Optimum Web
Security 13 min read

SPF, DKIM, and DMARC in 2026: Why 69% of Business Domains Can Still Be Spoofed — and How €89 Fixes It

Quick Answer: 69.2% of domains worldwide have no effective DMARC protection (DmarcDkim.com, May 2026). Only 11.2% enforce a reject policy. This means anyone can send emails pretending to be your company — to your clients, your partners, your bank. Business Email Compromise (BEC) caused $3.05 billion in verified losses in the US alone in 2025 (FBI IC3 Report). SPF, DKIM, and DMARC are three DNS records that prevent domain spoofing. Setup takes 5 business days and costs €89 at Optimum Web. Required by GDPR Article 32, NIS2 Article 21(2), and now enforced by Google and Yahoo for all bulk senders.

Right now, someone could send an email from [email protected] to your biggest client, asking them to wire €50,000 to a new bank account. The email would look legitimate. It would pass through most spam filters. Your client would see your company name in the “From” field.

If your domain doesn’t have SPF, DKIM, and DMARC configured — this takes about 15 minutes for an attacker. No hacking required. No password theft. Just a $5 SMTP server and your company’s domain name.

This isn’t theoretical. The FBI reports that Business Email Compromise caused $3.05 billion in verified losses in the United States in 2025 alone — and those are only the cases that were reported. The real number is significantly higher.

The fix? Three DNS records. €89. Five business days. Your domain becomes unspoofable.

The Numbers: Email Fraud in 2026

Every statistic below is from named, verifiable sources.

Business Email Compromise (BEC) — the $3 billion problem

  • BEC caused $3.05 billion in verified losses in the US in 2025, from 24,768 complaints. That’s approximately $123,000 per incident on average (FBI IC3 2025 Annual Report)
  • BEC is the second-costliest cybercrime category, behind only investment fraud (FBI IC3 2025)
  • Between 2022 and 2024, the FBI received nearly $8.5 billion in BEC losses (FBI IC3 / Nacha)
  • 63% of organizations experienced BEC in 2024 (Association for Financial Professionals 2025 Fraud Survey)
  • BEC attacks increased 15% in 2025 compared to 2024 (LevelBlue SpiderLabs)
  • AI-assisted BEC attacks cost victims more than $30 million in 2025. AI chat generators create convincing emails mimicking CEOs and officials (FBI IC3 2025 Report)
  • 65% of BEC scams use fake email domains that closely resemble legitimate ones — slight misspellings or spoofing techniques (Gitnux BEC Statistics)

The DMARC adoption gap

Despite BEC costing billions, most domains remain unprotected:

  • 69.2% of domains worldwide have no effective DMARC protection (DmarcDkim.com, May 2026, monitoring 1,197,816 domains)
  • Only 11.2% of domains have full protection with a reject policy at 100% enforcement (DmarcDkim.com)
  • Only 18% of the world’s top 10 million domains publish a valid DMARC record, and just 4% enforce a reject policy (PowerDMARC Q2 2025 analysis)
  • Global DMARC adoption reached 52.1% of top 1.8 million domains in 2026, up from 27.2% in 2023 — but more than half remain at p=none, which offers no actual protection (EasyDMARC 2026 Report)
  • Even US government domains — with statutory mandates, dedicated funding, and 7+ years of compliance — have 60% SPF error rates and only 7% full compliance (dmarcian September 2025 survey of 713 government domains)

What SPF, DKIM, and DMARC Actually Do

Let’s demystify these three protocols. They’re simpler than they sound.

SPF — Sender Policy Framework

What it does: Tells the world which servers are allowed to send email from your domain.

How it works: You publish a DNS TXT record listing every IP address and service that legitimately sends email on your behalf (your mail server, Google Workspace, Mailchimp, your CRM, etc.). When a receiving server gets an email from your domain, it checks this list. If the sending server isn’t on the list — the email fails SPF.

What it looks like: `v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all`

This says: “Google Workspace, Mailchimp, and SendGrid are allowed to send email from our domain. Nobody else.” The closing `-all` is a hard fail: receivers should treat mail from any other server as unauthorised.

Without SPF: Any server in the world can claim to send email from your domain. Spam filters might catch some of it, but there’s no authoritative way to verify.

DKIM — DomainKeys Identified Mail

What it does: Adds a digital signature to every email you send, proving it hasn’t been tampered with in transit.

How it works: Your email server signs each outgoing email with a private key. The corresponding public key is published in your DNS. Receiving servers verify the signature against the public key. If the signature matches — the email is authentic and unmodified.

Why it matters beyond anti-spoofing: DKIM also proves that the email content hasn’t been altered after sending. If an attacker intercepts an email and changes the bank account number in a wire transfer request, the DKIM signature breaks. The receiving server knows the email was tampered with.

Without DKIM: Emails can be modified in transit, and there’s no way for the recipient to verify integrity.
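Added example (not from the article): the integrity part of DKIM in Python, namely the `bh=` body hash with RFC 6376 relaxed canonicalization. The messages are constructed; the RSA signature over the headers is not reproduced here.

```python
import base64
import hashlib
import hmac
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of SP/HTAB into
    one space, strip trailing whitespace from each line, drop empty lines at
    the end of the body, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """Value of the bh= tag in a DKIM-Signature header: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_intact(body: bytes, bh_tag: str) -> bool:
    """Receiver-side check: recompute bh= over the received body and compare it with
    the value the signer put in the header (the RSA check over the headers comes next)."""
    return hmac.compare_digest(body_hash(body), bh_tag)


# Constructed messages: the original, a copy where a relay only changed whitespace,
# and a copy where the bank account number was swapped in transit.
ORIGINAL = b"Hi,\r\nPlease pay invoice 1042 to IBAN DE00 0000 0000 0000 0000 00.\r\nThanks\r\n\r\n\r\n"
REWRAPPED = b"Hi,\r\nPlease   pay invoice 1042 to\tIBAN DE00 0000 0000 0000 0000 00.  \r\nThanks\r\n"
TAMPERED = b"Hi,\r\nPlease pay invoice 1042 to IBAN DE99 9999 9999 9999 9999 99.\r\nThanks\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)  # what the sending server writes into bh=
    print("rewrapped intact:", body_intact(REWRAPPED, bh))  # True: whitespace is tolerated
    print("tampered intact:", body_intact(TAMPERED, bh))    # False: the signature breaks
```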

DMARC — Domain-based Message Authentication, Reporting and Conformance

What it does: Tells receiving servers what to do when SPF or DKIM fails — and sends you reports about who’s trying to send email from your domain.

Three policy levels:

| Policy | What happens to failed emails | When to use |
|---|---|---|
| `p=none` | Nothing — just monitor and report | First 2–4 weeks (observation phase) |
| `p=quarantine` | Send to spam folder | After verifying all legitimate senders |
| `p=reject` | Block completely — never delivered | Full protection (target state) |

What it looks like: `v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100`

The critical insight: DMARC at p=none provides zero protection. It only monitors. Yet more than half of all domains with DMARC records are still at p=none — giving a false sense of security while offering no actual defense against spoofing.

Without DMARC: Even with SPF and DKIM, receiving servers don’t know what to do when authentication fails. Some might still deliver the forged email. DMARC closes this gap by providing an explicit policy.

How all three work together

SPF alone can be bypassed: it checks the envelope sender, which the recipient never sees, so a forger can pass SPF for a domain they control while the visible From header still shows yours. DKIM alone proves a signature exists but specifies no policy, and nothing forces the signing domain to match the From header. DMARC without SPF and DKIM has nothing to evaluate. Together, they form a complete defense: DMARC requires that at least one passing check aligns with the From domain and tells receivers what to do otherwise.

When an email arrives at a recipient’s server:

1. Check SPF: Is the sending server authorised?
2. Check DKIM: Is the signature valid and unmodified?
3. Check DMARC: Do SPF or DKIM pass AND align with the From domain?
   - If yes: deliver normally
   - If no: apply DMARC policy (none/quarantine/reject)
   - Send report to domain owner

All three are required. This is not optional layering — it’s a system.
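Added example (not from the article) of the three-step check: a small Python DMARC evaluator that applies alignment, `p=`/`sp=` and `pct=` to one message. The records and domains are constructed, and the organizational-domain rule is simplified (no Public Suffix List).

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict and check the required tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= policy")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers consult the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r, the
    default) accepts any host under the same organizational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


DISPOSITION = {"none": "deliver, report only", "quarantine": "spam folder", "reject": "reject"}


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, sample=0):
    """Return (dmarc_result, disposition). spf_domain is the envelope-sender domain SPF
    was checked for, dkim_domain the d= tag of the signature; sample (0-99) stands in
    for the receiver's random draw that applies pct=."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Failed: use p= (or sp= for subdomains); messages outside pct= get the next weaker policy.
    policy = tags["p"].lower()
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    if sample >= int(tags.get("pct", "100")):
        policy = {"reject": "quarantine"}.get(policy, "none")
    return "fail", DISPOSITION[policy]


# Constructed sample records and messages (fictional domains).
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail from a subdomain: SPF passes and aligns under relaxed mode.
    print(evaluate(ENFORCED, "example.com", "pass", "mail.example.com", "fail", ""))
    # Forgery: the sender's own bounce domain passes SPF but does not align with the
    # From header the recipient sees, so p=reject blocks it while p=none delivers it.
    print(evaluate(ENFORCED, "example.com", "pass", "bulk-sender.invalid", "none", ""))
    print(evaluate(MONITOR, "example.com", "pass", "bulk-sender.invalid", "none", ""))
```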

What Changed in 2024–2026: Email Auth Is Now Mandatory

Email authentication has shifted from best practice to hard requirement across multiple regulatory and platform frameworks.

Google and Yahoo requirements (February 2024)

Google and Yahoo now require SPF, DKIM, and DMARC for all bulk senders (5,000+ emails per day). Without these:

- Emails are throttled (delivered slowly)
- Emails go to spam folder
- Emails are rejected entirely

This isn’t a recommendation. It’s enforced. If your company sends newsletters, marketing emails, or transactional emails to Gmail or Yahoo users without proper authentication — your emails are already being affected.

PCI DSS v4.0 (March 2025)

PCI DSS v4.0 requirement 5.4.1 requires “anti-phishing mechanisms” including “DMARC with a policy of p=reject or p=quarantine” for all organizations processing card payments. This took effect March 31, 2025.

NIS2 enforcement (2024–2025)

NIS2 Article 21(2) requires “security measures” for network and information systems. Email authentication is explicitly covered as a baseline measure in ENISA guidance for NIS2 implementation.

GDPR — it was always required

GDPR Article 32 requires “appropriate technical measures” for data security. A spoofed email that tricks an employee into revealing customer data is a data breach. If your domain could have prevented the spoofing with a €89 DMARC setup — the regulator will ask why you didn’t.

Real Scenarios Where SPF/DKIM/DMARC Would Have Prevented Damage

These are not hypothetical edge cases. Each scenario below occurs thousands of times per month worldwide.

Scenario 1: CEO fraud — wire transfer to attacker’s account

An attacker sends an email from [email protected] to your CFO: “Please wire €47,000 to this new supplier account urgently. I’m in a meeting, can’t talk.” The CFO sees the CEO’s name, sees the correct domain, and processes the payment.

With DMARC at p=reject: The email would never reach the CFO’s inbox. The receiving server would check DMARC, find that the message passes neither SPF nor DKIM for a domain aligned with yours, and reject it.

Average loss per incident: $123,000 (FBI IC3 2025)

Scenario 2: Fake invoice to your clients

An attacker sends invoices from [email protected] to your clients with a different bank account number. Your client pays the attacker. You never receive the money. Your client thinks they paid you.

With DMARC at p=reject: The fake invoice email is blocked. Your client only receives emails from servers you’ve authorised.

Scenario 3: Phishing your own employees

An attacker sends a “password reset” email from [email protected] to all employees. The link leads to a credential harvesting page. 5 employees enter their passwords. The attacker now has VPN access.

With DMARC at p=reject: The phishing email is blocked before reaching any employee’s inbox.

Scenario 4: Email deliverability collapse

Without SPF and DKIM, your legitimate marketing emails increasingly go to spam. Google, Yahoo, and Microsoft see your domain sends unauthenticated email and gradually lower your reputation. Open rates drop from 25% to 3%. Your email marketing ROI collapses.

With proper authentication: Your emails consistently land in inbox. Deliverability stays above 95%.


The €89 Fix: What Optimum Web Sets Up

Our service covers your entire email sending infrastructure — not just the main domain, but every third-party service that sends email on your behalf.

  • SPF configuration: Audit all services that send email from your domain, create optimised SPF record covering all legitimate senders, ensure SPF stays within the 10-DNS-lookup limit, publish SPF record in your DNS
  • DKIM setup: Generate DKIM key pair for your email provider, configure DKIM signing, publish DKIM public key in DNS, verify signatures are valid on outgoing emails
  • DMARC deployment (three-phase): Deploy at p=none with reporting (Day 1), analyse reports and fix alignment issues (Week 2–3), recommend moving to p=quarantine then p=reject (Week 3–4)
  • Verification across all sending services: Google Workspace / Microsoft 365, Mailchimp / SendGrid / Brevo, CRM (HubSpot, Salesforce, Pipedrive), transactional email (Resend, Postmark, AWS SES), helpdesk (Zendesk, Freshdesk, Intercom)
  • Compliance documentation: Configuration report for GDPR Article 32 evidence, NIS2 Article 21(2) compliance checklist, PCI DSS v4.0 requirement 5.4.1 evidence (if applicable)


How to Check If Your Domain Is Protected Right Now

You can check your domain’s email authentication in 30 seconds:

Step 1: Go to https://mxtoolbox.com/spf.aspx — enter your domain. Do you have an SPF record?

Step 2: Go to https://mxtoolbox.com/dmarc.aspx — enter your domain. Do you have a DMARC record? Is the policy reject or quarantine?

Step 3: Send a test email to mail-tester.com — it shows your SPF, DKIM, and DMARC status.

If any of these checks fail — your domain can be spoofed right now. Every minute of every day.

Common Mistakes We Fix

  • SPF record with too many lookups. SPF has a 10-DNS-lookup limit. Companies that use Google Workspace + Mailchimp + SendGrid + HubSpot + Zendesk often exceed this limit without realising. The SPF record technically exists, but receivers return a permanent error (permerror) and it provides no protection. Our fix: flatten SPF records, consolidate includes, and verify the lookup count stays within the limit of 10
  • DMARC at p=none for years. Many companies set up DMARC at p=none and never progress to enforcement. They think they’re protected — they’re not. p=none is monitoring mode only. Forged emails still get delivered. Our fix: analyse DMARC reports, identify all legitimate senders, and guide you to p=quarantine then p=reject within 3–4 weeks
  • DKIM not configured for third-party senders. Your email provider has DKIM. But your marketing tool, CRM, and helpdesk send emails from your domain without DKIM. These emails fail authentication — and legitimate messages go to spam. Our fix: configure DKIM for every service that sends email from your domain
  • Multiple SPF records. DNS allows only one SPF record per domain. Companies sometimes add a second one for a new service — breaking SPF entirely: receivers return a permerror and both records are ignored. Our fix: merge all SPF requirements into a single, valid record

Your Domain Is Either Protected or It’s Not

There is no middle ground with email authentication. Either your domain has SPF + DKIM + DMARC at enforcement level, and nobody can spoof it — or it doesn’t, and anyone can send emails as your CEO to anyone in the world.

69.2% of domains are in the second category. BEC cost $3.05 billion in verified losses last year.

€89 and 5 business days. That’s all it takes.


Frequently Asked Questions

What are SPF, DKIM, and DMARC?
Three email authentication protocols that prevent domain spoofing. SPF specifies which servers can send email from your domain. DKIM adds a digital signature proving email authenticity and integrity. DMARC tells receiving servers what to do when authentication fails (quarantine or reject) and sends you reports about spoofing attempts. Together, they make it impossible for attackers to send emails pretending to be your company.
How much does email authentication setup cost?
At Optimum Web: €89 fixed price for SPF + DKIM + DMARC configuration across all your sending services, with verification and compliance documentation. This is a one-time setup — no monthly fees. Misconfiguration can break your legitimate email delivery, which is why professional setup matters.
Will SPF/DKIM/DMARC setup break our existing email?
No, when done correctly. We start DMARC in monitoring mode (p=none) for 2–3 weeks to observe all email traffic. During this phase, no email is blocked. We identify every legitimate sender and ensure they pass authentication before recommending enforcement (p=quarantine → p=reject). Our 14-day warranty covers any delivery issues.
Is email authentication required by law?
Effectively yes. GDPR Article 32 requires appropriate technical security measures — email authentication is universally accepted as a baseline measure. NIS2 Article 21(2) mandates security measures for network systems. PCI DSS v4.0 explicitly requires DMARC with enforcement for payment processors. Google and Yahoo enforce SPF/DKIM/DMARC for all bulk senders since February 2024.
How long does SPF/DKIM/DMARC setup take?
5 business days at Optimum Web. Day 1: audit all sending services, configure SPF and DKIM. Day 2: deploy DMARC at p=none. Days 3–5: verify all authentication passes, document configuration, deliver compliance report. Progression to p=quarantine and p=reject follows over the next 2–3 weeks based on monitoring data.
What percentage of domains are protected by DMARC?
Only 11.2% of domains worldwide have full DMARC protection with a reject policy (DmarcDkim.com, May 2026). 69.2% have no effective protection at all. Even among domains with DMARC records, more than half are at p=none (monitoring only), which provides no actual defense against spoofing.
Can AI make BEC attacks worse?
Yes. The FBI’s 2025 IC3 Report specifically notes that AI-assisted BEC attacks cost victims over $30 million. AI chat generators create convincing emails mimicking company executives, making spoofed emails harder to detect by employees. This makes technical defenses (SPF/DKIM/DMARC) even more critical — because humans increasingly cannot distinguish real emails from AI-generated fakes.

About This Article

Olga Pascal · CEO & Founder · 26+ years experience

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.



Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.

Reply to me directly at [email protected] — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.

— Olga Pascal, Business Development at Optimum Web

Cite This Article

APA Format

Olga Pascal. (2026). SPF, DKIM, and DMARC in 2026: Why 69% of Business Domains Can Still Be Spoofed — and How €89 Fixes It. Optimum Web. https://www.optimum-web.com/blog/email-security-spf-dkim-dmarc-2026-why-69-percent-domains-can-be-spoofed/
