Peru DMARC & MTA-STS Adoption Report 2025

In 2021, Peru’s Public Prosecutor’s Office reported an almost 93% increase in cybercrime cases compared to the previous year, among which phishing and ransomware were the most common attack methods. This has not gone unnoticed by authorities. In September 2024, the International Monetary Fund (IMF) began advising Peru’s financial authorities on the development of a national cybersecurity strategy, signaling the urgency of the issue at a national level.

This report provides a technical analysis of the email and domain security posture across Peru’s key sectors. It examines configuration weaknesses and common security gaps that leave organizations vulnerable to the types of breaches that are now making headlines.

Peru Email Security Metrics at a Glance

An analysis of domains in the top Peruvian sectors reveals a troubling paradox. While awareness of basic email security protocols is relatively high, the implementation of measures that actively block threats is alarmingly low.

SPF

A solid 86.1% of domains have correctly implemented SPF records. However, this means nearly 1 in 7 organizations still struggle with misconfigurations or missing records, risking the rejection of legitimate emails and creating authentication loopholes for attackers to exploit.

DMARC

While 66.0% of domains have published a DMARC record, this figure masks a critical weakness. 33.0% of domains have no DMARC record at all, rendering them defenseless against direct domain spoofing.

DMARC Enforcement

This is Peru’s most significant vulnerability. Only 17.9% of domains enforce a p=reject policy. This means over 82% of organizations with DMARC are using it in a monitoring-only mode (p=none), which does not keep fraudulent emails away from target inboxes.

MTA-STS

With an adoption rate of a mere 0.6%, the email transport layer is almost entirely insecure. This exposes nearly all of the analyzed domains’ email traffic to Man-in-the-Middle (MITM) and downgrade attacks, where sensitive communications can be intercepted and read in transit.

DNSSEC

At only 4.6% adoption, the vast majority of Peruvian domains are vulnerable to DNS cache poisoning and hijacking. This allows attackers to redirect users to malicious sites.

Sector-by-Sector Analysis: Uncovering Important Risks

Healthcare: Patient Data on the Line

The healthcare sector’s lack of adoption of security standards is a direct threat to patient privacy and safety. Highly sensitive data is at risk.

Security Metric | Adoption Rate
SPF Correct | 58.3%
DMARC Enforced (p=reject) | 20.8%
No DMARC Record | 37.5%
MTA-STS Adoption | 4.2%
DNSSEC Adoption | 8.3%

Nearly 4 in 10 healthcare organizations lack any DMARC protection, which is a huge oversight for a sector that handles Protected Health Information. This deficiency was exploited in 2023 when hackers targeted a major hospital in Lima in a phishing campaign. They impersonated the hospital’s email domain and sent fraudulent invoices to patients.

Why This Matters:

A single breach can expose sensitive patient diagnoses, treatment plans, and financial details. This not only leads to reputation damage and fines but also puts patient well-being at risk by disrupting care and spreading medical misinformation.

PowerDMARC Solution:

We provide healthcare providers a clear, phased path to full DMARC enforcement (p=reject), which helps protect them from impersonation attacks. Our hosted MTA-STS and TLS-RPT solutions secure communication channels for patient information, which helps organizations achieve compliance with data protection regulations and rebuild patient trust.

Financial Services: Defending Digital Trust

As the backbone of the economy, the financial sector is a primary target for high-stakes fraud. The current security posture reveals an alarming disconnect between the value of the assets protected and the strength of the defenses in place.

Security Metric | Adoption Rate
SPF Correct | 84.4%
DMARC Enforced (p=reject) | 18.8%
No DMARC Record | 25.0%
MTA-STS Adoption | 0%
DNSSEC Adoption | 9.4%

With 1 in 4 financial institutions lacking DMARC and a complete absence of MTA-STS, Peruvian banks, insurers, and fintech companies are acutely exposed. This gap enables devastating Business Email Compromise (BEC) attacks. In a recent incident, attackers spoofed a commercial bank’s domain to send wire transfer requests to corporate clients, successfully diverting hundreds of thousands of dollars before the fraud was detected.

Why This Matters:

Trust is the currency of the financial world. Every successful phishing attack erodes customer confidence and trust. With no email authentication in place, the sector remains vulnerable to invoice fraud and credential theft.

PowerDMARC Solution:

Our platform offers a streamlined path to strict DMARC enforcement. By deploying hosted MTA-STS, we eliminate the risk of in-transit email interception, a non-negotiable requirement for safeguarding financial transactions and maintaining customer loyalty.

Government: Progress Undermined by Enforcement Gaps

Government agencies are rapidly digitizing public services. While SPF adoption is strong, the failure to enforce DMARC creates a dangerous trust deficit.

Security Metric | Adoption Rate
SPF Correct | 94.3%
DMARC Enforced (p=reject) | 26.1%
No DMARC Record | 30.7%
MTA-STS Adoption | 0%
DNSSEC Adoption | 2.3%

Even though the government sector leads in SPF implementation, nearly a third of government domains have no DMARC record, and only a quarter actively block fraudulent emails. This allows hackers to impersonate tax authorities, social security agencies, and other public bodies to obtain sensitive citizen data or commit fraud.

Why This Matters:

When citizens cannot trust an email from a government agency, the whole framework of digital public services is at risk. Secure email is of great importance to national security and the successful rollout of e-government initiatives.

PowerDMARC Solution:

We help government entities safely achieve compliance with emerging email security mandates. Our platform fast-tracks DMARC enforcement to p=reject and simplifies the deployment of DNSSEC, building a resilient and trustworthy email infrastructure for public-sector domains.

Telecommunications: Gatekeepers with Open Doors

As the gatekeepers of national connectivity, telecom providers hold the keys to both personal and corporate communications. Their alarmingly low adoption of DMARC places millions of Peruvians at risk.

Security Metric | Adoption Rate
SPF Correct | 91.0%
DMARC Enforced (p=reject) | 9.0%
No DMARC Record | 43.3%
MTA-STS Adoption | 0%
DNSSEC Adoption | 1.5%

The telecommunications sector has the highest percentage of domains lacking a DMARC record among all sectors analyzed. Combined with the lowest rate of DMARC enforcement (a mere 9.0%), this makes the sector a prime target for attacks like SIM swap fraud, fraudulent billing notifications, and phishing campaigns.

Why This Matters:

A compromised telecom identity can ruin a person’s entire digital life. Attackers who impersonate a telecom provider can intercept security codes, take over accounts, and orchestrate widespread identity theft.

PowerDMARC Solution:

Our hosted DMARC and MTA-STS solutions are designed for the scale and complexity of telecom enterprises. We empower providers to close these dangerous security gaps, protect subscriber accounts from takeover, and secure their brand reputation as trusted communicators.

Transport & Logistics: Exposed to Supply Chain Disruption

The transport sector, which forms the physical backbone of the economy, is highly vulnerable to financial fraud and operational disruption due to its poor email security posture.

Security Metric | Adoption Rate
SPF Correct | 80.0%
DMARC Enforced (p=reject) | 13.3%
No DMARC Record | 35.6%
MTA-STS Adoption | 0%
DNSSEC Adoption | 2.2%

With over a third of domains lacking any DMARC record and a complete absence of in-transit email encryption (MTA-STS), logistics and transport firms are prime targets for invoice fraud and shipment scams. Hackers can impersonate these companies and send fake payment requests to clients or redirect valuable shipments.

Why This Matters:

A successful attack in this sector doesn’t just result in financial loss; it can disrupt entire logistics chains, leading to costly delays, damaged business partnerships, and a loss of customer confidence.

PowerDMARC Solution:

Our platform provides guided DMARC enforcement to block fraudulent invoices and communications. By helping deploy MTA-STS, we secure important operational messages between suppliers, carriers, and customers.

Miscellaneous: A Diverse Group with Common Vulnerabilities

This category includes several organizations not classified in other sectors, from retail to consulting. Although these organizations are diverse, they share a common and dangerous lack of email security maturity.

Security Metric | Adoption Rate
SPF Correct | 88.9%
DMARC Enforced (p=reject) | 11.1%
No DMARC Record | 55.6%
MTA-STS Adoption | 0%
DNSSEC Adoption | 11.1%

This sector has the highest rate of domains with no DMARC record (over 55%), making them exceptionally easy to impersonate. With minimal DMARC enforcement and a total lack of MTA-STS, these businesses are exposed to a broad spectrum of attacks, including invoice fraud, CEO fraud, and phishing campaigns targeting their employees and customers.

Why This Matters:

For small and medium-sized businesses that often make up this sector, a single successful cyberattack can be an extinction-level event. The financial and reputational damage from a breach can be very hard to recover from.

PowerDMARC Solution:

Our platform offers scalable and affordable email security solutions tailored for businesses of all sizes. We provide a clear path to DMARC enforcement and transport layer security, allowing even the smallest organizations to achieve an enterprise-grade security posture.

Education: A Soft Target for Credential Theft

Educational institutions, which manage large amounts of personal data and valuable research, are often seen as soft targets by cybercriminals.

Security Metric | Adoption Rate
SPF Correct | 84.7%
DMARC Enforced (p=reject) | 18.7%
No DMARC Record | 22.0%
MTA-STS Adoption | 1.7%
DNSSEC Adoption | 8.5%

DMARC enforcement is very low, and there is almost no transport-layer encryption. This means universities and schools expose students, faculty, and staff to credential harvesting campaigns. Phishing emails that impersonate university IT departments or academic portals are commonly used to steal login credentials; these give hackers access to sensitive research data, student records, and internal systems.

Why This Matters:

A breach in the education sector puts intellectual property at risk, compromises student privacy, and can damage an institution’s academic reputation. Successful attacks can disrupt learning, compromise research integrity, and expose a large community to even more cyber threats.

PowerDMARC Solution:

Our comprehensive platform is designed to manage complex email environments with scalable DMARC and MTA-STS solutions. We help educational institutions protect their digital campus, secure their research data, and safeguard the privacy of their students and staff from breaches.

Expert Insights

Here is what the experts at PowerDMARC have to say:

“Our analysis highlights that while awareness of email authentication protocols is growing in Peru, many organizations are still in the early stages of enforcement. Strengthening DMARC implementation and adopting transport-layer security can significantly enhance trust and protection across sectors. At PowerDMARC, we support organizations in taking these important steps, seamlessly.”

Maitham Al Lawati, CEO, PowerDMARC

“Securing email requires a multi-layered approach, from DMARC enforcement to MTA-STS adoption and ongoing SPF optimization. Our aim has always been to provide clear guidance and automated tools to help organizations simplify email security management, without adding operational complexity.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

Benchmarking: Europe From a Peruvian Perspective

When benchmarked against several European nations, Peru’s email security landscape reveals a troubling paradox. On one hand, Peru demonstrates a strong foundation in basic email authentication, with an SPF correctness rate (86.1%) that is on par with, and even surpasses, some of its European counterparts like Sweden and Norway.

However, this initial strength masks important vulnerabilities in the more advanced, active security layers, where Peru lags considerably. While its DMARC enforcement rate (17.9%) is similar to Italy’s, it falls well behind the levels seen in Belgium and the Nordic countries. The divergence is most stark in transport-layer security (MTA-STS at 0.6%) and domain integrity (DNSSEC at 4.6%), where Peru’s near-nonexistent adoption rates stand in sharp contrast to the more robust protections being implemented across Europe. This gap highlights a major risk: while Peru has awareness of email security, its lack of enforcement leaves it far more exposed to attack than its European peers.

Country | SPF Correctness | DMARC Enforcement (p=reject) | MTA-STS Adoption | DNSSEC Adoption
Belgium | 90.1% | 24.7% | 2.1% | 21.4%
Netherlands | 70.0% | 23.2% | 0.9% | 37.7%
Sweden | 85.0% | 29.7% | 2.9% | 25.9%
Norway | 85.2% | 29.0% | 4.4% | 45.6%
Italy | 91.0% | 16.7% | 1.0% | 3.5%
Peru | 86.1% | 17.9% | 0.6% | 4.6%

Four Common Mistakes Hindering Peru’s Email Security

There are four important mistakes that are pretty common across different sectors in Peru.

1. Mistaking Monitoring for Protection

The single most widespread mistake is implementing DMARC in a monitoring-only mode (p=none). Over 82% of organizations with DMARC are not using it to block threats. Even though this policy does provide visibility into who is sending email on your behalf, it does not stop a malicious email from reaching the primary inbox. That’s why hackers like p=none so much, as they can do whatever they want freely while the organization remains a spectator.
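
The difference between publishing a DMARC record and enforcing one can be checked mechanically. The following is an added example, not part of the report or of any PowerDMARC tooling: it classifies the TXT strings found at _dmarc.<domain> into the postures discussed above. The domain names and records are constructed, and the posture labels are this example's own.

```python
# Added example, not from the report: classify DMARC posture from the TXT
# strings published at _dmarc.<domain>. DNS lookup is omitted so it runs offline.
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not a DMARC record."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (not sep or name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        if sep:
            tags.setdefault(name, value)  # first occurrence of a tag wins here
    return tags or None

def classify(txt_records):
    """Return (posture, detail) for the list of TXT strings at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return ("no-record", "domain can be spoofed directly")
    if len(records) > 1:
        return ("invalid", "multiple DMARC records; receivers apply none of them")
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Strict reading; RFC 7489 lets receivers fall back to p=none if rua is valid.
        return ("invalid", "missing or unknown p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # unparsable pct: fall back to the default
    if policy == "none":
        return ("monitoring-only", "reports are sent, spoofed mail is still delivered")
    if policy == "reject" and pct == 100:
        return ("enforced", "failing mail is rejected")
    return ("partial", f"p={policy} applied to {pct}% of failing mail")

# Constructed sample data (hypothetical domains, not taken from the report).
SAMPLES = {
    "bank.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank.example"],
    "clinic.example": ["v=spf1 -all"],  # a TXT record, but not a DMARC one
    "telco.example": ["v=DMARC1; p=quarantine; pct=25"],
    "gov.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@gov.example"],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def summarize(samples):
    """Count how many domains fall into each posture."""
    return Counter(classify(records)[0] for records in samples.values())

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *classify(records), sep=" | ")
```
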

2. Ignoring Data in Transit: The Forgotten Layer

The near-total absence of MTA-STS adoption (99.4% of domains have no protection) is a huge oversight. Without it, email communications can be forced over unencrypted channels; this allows attackers to intercept, read, and alter sensitive information in transit. This is very dangerous for sectors like finance, healthcare, and government, where confidential data is exchanged daily. It’s dangerous to believe that basic TLS is enough to stop downgrade attacks.
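
Why MTA-STS closes the downgrade gap that opportunistic TLS leaves open is easiest to see from the sending server's side. The following is an added example, not part of the report: it parses a policy file in the format defined by RFC 8461 and applies the decision a sending MTA makes when TLS to the recipient's MX fails. The policy text, host names, and function names are constructed for illustration.

```python
# Added example, not from the report: how a sending MTA applies an MTA-STS
# policy (RFC 8461). Policy text and host names are constructed.
ENFORCE_POLICY = """version: STSv1
mode: enforce
mx: mail.bank.example
mx: *.mx.bank.example
max_age: 604800
"""
TESTING_POLICY = ENFORCE_POLICY.replace("mode: enforce", "mode: testing")

def parse_policy(text):
    """Parse the key/value policy file; return None if it is not a usable policy."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches one of the policy's mx patterns."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard covers exactly one left-most label.
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS succeeded with a certificate valid for mx_host."""
    if policy is None or policy["mode"] == "none":
        # No policy: TLS is opportunistic, so a stripped STARTTLS goes unnoticed.
        return "deliver"
    if tls_ok and mx_allowed(policy, mx_host):
        return "deliver"
    # testing mode still delivers; the failure only shows up in TLS-RPT reports.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"

if __name__ == "__main__":
    policy = parse_policy(ENFORCE_POLICY)
    print(delivery_decision(policy, "mail.bank.example", tls_ok=False))  # refuse
```
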

3. Neglecting the Foundation: SPF & DNSSEC Errors

A house built on a weak foundation will crumble. The same is true for email security. The 14% of domains with incorrect or missing SPF records risk their legitimate emails being marked as spam or rejected entirely, causing business disruption. More critically, 95.4% of domains without DNSSEC are vulnerable to DNS hijacking.

4. The “Set and Forget” Mentality

Email authentication is not a one-time setup; it is an ongoing process of management. The low enforcement rates and persistent SPF errors suggest that many organizations implement a basic configuration and then fail to manage it. New email vendors, marketing platforms, and third-party services are being added. With no monitoring and updating of SPF and DMARC records, organizations lose control of their email ecosystem.

Why PowerDMARC: Your Partner in Domain Authentication

Navigating the complexities of email authentication and achieving a robust domain security posture requires expertise, visibility, and control. PowerDMARC provides a cloud-based platform and managed services designed to address several vulnerabilities identified in this report and guide Peruvian organizations from a state of passive risk to one of active defense.

A Clear Path to Enforcement

At PowerDMARC, we eliminate the fear and complexity of moving to a p=reject policy. We turn DMARC from a reporting tool into a powerful defense mechanism.

Simplified, Hosted Security

The low adoption of MTA-STS and DNSSEC is often due to perceived complexity. PowerDMARC offers hosted, easy-to-deploy solutions that remove the configuration burden from your team.

Unified Visibility

Our platform consolidates DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI into a single, user-friendly dashboard, so you can view your whole security posture in one platform.

Automated and Intelligent Management

Say goodbye to SPF errors and manual record management. Our platform includes automated tools like PowerSPF, which dynamically optimizes your SPF record to prevent “too many lookups” errors.

Expert Guidance at Every Step

We are more than a software provider; we are your dedicated domain security partner. Our team of experts provides personalized guidance, from initial assessment to full enforcement and ongoing management.

Actionable Threat Intelligence

Transform raw DMARC data into actionable insights. Our platform helps you visualize your email traffic, detect any unauthorized senders, and prevent the next phishing attack with the help of advanced threat intelligence.

The Path Forward: From Passive Monitoring to Active Defense

Peru stands at an important juncture. The foundational awareness of email authentication is present, but it has created a false sense of security. The reliance on monitoring-only policies and the lack of transport-layer encryption leave the door open for hackers to enter and attack.

Organizations must shift their mindset from passive observation to active defense. This requires a commitment to:

  1. Full DMARC Enforcement: Organizations in Peru should move beyond p=none; a p=reject policy is the only way to proactively stop domain spoofing and phishing attacks.

  2. Securing Data in Transit: It is important to adopt MTA-STS to close the door on email interception.

  3. Validating the DNS Foundation: DNSSEC is indispensable for preventing DNS hijacking and ensuring that all other email security measures rest on a trusted foundation.

PowerDMARC provides the expertise, tools, and managed services to guide Peruvian organizations through this journey. Our integrated platform simplifies the complexities of SPF, DMARC, MTA-STS, and DNSSEC, so you can transition swiftly and securely to a fully protected email ecosystem.

The time for awareness is over. The time for action is now.

Contact [email protected] for a personalized consultation to enhance your email security posture today.