Philippines DMARC & MTA-STS Adoption Report 2026

In recent years, Southeast Asia has faced an unprecedented escalation in sophisticated cyber threats, with ransomware attacks across the Asia-Pacific region surging by nearly 57%. The Philippines has emerged as a prime target within this rapidly digitizing economic block; data from global cybersecurity tracking shows that Association of Southeast Asian Nations (ASEAN) corporations now confront average data breach costs climbing to $3.23 million. While foundational technical configurations exist across many Philippine organizations, a widespread lack of strict active policy enforcement has created deep vulnerabilities across the nation’s most vital economic sectors, leaving corporate, public, and infrastructure communications open to active exploitation. 

At a Glance: Key Findings Across the Philippines

The national email security posture reveals the following trends:

Philippines SPF

SPF: 95.2% correct – A solid technical foundation has been successfully established nationwide, though minor misconfigurations (4.7% incorrect) and rare omissions (0.1% no record) still persist.

Philippines DMARC

DMARC: While visibility measures have been adopted by many, only 17.0% of domains enforce a strict “reject” policy. The remaining landscape sits weakly protected under p=quarantine (22.9%), monitoring-only p=none (23.1%), or outright exposes itself with 36.5% completely lacking a DMARC record.

Philippines MTA-STS

MTA-STS: A massive national blind spot with 99.4% non-adoption, leaving transport-layer email traffic highly vulnerable to interception across the country.

Philippines DNSSEC

DNSSEC: Only 12.3% enabled – Leaving a staggering 87.7% of domains vulnerable to sophisticated DNS hijacking, cache poisoning, and malicious traffic redirection.

Sector-by-Sector Analysis

1. Banking: High Awareness, Low Encryption

As the primary target for advanced financial fraud, Philippine banking institutions lead the country in strict DMARC enforcement, yet they remain thoroughly exposed to transport-layer interception.

Metric Status
SPF 94.3% correct (5.7% incorrect)
DMARC Reject 36.2% (National Leader)
DMARC Policies 26.7% at “quarantine”, 22.8% at “none”
DMARC Gap 14.3% have no record
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 6.7% enabled (93.3% disabled)

Threat Scenario

With a 100.0% MTA-STS gap across the banking sector, critical transactional data travels via unencrypted paths. Attackers can execute “Downgrade Attacks” to strip opportunistically deployed encryption, intercepting high-value financial confirmation messages to reroute capital or harvest sensitive banking credentials.

The PowerDMARC Solution

With automated MTA-STS hosting, PowerDMARC forces all inbound email into encrypted TLS 1.2+ channels, removing the risk of Man-in-the-Middle (MiTM) interception and securing highly sensitive banking communication records.

2. Healthcare: Severe DMARC Defenses

Managing sensitive patient information with low strict enforcement makes the Philippine healthcare sector a prime target for data extortion and identity theft.

Metric Status
SPF 97.6% correct (2.4% incorrect)
DMARC Reject 19.3%
DMARC Policies 21.7% at “quarantine”, 20.5% at “none”, 1.2% incorrect
DMARC Gap 37.3% lack DMARC entirely
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 9.6% enabled (90.4% disabled)

Threat Scenario

A severe combined gap of missing DMARC records (37.3%) or passive tracking policies allows attackers to easily spoof hospital and medical clinic domains. Threat actors can deliver realistic “Patient Health Updates” or fake medical supply invoices containing malicious ransomware payloads directly to medical staff.

The PowerDMARC Solution

We guide healthcare providers through a structured implementation path to move smoothly from monitor mode to a strict p=reject policy, neutralizing phishing campaigns before they reach clinical staff inboxes.

3. Government: Infrastructure Built on Soft Monitoring

Official communications carry the weight of the state. While government networks show excellent foundational setup, soft monitoring rules leave an open door for manipulation.

