Email Phishing and DMARC Statistics: 2026 Email Security Trends

Phishing attacks are among the most common and costly cyber threats affecting anyone using the Internet. These attacks, often disguised as legitimate emails, trick people into sharing sensitive information or unknowingly downloading harmful software, with billions lost yearly.

To combat this, organizations are turning to DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC is an email authentication protocol designed to prevent email spoofing, a tactic at the heart of most phishing schemes. Yet, despite its effectiveness, many companies have yet to adopt DMARC, resulting in billions of dollars lost each year. DMARC statistics consistently show that email spoofing remains one of the primary entry points for phishing campaigns.

To address this risk, we’ve highlighted the most common phishing tactics, the risks,  and how they exploit email vulnerabilities. We will also explain how DMARC can effectively protect your organization from email spoofing, a major contributor to phishing attacks.

Simplify Security with PowerDMARC!

Key Cybercrime Statistics

The global number of cyberattacks over recent years tells a clear trend: cyber threats continue to grow in scale and sophistication. Back in 2016, there were about 4.3 million reported attacks worldwide, but just five years later, that number had surged to more than 19 million (a spike largely driven by the massive shift to online activity during the pandemic). And the trend hasn’t slowed. In the first half of 2025 alone, more than 8,000 data breaches exposed roughly 345 million records, underscoring just how serious and persistent cyber threats remain.

Experian’s 2026 Data Breach Industry Forecast points to growing concern about the use of artificial intelligence in cybercrime. The report notes that AI is making attacks more advanced and harder to detect, allowing criminals to create convincing fake identities and automate attacks faster than traditional defenses can respond.

Top crime types

Investment fraud: The costliest category of cybercrime, with $6.5 billion in losses, primarily driven by scams like cryptocurrency “pig butchering” that combine social engineering with digital finance.

Business email compromise (BEC): A persistent threat targeting organizations’ financial processes, resulting in $2.9 billion in reported losses and highlighting how attackers exploit trusted communication channels.

Ransomware: While reported financial losses have risen over recent years, the true cost often stems from operational impacts; in 2025, organizations hit by these attacks were down for an average of 24 days, with lost productivity, stalled operations, and recovery expenses often far outweighing the ransom itself.

These trends show that as technology changes, cyberattacks change with it, and organizations that understand how these threats work are better positioned to protect themselves.

Phishing scams

Not all cyberattacks are created equal, and when we look at the data by type, some interesting patterns emerge.

Phishing attacks grew dramatically during the pandemic, rising from about 0.44 million in 2016 to nearly 9 million by 2023, as more people relied on digital communication.  In 2025, phishing is still one of the biggest cyber threats. Attack volumes are projected to stay close to 5 million annually, not because the tactics are new but because they work. These attacks are not only harmful but also expensive. On average, a single phishing-related breach costs organizations around $4.88 million, showing how damaging these attacks can be.

Phishing has become one of the easiest ways for attackers to break in, steal login details, and trigger larger attacks, which is why stopping malicious emails remains a top cybersecurity priority.

Personal data breaches

Personal data breaches ranked second globally, with 1.66 million incidents reported worldwide. Personal data breaches occur when unauthorized parties gain access to sensitive information such as names, email addresses, login credentials, financial details, or medical records. This often shows up as hacked databases, exposed customer records, leaked employee details, or cloud storage that was left open or improperly secured.

Other major cybercrime categories followed:

• Extortion – 1.39 million
• Investment fraud – 1.18 million
• Tech support scams – 1.1 million
• Identity theft – 0.59 million
• Credit card fraud – 0.41 million

These numbers make it clear that cybercrime is still largely about two things: exposing data and exploiting it for financial gain.

Cybercrime in the U.S.

In the United States, phishing and spoofing were the most frequently reported cybercrime categories in 2024, according to the FBI’s Internet Crime Complaint Center (IC3). This mirrors global trends, reinforcing phishing as the most widespread and persistent cyber threat, given its low barrier to entry and reliance on human trust.

Other types of cybercrime were still common, even if they showed up less often overall:

Personal data breaches: Continued to impact tens of thousands of individuals, involving unauthorized access to sensitive personal or financial information.

Tech support fraud: A common scam type in which attackers pose as legitimate technical support to extract payments or remote access from victims.

Non-payment/non-delivery scams: Still widely reported, particularly in online marketplaces, where victims pay for goods or services that are never delivered.

Extortion: Reports remained steady, including threats tied to data exposure, account compromise, or known ransomware tactics.

Cybercrime worldwide

Globally, cybercrime has impacted a significant share of adults, with some types more common than others. For instance, 41% of online adults report experiencing viruses or malware on their devices. Phishing scams are also common, affecting about 30% of users, while mobile/SMS scams have impacted 35%.

