77% of advanced email attacks failed SPF, DKIM, or DMARC authentication yet still reached inboxes.

79% of breached healthcare organizations have ineffective DMARC protection. This is up dramatically from 65% in 2024.

In the US, the percentage of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025 following strict DMARC mandates.

92% of the world's top email domains are reported to remain unprotected against phishing and spoofing.

Among domains with DMARC records, over 40% fail to include reporting mechanisms like RUA tags.

Only 7.7% of the world’s top 1.8 million email domains are fully protected against phishing and spoofing by having implemented the most stringent DMARC policy, 'p=reject'1.

More than half (52.2%) of the domains analysed in the report still lack even a basic DMARC record.

47% of email domains do not have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured to protect against unauthorized use, including spoofing and impersonation attacks.

Providers outperform consumers in four of six security standards – including DMARC, SPF, DKIM, and DNSSEC.

37.2% of healthcare Microsoft 365 users had DMARC in ‘monitor-only’ mode.

Only 2% of organizations implemented DMARC, SPF, and STARTTLS together for their email security.

Only 2% of organizations implemented DMARC, SPF, and STARTTLS together for their email security.

Email security adoption showed strong progress, with 89% of organizations implementing DMARC (Domain-based Message Authentication, Reporting & Conformance).

Email security adoption showed strong progress, with 7% of organizations implementing both DMARC and SPF (Sender Policy Framework).