARC.
  • A high percentage (85.71%) lack any DMARC record.

Goods

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation stands at 75%.
  • Correctly implemented DMARC is at 33.33%.
  • A significant number (66.67%) lack any DMARC record.

Government

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Demonstrates good SPF adoption with 77.19% correct implementation.
  • Correctly implemented DMARC is at 38.60%.
  • A notable portion (57.89%) lacks any DMARC record.

Healthcare

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Shows a SPF correct implementation rate of 74.07%.
  • Only one-third (33.33%) have correctly implemented DMARC.
  • A significant number (66.67%) lack any DMARC record.

Insurance

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Demonstrates strong SPF adoption with an impressive rate of 88.89%.
  • Correctly implemented DMARC is at 66.67%.
  • A notable portion (33.33%) lacks any DMARC record.

Logistics

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation stands at 75%.
  • Correctly implemented DMARC is at 37.50%.
  • A significant number (62.50%) lack any DMARC record.

Pharmaceutical

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Shows a SPF correct implementation rate of 62.50%.
  • Only one-eighth (12.50%) have correctly implemented DMARC.
  • A high percentage (87.50%) lack any DMARC record.

Real Estate

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • SPF correct implementation is at 54.55%.
  • Correctly implemented DMARC stands at 36.36%.
  • A significant number (54.55%) lack any DMARC record.

Telecomunnications

SPF Adoption Analysis

BIMI Logo

DMARC Adoption Analysis

BIMI Logo

MTA-STS Adoption Analysis

BIMI Logo

DNSSEC Adoption Analysis

BIMI Logo

Key Findings

  • Demonstrates moderate SPF adoption with a rate of 58.82%.
  • Only 17.65% have correctly implemented DMARC.
  • The majority (82.35%) do not implement any form of DMARC protection.

Comparative Analysis Among Different Sectors

Comparative Analysis of SPF Adoption among Different Sectors in Morocco

BIMI Logo

Key Findings

The highest rate of SPF adoption was observed in the Insurance sector (88.89%). The lowest SPF adoption rate was observed in the Real Estate sector at 54.55%, followed by the Automotive sector at 55.56%.

Comparative Analysis of DMARC Adoption among Different Sectors in Morocco

BIMI Logo

Key Findings

DMARC adoption was noted to be the highest in the Insurance sector at 66.67%. The Pharmaceutical sector was behind with the lowest DMARC adoption rate of 12.50%. The Insurance sector leads in implementing the strictest DMARC policy (“reject”) at 11.11%. Several sectors, including Banking, Construction, Cosmetics, Education, Equipment and Supplies, Food and Beverages, Furniture, and pharmaceuticals, have no domains implementing a “reject” policy – offering zero protection against email threats.

Comparative Analysis of MTA-STS Adoption among Different Sectors in Morocco

BIMI Logo

Key Findings

MTA-STS adoption is nonexistent across all sectors in Morocco.

Comparative Analysis of DNSSEC Adoption among Different Sectors in Morocco

Key Findings

DNSSEC adoption is very low across all sectors. The Real Estate sector shows the highest level of adoption at 9.09%, followed by the healthcare sector at 7.41%.

DMARC & MTA-STS Adoption Rates: Key Statistics for Morocco

  • 71.34% of domains have correctly configured SPF records, while 26.06% of domains lack any SPF record.

  • 36.48% of domains have correctly configured DMARC records. But an alarming 62.21% of domains do not implement DMARC at all.

  • Among the domains that do have DMARC implemented, the policy distribution is as follows:

    • 22.80% of domains have a policy set to “none” which provides minimal protection.
    • 6.19% use a quarantine policy, which offers intermediate protection.
    • Only 7.49% have a reject policy, which provides maximum protection against email-based attacks.

  • The adoption of MTA-STS is non-existent, with no domains having enabled this security protocol. 

  • The implementation of DNSSEC is also very limited. As many as 98.70% of domains have it disabled.

Critical Errors Organizations in Morocco Are Making

  • SPF-Related Errors

    Even though SPF rates among the 20 Moroccan sectors were rather high, quite a few of the domains still do not have any SPF record. Additionally, those who do have SPF records configured still make some common mistakes, such as:

    • Their SPF records surpass the 10 DNS lookup limit
    • SPF records do not comply with the void limits 
    • Their SPF records contain syntax errors 
    • They make errors related to configuration and setup.

  • Prevalence of Permissive DMARC Policies

    Very few of the Moroccan domains have correctly configured DMARC records. What’s worse, the majority of the domains that have correct DMARC records have their policy set to “None,” which offers only the lowest level of protection against cyber attacks.  

  • A Concerning Situation with MTA-STS

    All sectors in Morocco have 0% MTA-STS adoption. MTA-STS is a crucial security standard that helps ensure the safe and secure transmission of your emails over an encrypted SMTP connection. The lack thereof can thus put the domains at a major security risk against downgrade attacks, Man-In-The-Middle attacks (MITM), SMTP security problems, etc.

  • Very Low DNSSEC Adoption

    DNSSEC adoption rates are also extremely low across all Moroccan domains, making them an attractive and easy-to-reach target for DNS spoofing attacks.

How Can Organizations in Morocco Improve Email Security & Deliverability?

  • A prevalent mistake made by individuals working in various sectors in Morocco involves keeping a permissive DMARC policy (i.e., “none”), which makes them vulnerable to spoofing and BEC attempts. It is important to make use of stricter policies (e.g., p=reject or p=quarantine) to ensure stronger domain security. The shift toward stricter policies can and should be gradual to prevent disruptions in email deliverability. 

  • Companies should make regular software updates to ensure that the crucial systems in the country are always updated with security patches and can thereby stand strong against the ever-evolving cyberattacks.

  • Many of the domains in Morocco still lack SPF and especially DMARC records, which makes them vulnerable to spoofing and phishing attacks. The lack of such records may also result in issues related to compliance as well as email deliverability problems for Gmail and Yahoo senders. Note that under PCI DSS 4.0, DMARC compliance is now a recommended practice for businesses that handle or process card payments. 

  • As MTA-STS and TLS-RPT records are completely lacking across the analyzed Moroccan domains, it is essential to pay attention to these major security gaps to ensure inbound mail protection and prevent eavesdropping.

  • Moroccan domains should also:

    • Comply with the 10 DNS lookup limit rule for SPF
    • Eliminate any errors in SPF and DMARC records by using online DNS record generation tools
    • Avoid configuring multiple SPF/DMARC records per domain
    • Make use of advanced security protocols like BIMI that can be useful for increasing brand recall and recognition

PowerDMARC provides worldwide businesses with full-stack, high-quality email authentication SaaS services. The platform combines DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT solutions in one easy-to-access suite of services, ensuring you can find all you need in one comprehensive platform. Our talented and professional team of cybersecurity specialists aims to help MSPs, MSSPs, various organizations, and state entities prevent email-based cyberattacks well before they would reach your digital doorstep!

If you are searching for expert advice and guidance to best configure and set up email authentication protocols with no manual input required from your side, then PowerDMARC is what you need! 

 

Contact the PowerDMARC team today at [email protected] and easily book a 1:1 platform demo in a matter of seconds. One smart decision and a whole era of enhanced security is awaiting you! 

secure email powerdmarcReady to prevent brand abuse, scams and gain full insight on your email channel?

Start 15-day trial Book a demo