Metric Status
SPF 98.2% correct (1.8% incorrect)
DMARC Reject 6.2%
DMARC Policies 24.1% at “quarantine”, 25.9% at “none”
DMARC Gap 43.8% lack DMARC entirely
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 16.1% enabled

Threat Scenario

With only 6.2% of government domains actively rejecting spoofed emails and 43.8% completely unconfigured, state agency identities are highly vulnerable. Threat actors can successfully impersonate official departments to spread false regulatory directives or spear-phish government employees.

The PowerDMARC Solution

Our multi-tenant dashboard lets central public agencies monitor and secure vast networks of subdomains (e.g., .gov.ph) from a single panel, simplifying the transition to strict p=reject.

4. Education: Strong Infrastructure, Weak Policy Enforcement

Academic centers host vast sums of student data and research intellectual property, displaying strong foundational alignments but noticesably relaxed enforcement metrics.

Metric Status
SPF 98.4% correct (1.6% no record)
DMARC Reject 19.4%
DMARC Policies 9.7% at “quarantine”, 25.8% at “none”
DMARC Gap 45.2% lack DMARC entirely
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 19.4% enabled (Sector Leader)
Education DNSSEC Adoption - Philippines

Threat Scenario

Attackers exploit the high percentage of missing DMARC records (45.2%) to spoof academic departments, distributing look-alike “Tuition Payment Portal” updates to students or fake peer-review links to faculty to siphon login credentials and financial details.

The PowerDMARC Solution

Academic institutions often exceed the 10-DNS lookup limit due to decoupled departmental cloud software tools. PowerSPF compresses these configurations, ensuring legitimate university correspondence is never accidentally dropped due to technical limitations.

5. Energy: Critical Supply Chain Blind Spot

The energy sector displays decent basic alignment but leaves half of its domain ecosystem completely unmonitored.

Metric Status
SPF 85.2% correct (14.8% incorrect)
DMARC Reject 9.3%
DMARC Policies 29.6% at “quarantine”, 11.1% at “none”
DMARC Gap 50.0% lack DMARC entirely
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 13.0% enabled
Energy SPF Adoption - Philippines

Threat Scenario

With exactly half (50.0%) of energy domains completely lacking DMARC protection, criminals can easily spoof equipment manufacturers and utility suppliers. These fake communications are used to issue fraudulent supply chain requests or introduce malicious files designed to pivot into operational technology environments.

The PowerDMARC Solution

PowerDMARC binds DMARC validation with hosted MTA-STS protocols, verifying sender legitimacy while guaranteeing that messages passing through outside nodes remain fully encrypted.

6. Media: High Vulnerability and Low Defenses

Media institutions face high public visibility, where weak email controls allow bad actors to weaponize an outlet’s public trust.

Metric Status
SPF 93.8% correct (6.2% incorrect)
DMARC Reject 5.3% (Sector Low)
DMARC Policies 14.2% at “quarantine”, 29.2% at “none”, 1.8% incorrect
DMARC Gap 49.5% have no record
MTA-STS 0.0% adoption (100.0% lack record)
DNSSEC 14.2% enabled
Media DMARC Adoption - Philippines

Threat Scenario

A severe 49.5% absence of DMARC records coupled with a lowest-in-country enforcement rate of 5.3% lets attackers forge media domain names to distribute fake news stories, false press releases, or phishing emails to corporate communications, causing serious public trust fallout.

The PowerDMARC Solution

We help media companies configure Brand Indicators for Message Identification (BIMI), placing verified corporate logos directly inside recipient inboxes as a certified stamp of authenticity.

7. Telecommunications: High Quarantine, Low Active Rejection

Telecoms operate as the digital foundation of the country, yet a reactive approach places millions of mobile and internet subscribers at risk.

Metric Status
SPF 96.2% correct (3.8% incorrect)
DMARC Reject 23.1%
DMARC Policy 50.0% at “quarantine” (Sector Leader), 15.4% at “none”
DMARC Gap 11.5% have no record
MTA-STS 3.8% valid
DNSSEC 3.8% enabled
BIMI Logo

Threat Scenario

Scammers masquerade as telecom network operators to issue emergency “Suspended Account” notices. Because half (50.0%) of telecom domains sit passively at p=quarantine rather than being blocked outright, spoofed messages may still bypass filters or show up in junk folders, giving scammers an avenue to extract subscriber data and facilitate SIM-swap attacks.