For nearly a decade, the frequency of these threats accelerated significantly, with cases of global cyberattacks nearly doubling as criminal methods became more sophisticated and frequent.

The cost of cybercrime

Cyberattacks have become increasingly sophisticated and, with that, increasingly costly. In 2018, global cybercrime costs were estimated at $860 billion. By 2024, that figure had risen to an estimated $9.22 trillion, and projections for 2025 place global cybercrime costs at approximately $10.5 trillion annually, reflecting nearly a tenfold increase in just a few years. 

Recent major incidents

The first quarter of 2025 brought another wave of high-profile cyberattacks and data breaches, affecting millions of individuals and organizations around the world. Attackers took advantage of everything from software vulnerabilities to weak third-party security, showing just how many entry points still remain exposed.

• Coupang Data Breach: South Korea’s largest online retailer confirmed a massive breach that exposed personal information of over 33 million customers, prompting executive resignations and government scrutiny.
• 700Credit Breach: Hackers accessed a third-party API, exposing sensitive data from more than 5.8 million people at the credit-checking and identity services provider.
• Oracle E-Business Suite Campaign: Attackers exploited a zero-day vulnerability in Oracle’s EBS platform, tied to breaches at educational and financial institutions, leading to large-scale data theft and extortion demands.
• Salesforce/Gainsight Supply Chain Breach: A compromise of the Gainsight customer support platform resulted in the theft of data from 200+ companies using Salesforce services.
• Qantas Data Leak: Hackers leaked personal records of about 5 million Qantas customers on the dark web after a ransom deadline passed, part of a broader campaign affecting many major firms.

Similar breaches continue to target both large global enterprises and critical third-party systems, resulting in wide-ranging impacts on privacy, trust, and operational continuity.

Phishing Statistics

Phishing activity continued to rise sharply in 2025, with over 1 million phishing attacks reported in Q1 alone, according to APWG data. This shows that phishing remains popular because it easily exploits trust and everyday online habits.
Scammers relied heavily on attention-grabbing words like “Urgent,” “Sign,” “Password,” “Document,” and “Delivery” to lure people in, along with financial terms like “Payment,” “Wire transfer,” “BACS,” “Credit,” and “Purchase.”

These words were strategically chosen to prompt people to act without second-guessing, a reminder of how sophisticated phishing tactics have become in their pursuit of personal and financial information.

Email phishing statistics

Data from the APWG Phishing Activity Trends Reports shows a steady and accelerating rise in phishing attacks over the past several years, with email remaining the primary delivery method.

• 2022: Phishing activity rose quickly over the year, growing from a few million attacks per month early on to well over 4 million per month by mid to late 2022, showing that large-scale phishing had become the norm rather than the exception.
• 2023: Phishing attacks routinely topped 5 million per month and surged toward the end of the year, reaching record highs by December 2023 as attacks became both more frequent and larger in scale.
• 2024: APWG reports indicate that phishing volumes remained consistently high throughout the year, driven by increased use of brand impersonation, credential harvesting, and email-based social engineering. Attack levels stabilized at historically elevated ranges rather than returning to pre-2022 norms.
• 2025: Early APWG data shows phishing activity continuing at scale, with over one million attacks reported in Q1 alone, confirming that phishing remains one of the most persistent and effective cybercrime methods. Automation and AI-assisted tactics have further increased attackers’ reach and efficiency.
• 2026 (Outlook): APWG forecasts indicate that phishing will keep growing in 2026, as AI makes scams easier to create, impersonation more believable, and attacks spread beyond email into cloud services and collaboration tools.

Phishing is no longer cyclical or temporary. It has become a permanent, high-volume threat that organizations must actively manage year after year.

Phishing site trends

Phishing site trends track the number of unique websites created specifically to host phishing pages, giving insight into how actively attackers are building infrastructure to support scams. These sites are often short-lived, frequently taken down and replaced, which makes their volume a useful indicator of phishing activity over time.

The number of unique phishing sites has fluctuated over the years, with a notable peak in 2022 and early 2023, when more than one million sites were detected per quarter. After this surge, activity declined steadily through 2024, dropping to around 877,536 unique sites, suggesting a temporary slowdown in new site creation.

However, this decline did not last. According to the APWG Q2 2025 report, over one million unique phishing websites were detected again in Q2 2025, signaling a renewed increase in phishing infrastructure. This increase shows that attackers adapt quickly, creating new sites as defenses improve, which keeps phishing an ongoing threat.

Phishing attacks by industry

Phishing remains one of the most widely used attack methods across industries, largely because it targets people rather than systems. In 2025, attackers increasingly rely on AI-driven phishing tactics, including highly personalized emails, realistic brand impersonation, and messages generated at scale that closely mimic internal communication styles. These techniques have made phishing harder to spot and more effective as an entry point for broader attacks.

Phishing continues to affect nearly every sector, though its role and frequency vary by industry:

• Media Production: One of the most heavily targeted sectors, where phishing is commonly used to gain initial access to operational systems and supply-chain workflows.
• Government and Public Sector: Phishing remains a leading attack method, driven by the high value of sensitive data and widespread use of public-facing email infrastructure.
• Manufacturing: Frequently targeted due to complex supply chains and reliance on email-based coordination, making phishing an effective entry point.
• Finance and Insurance: A frequent target because of direct financial incentives, with phishing often used to steal credentials, initiate fraud, or redirect payments.
• Energy and Utilities: While other attack vectors are also common, phishing continues to play a role in credential theft and early-stage access attempts.
• Entertainment: Targeted through phishing campaigns aimed at account takeovers, intellectual property theft, and access to production or distribution systems.
• Transportation and Logistics: Increasingly targeted as attackers exploit interconnected systems, third-party vendors, and time-sensitive operations.
• Healthcare and Pharma: A consistent target due to sensitive patient data and time-pressured staff, which can make phishing emails harder to spot.
• Travel and Tourism: Frequently targeted because of high transaction volumes and extensive customer communication via email.
• Retail and Consumer Services: Phishing is commonly used to compromise employee credentials and gain access to customer data or payment systems.

To reduce phishing risk, organizations across all industries benefit from a layered approach. This includes employee awareness training tailored to real attack patterns, strong email authentication and filtering, regular testing through simulated phishing, and clear internal reporting processes. As phishing tactics continue to evolve with AI, prevention depends as much on informed users as it does on technical controls.

Targeted online industry sectors

In Q2 2025, phishing attacks most frequently targeted financial institutions (18.3%), closely followed by SaaS/Webmail platforms (18.2%). E-commerce and retail accounted for 14.8% of attacks, while payment services represented 12.1%, and social media platforms 11.3%. These sectors continue to attract attackers because they support high volumes of digital transactions, store valuable credentials, and provide direct paths to financial fraud and account takeover.

Most targeted countries

In 2025, the countries most frequently targeted by cyberattacks are led by the United States, followed by Ukraine, Israel, Japan, and the United Kingdom. Other countries consistently appearing among the most targeted include Saudi Arabia, Brazil, India, Germany, and Poland. 

This ranking reflects overall attack volume and risk concentration rather than the share of individual users who were phished, and it’s tied to factors such as large digital economies, high-value industries, and conflict-driven spikes in malicious activity.

Top domains used in phishing

Phishing sites continue to rely on familiar top-level domains to appear legitimate, but abuse is increasingly concentrated in a mix of legacy and newer TLDs. Between February and April 2025, “.com” remained the most abused TLD by volume, with more than 142,000 phishing domains reported, reflecting its massive global footprint. However, alternative and newer TLDs now account for a disproportionate share of phishing activity, including “.top,” with over 70,000 phishing domains, as well as “.xyz,” “.bond,” and “.vip,” which show significantly higher phishing density relative to their size. 

This shows how attackers are pairing user trust in common domains with the low cost and weaker oversight often associated with newer or niche TLDs.

Most targeted brands

Phishing campaigns increasingly rely on brand impersonation to build credibility and increase success rates. Rather than targeting a broader range of brands, recent activity shows a concentration around a smaller set of globally trusted platforms that anchor users’ digital lives.

By Q2 2025, attackers overwhelmingly focused on technology, communication, and consumer platforms with massive daily user bases. This suggests less emphasis on expanding the number of brands targeted, and more focus on high-impact impersonation of brands that grant access to email, cloud services, payments, and personal data.

Most impersonated brands in online phishing (Q2 2025)

Attackers continue to prioritize brands with global reach and habitual user interaction. In Q2 2025, the most impersonated brands were:

Microsoft – 25%

Google – 11%

Apple – 9%

Spotify – 6%

Adobe – 4%

LinkedIn – 3%

Amazon – 2%

Booking.com – 2%

WhatsApp – 2%

Facebook – 2%

This shows a clear change from earlier years, when retail brands were the main phishing targets. Today, attackers focus more on account-based platforms, aiming to steal logins, take over accounts, and use them for further fraud.

Notable brand phishing campaigns in Q2 2025

Spotify phishing returned to the top rankings for the first time since 2019, with attackers replicating official login pages and routing victims through fake payment flows to harvest both credentials and card details. The campaign demonstrated how convincingly entertainment brands can be weaponized when users expect regular billing or account alerts.