The PowerDMARC Solution

We enforce an immediate transition to p=reject across carrier ecosystems, stopping attackers from leveraging legitimate telecom identifiers to exploit the subscriber base.

8. Transport: Moving Toward Security

Logistics operators rely heavily on continuous information exchange; any breakdown in trust can disrupt physical supply lines.

Metric Status
SPF 95.3% correct (4.7% incorrect)
DMARC Reject 22.1%
DMARC Policies 26.7% at “quarantine”, 22.1% at “none”
DMARC Gap 29.1% lack DMARC entirely
MTA-STS 3.5% valid (96.5% no record)
DNSSEC 11.6% enabled
Transport SPF Adoption - Philippines

Threat Scenario

Missing DMARC records (29.1%) give criminals an easy opening to copy transport company identities, sending modified shipping manifests or altered routing details to logistics partners to siphon freight payments into fraudulent accounts.

The PowerDMARC Solution

PowerDMARC safeguards the commercial landscape by ensuring every delivery manifest and automated invoice is authenticated and verified before it arrives at a partner gateway.

Under the Hood: Four Structural Weaknesses

1. The “Compliance Trap” of p=none

Many Philippine enterprises configure a basic DMARC record but stop short at a p=none policy (averaging 23.1% nationally). This grants visibility over domain traffic but provides zero preventative barriers against outbound domain spoofing.

Expert insight:

“While organizations in the Philippines are beginning to achieve decent technical visibility, they remain highly vulnerable to spoofing campaigns until they actively transition to an enforced ‘reject’ state. Real defense isn’t achieved by just monitoring the threat; it requires denying entry at the gateway.”

Maitham Al Lawati, CEO, PowerDMARC

Expert insight:

“The complexity of modern enterprise stacks means large corporate groups are constantly facing lookup threshold errors. Implementing automated SPF Flattening is a core requirement for protecting delivery continuity and protecting sender trust.”

Yunes Tarada, Service Delivery Manager, PowerDMARC

2. SPF Complexity and the 10-Lookup Limit

As local corporations integrate a broad array of third-party cloud apps, payroll processors, and marketing tools, their SPF records regularly exceed the standard 10-DNS-lookup limit. This structural failure causes legitimate corporate communications to fail validation checks and get dropped into spam.

3. MTA-STS: The Encryption Blind Spot

With 99.4% of Philippine domains operating without MTA-STS, email transport relies on opportunistic encryption. This exposes communication to downgrade attacks where data is extracted in clear plaintext.

Expert insight:

“Relying on opportunistic encryption creates a false sense of security. Without MTA-STS enforcement, a threat actor can easily force mail transfers into clear text via network-level manipulation. For Philippine operators, deploying managed encryption paths is critical to maintaining end-to-end payload confidentiality.”

Ayan Bhuiya, Operations & Delivery Shift Lead, PowerDMARC

Expert insight:

“DNS hijacking can erase years of earned corporate trust in a matter of seconds. Implementing DNSSEC provides the cryptographic verification needed to guarantee that internet traffic reaches your legitimate servers rather than an adversary’s replica.”

Ahona Rudra, Marketing Manager, PowerDMARC

4. DNSSEC: The Foundation of Brand Trust

With an overall adoption rate of just 12.3%, the remaining 87.7% gap leaves companies massively exposed to malicious path redirection and cache poisoning attacks.

Global Benchmarking: Philippines in Context

The Philippines presents itself as an emerging environment with strong foundational accuracy (SPF) but lingering significantly behind in active transport encryption (MTA-STS), DNS infrastructure security (DNSSEC), and strict automated enforcement (DMARC Reject) when compared to global peers.

The Global Leaderboard: 2026 Comparative Data

Country SPF Correct DMARC Reject MTA-STS DNSSEC
Philippines 95.2% 17.0% 0.6% 12.3%
Brazil 92.1% 20.7% 0.7% 21.9%
Ecuador 96.1% 24.9% 1.4% 4.8%
Australia 92.3% 46.7% 5.8% 6.8%
Poland 98.9% 21.2% 0.9% 15.7%
Netherlands 70.0% 23.2% 0.9% 37.7%
Italy 91.0% 16.7% 1.0% 3.5%
Japan 95.0% 9.2% 0.5% 16.4%

Philippines in the Global Spotlight: 2026 Analysis

1
The Foundational Disconnect

The Philippines demonstrates strong basic alignment with SPF accuracy at 95.2%, beating regional peers like Brazil (92.1%) and matching Japan (95.0%). However, its true enforcement rate (17.0% Reject) reveals a distinct execution gap compared to leaders like Australia (46.7%). Local organizations excel at listing valid servers, but hesitate to block unauthorized ones.

2
The Cryptographic Gap

Unlike Brazil, which outpaces many nations with 21.9% DNSSEC adoption, the Philippines sits lower at 12.3%. While ahead of countries like Italy (3.5%) and Ecuador (4.8%), it shows a clear need for broader implementation across regional registries to secure basic lookup integrity.

3
The Encryption Chasm

Mirroring global trends, MTA-STS adoption stands at a critical low of 0.6%. Similar to patterns seen in Japan (0.5%) and Brazil (0.7%), secure transport-layer pathing remains an unaddressed exposure across almost all sectors.

PowerDMARC Perspective

“The Philippines has established a highly commendable technical baseline for domain visibility through its strong nationwide SPF accuracy, yet the surrounding policy enforcement gap remains a significant vulnerability. Local organizations excel at initial setup and domain configuration but fall behind on active perimeter defense. The clear directive is to transition from passive observation to absolute enforcement by converting existing visibility configurations into hardened p=reject policies.”

Conclusion: From Metrics to Action

The 2026 data indicates that while the Philippines has built a strong foundational alignment, the defensive perimeter remains largely incomplete. To safeguard its digital future, organizations should focus on three primary upgrades:

Advance Past Monitoring

High SPF and baseline DMARC deployment mean little if spoofed mail continues to reach user inboxes. Transitioning domains from monitoring modes to a strict p=reject state via Hosted DMARC ensures unauthorized mail is blocked at the gateway.

Secure In-Transit Data

With 99.4% of the network exposed to transport tampering, deploying Hosted MTA-STS is vital to guarantee that business communications remain secure against interception.

Maintain Operational Flow

Eliminate lookup configuration errors that can disrupt legitimate corporate correspondence. Deploying Hosted SPF preserves delivery reliability as cloud environments grow more complex.

Research & Data Sources

PowerDMARC Methodology

DNS Record Analysis

Active DNS queries across domain samples from all 8 sectors, retrieving and validating SPF, DMARC, MTA-STS, and DNSSEC records per relevant RFC standards.

Sector Sampling

Domains identified from publicly available registries and sector listings in the Philippines across Financial (Banking), Healthcare, Government, Education, Energy, Media, Telecommunications, and Transport.

Global Benchmarking

All benchmark figures sourced from PowerDMARC’s published country reports for Brazil, Australia, Poland, the Netherlands, Italy, and Japan, using a consistent DNS-analysis methodology.

Risk Classification

Sector risk ratings derived from a composite of p=reject adoption, share of domains with no DMARC record, SPF misconfiguration, and poor MTA-STS adoption rate across analyzed domains in the Philippines.

Turn Visibility into Defense Today

The Philippines’ high technical adoption rates prove that the country’s IT administrators are among the most capable in the region; they simply need the mandate and the tools to flip the switch on enforcement.

Don’t allow your domain to remain a sophisticated system that watches a breach happen but is powerless to stop it. Secure your reputation and your data before the next major cross-border phishing campaign targets your industry.

Contact us at PowerDMARC to start your journey from monitoring to absolute enforcement.