Booking.com impersonation surged sharply, with researchers identifying more than 700 newly registered domains designed to mimic booking confirmation pages. These scams stood out for their use of personalized victim data, which heightened urgency and believability, especially for travelers expecting legitimate confirmation emails.

Countries of origin for phishing attacks

According to the latest figures, China is the largest source of global cyberattack traffic, accounting for over 40% of observed activity. Russia follows at around 15%, and the United States accounts for about 10%, largely because compromised U.S.-based systems are often hijacked and used to launch attacks.

Other notable sources include India (about 5% of global phishing and malware activity), Brazil (the leading source within Latin America, representing around 30% of regional attacks), and Vietnam, which is described as a fast-rising origin point for cyberattack activity.

Phishing attacks using AI

According to a study, 95% of IT leaders say cyberattacks are now more sophisticated than ever, and AI-powered attacks have increased by 51% in recent years. This shift has left many IT leaders feeling exposed, with 35% saying they’re worried about their ability to stop these attacks effectively.

That concern lines up with what newer trend reporting is seeing: deepfake impersonations increased by 15% over the last year, and these incidents often go after high-value individuals, especially in finance and HR, where access and approvals can unlock money, payroll changes, or sensitive records. 

Time-saving advances with AI-generated phishing

Manually writing a convincing phishing email takes around 16 hours on average. With AI tools, a convincing message can be produced in as little as 5 minutes, saving cybercriminals almost two full days per email.

That time advantage makes it easier to run large campaigns, test different versions of the same lure, personalize messages faster, and scale attacks across email plus other channels without spending much effort per target.

Phishing and QR codes

QR code phishing is a technique where attackers hide malicious links inside QR codes and distribute them through emails, documents, flyers, or invoices. When a user scans the code with a phone, they are redirected to a phishing site or a page that prompts them to enter credentials or payment details. Because QR codes are images rather than readable URLs, users cannot easily see where the link leads before scanning, and many email security tools struggle to inspect them effectively.

Creating a QR code requires little effort or expertise. Publicly available QR code generators allow anyone to turn a URL into a scannable image in seconds. These tools are widely used for legitimate purposes such as payments, event access, and marketing, but attackers exploit the same services to disguise phishing links. Some generators also allow the destination link to be changed after the QR code is created, making it easier to rotate phishing pages and evade detection.

Recent industry reporting shows how quickly this tactic has scaled. During Q2 2025, security researchers recorded over 635,000 unique malicious QR codes embedded in phishing emails. Looking at a broader window, more than 1.7 million unique malicious QR codes were observed over the six-month period spanning Q4 2024 and Q1 2025. These figures demonstrate that QR codes are no longer a niche phishing technique, but a widely used delivery method as attackers shift toward mobile-first and image-based deception.

DMARC Statistics

As phishing and domain spoofing continue to evolve, managed DMARC solutions have become an important part of modern email security. They allow organizations to monitor authentication results, identify unauthorized sending sources, and ensure legitimate messages are delivered without unnecessary disruption.

Updated email authentication standards were introduced in early 2024 by Google and Yahoo. Under these rules, any organization sending more than 5,000 emails per day to Gmail or Yahoo Mail users is required to implement DMARC. Enforcement hasn’t been a sudden, all-or-nothing shift; mailbox providers have been tightening compliance gradually instead of blocking everything on day one.

Since these updates rolled out, providers have reported a 65% reduction in unauthenticated email reaching Gmail inboxes—a clear sign of how quickly stronger authentication requirements can reshape what actually gets delivered.

These rules extend beyond basic SPF, DKIM, and DMARC alignment. Bulk senders must also keep spam complaint rates below 0.3% and support one-click unsubscribe functionality. Senders that fail to meet these standards risk having messages throttled, rejected, or routed directly to spam folders, even if authentication is technically in place. This shift signals a move from simple identity verification toward broader sender behavior and hygiene enforcement.

Despite this momentum, adoption remains uneven. Deliverability data shows DMARC usage continued to grow, but coverage is far from universal. Q2 2025 analysis indicates that only about 18% of the world’s 10 million most-visited domains publish a valid DMARC record, and just around 4% fully enforce a reject policy. This leaves the vast majority of domains still vulnerable to spoofing and brand impersonation.

As enforcement continues to tighten across major mailbox providers, these requirements are expected to affect all organizations that rely on email, not just high-volume marketers. Companies that delay implementing and enforcing SPF, DKIM, and DMARC risk increasing delivery issues, higher phishing exposure, and reduced trust in their domains as authentication standards continue to mature.

DMARC adoption by country

DMARC adoption continues to vary widely by region, with only a small number of countries showing both broad coverage and meaningful enforcement.

Among the countries analyzed, Sweden stands out for consistently higher DMARC adoption and stronger use of enforcement policies, particularly when compared with peers. Norway also shows relatively strong enforcement in key sectors, especially finance and healthcare, though gaps remain elsewhere.

By contrast, the Netherlands demonstrates high awareness but uneven implementation, with a large share of domains still lacking DMARC and limited enforcement across several sectors.

Even in the most advanced markets, no country has achieved the level of universal coverage and enforcement required to fully prevent large-scale spoofing and brand impersonation, emphasizing that coordinated policy, sustained awareness, and consistent enforcement are still works in progress rather than finished outcomes.

Recent country-level DMARC research (PowerDMARC)

Recent country-specific research by PowerDMARC highlights how cyber risk profiles and existing email-security maturity shape DMARC adoption and enforcement outcomes:

Norway

• Cyber risk narrative: Rising exposure to phishing and social-engineering fraud has increased pressure on both public and private digital communications, particularly as financial scams and identity theft affect a growing share of the population.
• Email-security pattern: Norway shows comparatively strong DMARC maturity, driven largely by regulated sectors. In the financial sector, DMARC adoption is nearly universal, with only 6.8% of domains lacking a DMARC record, while healthcare leads in enforcement quality, with 55.6% of domains using a strict “reject” policy. By contrast, adoption remains uneven across the broader economy. The transport sector lags significantly, where 28.8% of domains still operate without DMARC and only 9.1% enforce rejection, creating exploitable gaps despite the country’s overall progress. These sectoral imbalances, combined with minimal MTA-STS deployment and only moderate DNSSEC adoption, mean that authentication gains are not consistently reinforced by transport and domain-integrity protections.

Morocco

• Cyber risk narrative: Elevated cyber risk is driven by high volumes of malware and banking trojan activity, repeated attacks on media and public institutions, and broad exposure across both commercial and government sectors.
• Email-security pattern: DMARC adoption in Morocco remains uneven and largely unenforced. While the insurance sector shows relatively higher adoption, with 66.67% of domains publishing a DMARC record, most other industries lag far behind. Pharmaceutical domains, for example, show adoption as low as 12.50%, reflecting minimal baseline protection. Enforcement is even weaker. Only 11.11% of insurance-sector domains apply a strict “reject” policy, while entire industries, including banking, education, construction, food and beverages, and pharmaceuticals, have no domains enforcing rejection at all. In the absence of meaningful DMARC coverage across most sectors, and with no supporting transport or DNS protections in place, email-based impersonation remains structurally easy to exploit across the economy.

Tunisia

• Cyber risk narrative: Rising cyber risk is driven by increasing attacks on industrial and government sectors, growing financial losses from phishing and fraud, and uneven protection across critical institutions.
• Email-security pattern: DMARC adoption in Tunisia remains inconsistent across sectors, with no industry approaching comprehensive coverage. The education sector shows the highest adoption rate at 42.62%, yet the majority of domains, even in this leading sector, still lack DMARC. Government domains lag significantly, with only 18.39% publishing a DMARC record, exposing trusted public communications to spoofing. Finance and telecommunications show moderate adoption at 32.71% and 33.33%, respectively, reflecting partial awareness without widespread enforcement. Without broader DMARC adoption and with no reinforcement from transport-layer or DNS security, these gaps leave email communications widely exposed across both public and commercial domains.

Netherlands

• Cyber risk narrative: Heightened cyber risk stems from increasingly sophisticated state-sponsored activity and broad sector exposure, as reflected in national security assessments and preparations for NIS2 enforcement.
• Email-security pattern: DMARC adoption in the Netherlands varies sharply by sector, revealing strong protection in some areas and significant gaps in others. Government domains show relatively high adoption, with just over 1% operating without DMARC, indicating strong baseline protection for official communications. Healthcare and education also perform better than average, with approximately 25% of healthcare domains and 13% of education domains lacking DMARC. By contrast, adoption remains weak across several critical industries. In transport, roughly 65% of domains operate without DMARC, while telecommunications shows a similarly high gap. While leading sectors demonstrate stronger baseline controls, the lack of consistent DMARC adoption across transport, telecommunications, and finance, combined with weak transport and DNS safeguards, creates uneven protection at scale.

Sweden

• Cyber risk narrative: Near-universal internet connectivity and a sharp rise in ransomware and extortion-based attacks have increased national exposure, prompting coordinated government action while leaving email-based threats a persistent risk.
• Email-security pattern: Sweden demonstrates relatively high DMARC adoption across major sectors, though coverage remains incomplete. The banking sector shows the strongest adoption, with approximately 84% of domains publishing a DMARC record, reflecting higher baseline protection in a tightly regulated industry. By contrast, the media sector trails other industries, with adoption at around 69%, leaving a meaningful share of domains without authentication safeguards. Telecommunications also lags behind leading sectors, resulting in uneven protection of critical communications infrastructure. Despite comparatively higher DMARC adoption overall, limited deployment of transport and DNS protections constrains the effectiveness of authentication across the wider email ecosystem.

Peru

• Cyber risk narrative: Rapidly rising phishing, ransomware, and impersonation attacks have increased national exposure amid accelerating digitalization, with growing awareness but persistent enforcement gaps leaving critical sectors exposed.
• Email-security pattern: DMARC adoption in Peru reflects broad awareness but uneven coverage across industries. While approximately two-thirds of analyzed domains publish a DMARC record, around 33% still operate without DMARC, leaving a significant portion of email traffic unprotected against spoofing. Sector-level gaps are pronounced. In healthcare, more than 37% of domains lack DMARC, while telecommunications shows even weaker coverage, with over 43% operating without any DMARC record. Transport and logistics also remain exposed, with roughly 36% of domains lacking DMARC, and financial services show incomplete adoption, with one in four domains still unprotected. These adoption gaps, reinforced by the near absence of transport-layer encryption and minimal DNS protection, leave a large share of email traffic exposed despite growing awareness of authentication standards.

Belgium

• Cyber risk narrative: Sustained phishing and impersonation risk persists due to Belgium’s role as a hub for EU institutions, finance, media, and government communications, where trusted domains are frequently targeted despite stronger regulatory pressure.
• Email-security pattern: DMARC adoption in Belgium is relatively widespread but remains uneven across sectors. While a majority of analyzed domains publish a DMARC record, around 20.6% still operate without DMARC, leaving a significant attack surface for domain spoofing. Sector-level gaps are pronounced in critical areas. More than 26% of government domains lack DMARC, exposing public-sector communications to impersonation. The transport sector shows even weaker coverage, with approximately 36% of domains operating without DMARC, while healthcare remains partially exposed, with nearly 15% lacking protection. Financial services perform comparatively better, though gaps remain even in this highly targeted sector. As a result, high awareness does not consistently translate into protection, with limited transport-layer and DNS safeguards amplifying the impact of uneven DMARC adoption across sectors.

New Zealand

• Cyber risk narrative: Rising phishing and spoofing activity targeting government and public-sector domains has increased national attention on email trust, prompting mandatory reforms to protect official digital communications.
• Email-security pattern: DMARC adoption in New Zealand remains uneven across sectors despite growing awareness. While government domains show comparatively stronger coverage, with roughly 13% still lacking DMARC, adoption drops sharply elsewhere. The transport sector is the most exposed, with over 52% of domains operating without DMARC, creating a large attack surface for impersonation and fraud. The healthcare and media domains also show significant gaps: more than 40% lack DMARC, while telecommunications remains partially unprotected, with around 35% of domains operating without authentication safeguards. Overall, approximately 37% of New Zealand domains have no DMARC record at all. Outside a small set of better-protected public-sector domains, inconsistent DMARC coverage, combined with minimal transport and DNS security, continues to limit the resilience of national email communications.

Italy

• Cyber risk narrative: Despite strong national cybersecurity readiness, Italy continues to face significant phishing and spoofing activity, with email-based fraud driving major financial losses across government, healthcare, finance, and critical infrastructure.
• Email-security pattern: DMARC adoption in Italy remains uneven across sectors, leaving substantial portions of email traffic unprotected. Around 26% of analyzed domains lack a DMARC record, exposing organizations to direct domain spoofing. Gaps are particularly pronounced in the public and service-oriented sectors. Approximately one-third of government domains lack DMARC, while healthcare and transport each show similar exposure, with roughly one in four to one in three domains operating without protection. Telecommunications also remains partially unprotected, with about 30% of domains lacking DMARC. Financial services perform comparatively better, though gaps persist even in this high-risk sector. This disconnect between institutional readiness and operational email protection is reinforced by weak transport and DNS security, allowing sector-level DMARC gaps to persist across critical industries.

Germany

• Cyber risk narrative: Germany faces elevated cyber risk from email-based fraud and espionage targeting critical infrastructure sectors, including banking, healthcare, and transport, where trust and reliability are essential to national stability.
• Email-security pattern: DMARC adoption in Germany remains uneven despite strong foundational email authentication. While a majority of domains publish a DMARC record, approximately 32.3% still operate without DMARC, leaving nearly one in three organizations exposed to domain impersonation. Sector-level gaps are pronounced in critical areas. More than 42% of government domains lack DMARC, weakening trust in official communications. The healthcare sector is particularly exposed, with over 53% of domains operating without DMARC, while transport and logistics show significant gaps, with roughly 34% lacking protection. Education also remains partially exposed, with nearly 32% of domains without DMARC. Financial services perform comparatively better, though gaps persist even in this high-risk sector. In the absence of consistent DMARC adoption across critical sectors, and with limited reinforcement from transport and DNS controls, substantial portions of German email traffic remain structurally exposed.

One pattern shows up consistently across the data: when countries move beyond simple monitoring and actually enforce DMARC policies, the security gains are real and measurable. Domains with strict DMARC enforcement see fewer successful spoofing attempts, stronger sender reputations, and better inbox placement for legitimate email — clear proof that enforcement, not just adoption, is what makes the difference. By contrast, regions where DMARC remains in “monitor only” mode continue to see high levels of brand abuse despite having SPF and DKIM in place.

The takeaway is clear. Adoption alone is not enough. The countries making real progress are those that pair existing email authentication with active DMARC enforcement, setting a practical example for others still vulnerable to email-based attacks.

DMARC coverage by industry

DMARC adoption has improved across several industries, but coverage and enforcement remain uneven, even in high-risk sectors like banking.

While banking remains one of the strongest sectors relative to others, current protection levels still fall short of what is required to reliably safeguard sensitive financial interactions at scale.

Other industries continue to lag behind:

• Only around 52% of insurance and legal services firms have implemented DMARC, leaving a large attack surface for invoice fraud, impersonation, and credential harvesting.
• Aviation, semiconductors, computer software, and broader financial services sectors cluster just above the 45% adoption mark, with many domains either lacking DMARC or using non-enforcing policies.

Overall, adoption alone is no longer the core issue. The persistent gap lies in moving from presence to enforcement, particularly in industries where email trust directly translates into financial, operational, or public-safety risk.

DMARC policy trends

Regarding the DMARC implementation, most domains lack strict enforcement, limiting its full security benefits. A majority (68.2%) use a “none” DMARC policy, allowing emails that fail DMARC checks to be delivered without restriction. Only 12.1% use “quarantine” to send suspicious emails to spam, and just 19.6% have a strict “reject” policy to block non-compliant emails.

Although adopting stricter policies like p=quarantine or p=reject is essential for enforcement, many companies remain hesitant to make the shift:

• 25.5% of senders using p=none plan to upgrade to a stronger DMARC policy within the next year.
• 61% will only update their policy if required by regulatory or business needs.
• 13% have no plans to strengthen their policy, as they already meet current DMARC requirements.

AI and Phishing Attacks

According to a 2024 study, 95% of IT leaders report that cyberattacks are now more sophisticated than ever. The study highlights that AI-powered attacks have been increasing with a 51% rise over recent years. This shift has left many IT leaders feeling vulnerable, with 35% expressing concern about their ability to counteract such attacks effectively.

Time-saving advances with AI-generated phishing

Manually crafted phishing emails take an average of 16 hours to produce. However, with AI, a deceptive phishing email can be generated in as little as 5 minutes—saving cybercriminals nearly two days per email. This efficiency leap opens up large-scale attacks with minimal time investment.

Cybercrime Awareness and Prevention

The median time it takes for users to fall for phishing emails is alarmingly quick, often less than 60 seconds.

According to studies, human error is a critical vulnerability, playing a role in 74% of all breaches. Despite security training, people are still likely to click on phishing links due to ingrained habits or well-crafted social engineering tactics.

Only 1 in 4 employees feel that their organizations are fully prepared for phishing threats across channels. Compounding the issue, only 29% of phishing emails are accurately reported by employees, emphasizing gaps in both awareness and detection skills.

Prevent phishing attacks

Although complete cybersecurity protection is impossible, quick detection and response can dramatically reduce the impact of breaches on organizations and their customers. Luckily, DMARC offers an essential solution to the problem. 

Recent DMARC statistics bring to life the impact of DMARC on email security. Since implementing new sender requirements, Gmail has witnessed a 65% reduction in unauthenticated messages delivered. This substantial decline demonstrates the effectiveness of DMARC in reducing fraudulent emails. 

But it does not stop there! 50% more bulk senders have started adhering to best security practices, signaling a broader industry-wide adoption of DMARC and related protocols. Perhaps the most striking is the scale of change DMARC has brought to the global email ecosystem, with 265 billion fewer unauthenticated messages sent in 2024. This lower volume has been sustained and continues to face downward pressure, suggesting that DMARC enforcement is delivering a lasting structural reduction in unauthenticated email traffic.

Enhance email security

While DMARC plays a crucial role in email authentication, its effectiveness is significantly enhanced when combined with additional protocols like MTA-STS (Mail Transfer Agent Strict Transport Security) and BIMI (Brand Indicators for Message Identification). 

MTA-STS works by enforcing strict security policies for email transmission, ensuring that emails are transmitted over secure, encrypted channels. This eliminates the risk of emails being intercepted or tampered with during transit, adding another layer of protection.

On the other hand, BIMI helps brands improve both email security and visibility by displaying their logo next to authenticated emails in the inbox. This gives recipients a clear visual signal that the message is legitimate, making it easier to recognize trusted communications and build customer confidence.

The challenges of manual implementation

While DMARC, MTA-STS, and BIMI offer clear benefits, manual implementation of these protocols can be complex and error-prone. 

Setting up these protocols requires deep technical knowledge, especially when it comes to configuring DNS records and analyzing feedback reports. Without expert oversight, organizations risk exposing their email systems to potential threats.

Given the complexities involved, manual implementation is no longer viable for most businesses. This is where automated and managed email authentication services, such as PowerDMARC, come into play. 

PowerDMARC offers streamlined solutions for setting up and maintaining DMARC, MTA-STS, and BIMI, allowing you to fully leverage these protocols without the technical burden. PowerDMARC not only simplifies deployment but also provides continuous monitoring, real-time insights, and expert support, ensuring that email security remains robust and up to date.

What makes PowerDMARC stand out?

With numerous awards, glowing testimonials, and a proven track record of success, PowerDMARC is trusted by 10,000+ customers worldwide looking to enhance their email security.

G2 has recognized PowerDMARC as a leader in DMARC software for Fall 2024, highlighting our dedication to delivering top-tier email authentication solutions.

Get in touch to make the switch to PowerDMARC today and take control of your email domain. Protect your business, build trust, and ensure your communications remain secure.

What clients are saying

“Came for the aggregated DMARC reporting, stayed because of all the other features included!”
Drew Saum (CEO of ADI Cyber Services)

“Most comprehensive and excellent support!”
Ben Fielding, Fractional CTO

“PowerDMARC has been a game-changer for our IT team!”
Sebastián Valero Márquez, IT Manager at HispaColex Tech Consulting

“Since implementing PowerDMARC for all of our clients, it’s created a much easier process for both onboarding, monitoring, and making changes, even if we aren’t in control of the DNS services.”
Joe Burns, Co-founder and CEO of Reformed IT

Read more reviews

Final Thoughts

Phishing is a serious and costly threat, and attacks are becoming more sophisticated, especially with AI. Unfortunately, many organizations are still not fully prepared, lagging behind on essential defenses like advanced email filters, regular employee training, and secure login protocols, leaving them vulnerable to these attacks.

One powerful step companies can take is implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC helps verify that incoming emails genuinely come from the claimed sender, blocking many phishing attempts before they reach inboxes. 

However, to truly stay ahead of increasingly sophisticated tactics, organizations need to adopt a multi-layered approach, combining DMARC with vigilant monitoring, ongoing threat education, and a range of security tools. A single phishing email that slips through the cracks can lead to severe consequences, so it’s critical for companies to stay alert and continuously strengthen their defenses.

Frequently Asked Questions

How to view DMARC reports?

DMARC reports are sent to the email address specified in your DMARC record and arrive as XML files, usually daily.

How to know if DMARC is working?

DMARC is working if reports show emails passing SPF or DKIM alignment, and unauthenticated messages are being quarantined or rejected according to your policy.

What tool is used to read DMARC reports?

DMARC reports are read using a DMARC report analyzer, which converts raw XML files into clear, human-readable dashboards and summaries.

What is the difference between DKIM and DMARC?

DKIM verifies that an email hasn’t been altered in transit, while DMARC builds on DKIM (and SPF) to tell receiving servers what to do when authentication fails and to send reports back to the domain owner.

Sources

IBM

Experian

Cybercrime Magazine

IC3

APWG 1st Quarter Report

APWG Trends Reports

APWG 2nd Quarter Report

Cybercrime Information Center

• About
• Latest Posts

Maitham Al Lawati

Cybersecurity Expert, CEO at PowerDMARC

Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.

Latest posts by Maitham Al Lawati (see all)

• Email Phishing and DMARC Statistics: 2026 Email Security Trends - January 6, 2026
• How to Fix “No SPF record found” in 2026 - January 3, 2026
• SPF Permerror: How to Fix Too Many DNS Lookups - December 24, 2025