What is DMARC and why it could prevent your organization from being hacked by cybercriminals
DMARC: essential email protection against modern phishing threats

In the early days of phishing, the signs were easier to spot: typos, odd phrasing, and clunky formatting that made emails feel off. But times have changed. AI has lowered the barrier to entry for cybercriminals, making it easy to craft emails with flawless grammar and tone.
It’s also allowed attackers to get smarter, using social engineering tactics that mimic the language and behavior of real people, tricking even the most vigilant recipients. Just last month, M&S reportedly fell victim to a social engineering scam so convincing it could wipe out up to £300 million of its operating profit this year.
Against this backdrop, EasyDMARC recently analyzed 1.8 million of the world’s leading email domains. Alarmingly, we found that only 7.7% have the highest level of phishing protection in place. On top of that, more than half haven’t even taken the first step in deploying the most basic level of email security.
That means the vast majority of organizations are still leaving the door wide open to impersonation attacks at a time when phishing is harder than ever to spot.
Why email is the weakest link
I’ve lost count of how many times I’ve heard companies say, “we’ve done the training, so we’re covered.” But the truth is that training your staff to spot malicious emails won’t stop phishing. Not when the email looks like it came from your own domain, signed off by your CEO, and sent at just the right time.
Email is still the backbone of business communication. It’s the channel through which sensitive information flows and core processes are initiated and approved. Its ubiquity, and the trust placed in it, makes it an ideal target for attackers.
The problem is that email was never designed with built-in identity verification: SMTP lets a sender put any address in the From: header, and nothing in the base protocol checks that claim.
What DMARC actually does
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to stop attackers from sending mail that appears to come from your domain. It builds on two underlying standards: SPF, which checks whether the sending server is authorized for the envelope sender's domain, and DKIM, which verifies a cryptographic signature on the message. DMARC adds the piece they lack on their own: it requires that the domain SPF or DKIM authenticated aligns with the domain in the visible From: header, tells receiving servers what to do with messages that fail, and reports the results back to the domain owner.
A helpful way to think about DMARC is like border control for your organization's email. SPF and DKIM check the credentials; DMARC is the policy that decides what happens next. Do you let the message through, detain it for inspection, or turn it away entirely?
The DMARC enforcement gap
The problem is that most organizations treat DMARC as something that only needs to be set up, not maintained. They configure it once, leave it on the weakest policy setting, ‘p=none’, which asks receivers to take no action on failing mail and only report it back, and assume that’s enough. But without proper enforcement, DMARC doesn’t stop phishing; it simply watches it happen.
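To make the policy decision concrete, here is a minimal DMARC evaluator written for this article (it is not EasyDMARC's code). It parses a _dmarc TXT record, applies SPF/DKIM identifier alignment as RFC 7489 describes it, and returns the disposition a receiver would apply. The domains, records and authentication results are constructed for the example; the organizational domain is approximated as the last two labels (a real receiver uses the Public Suffix List), and pct= sampling is ignored.

```python
# Added example, not code from the original article or from EasyDMARC.
# Constructed records and domains; organizational domain approximated as the
# last two labels (real receivers use the Public Suffix List); pct= ignored.

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed alignment unless aspf=s
    return tags


def organizational_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed a shared org domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(record: str, from_domain: str, spf=None, dkim=()):
    """Return (dmarc_result, disposition) for one message.

    spf:  (result, mail_from_domain) from the SPF check on the envelope sender
    dkim: iterable of (result, d= domain) for each verified DKIM signature
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], tags["aspf"]))
    dkim_ok = any(r == "pass" and aligned(from_domain, d, tags["adkim"])
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # A From: subdomain falls under sp= when present, otherwise p=
    is_subdomain = organizational_domain(from_domain) != from_domain.lower().rstrip(".")
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed records: the monitor-only setting beside the enforced one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# A spoofed message: From: ceo@example.com, but the envelope sender is the
# attacker's own domain, so SPF passes for attacker.net and nothing is aligned.
SPOOF = dict(from_domain="example.com", spf=("pass", "attacker.net"), dkim=[])

if __name__ == "__main__":
    print(evaluate(MONITOR_ONLY, **SPOOF))  # ('fail', 'deliver'): p=none only watches
    print(evaluate(ENFORCED, **SPOOF))      # ('fail', 'reject')
    print(evaluate(ENFORCED, "example.com", dkim=[("pass", "example.com")]))  # ('pass', 'deliver')
```

Two things worth noticing when you run it: an SPF pass on its own means nothing, because the attacker controls the envelope sender and can pass SPF for a domain they own, so alignment with the From: header is what actually blocks the spoof; and a record such as `p=reject; sp=none` quietly reopens the door for every subdomain, so check sp= as carefully as p=.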
Our latest research shows just how common this enforcement gap really is. Out of the world’s top 1.8 million domains, only 7.7% have set their DMARC policy to ‘p=reject’, the strongest level of enforcement that actively blocks unauthorized emails from being delivered.
We’ve seen the difference enforcement makes. In countries like the United States, where regulation and provider policies have pushed for stronger DMARC enforcement, the impact has been dramatic. Phishing email acceptance dropped from 68.8% in 2023 to just 14.2% in 2025.
Until more organizations take that final step to enforce DMARC properly, email will remain one of the easiest attack vectors for cybercriminals.
The landscape is shifting
Recent moves by major email providers like Google, Yahoo, and Microsoft to enforce DMARC, SPF, and DKIM protocols for bulk senders mark a pivotal moment in email security. Importantly, these changes are not the result of government mandates or new legislation; they’re being driven entirely by the email providers themselves.
That level of unilateral enforcement reflects a high degree of confidence in these protocols, particularly DMARC, as the best form of defense against phishing.
But while email providers are embedding authentication into the heart of communication, many organizations are lagging behind. For most, the response has been compliance-driven, focused on avoiding deliverability issues rather than strengthening overall security posture.
As the threat landscape evolves, the disconnect between regulatory inaction, provider-led standards, and enterprise readiness is becoming more pronounced.
Closing the gap: from compliance to commitment
In May, attackers impersonating HMRC stole £47 million. They didn’t bypass complex zero-day defenses. They simply walked through the front door by spoofing trusted domains.
Enforcement is what turns visibility into action. As email providers lead the charge, it’s time for businesses to catch up, not out of obligation, but out of self-preservation. Because in a world where cybercriminals are better resourced than ever, doing the bare minimum is no longer good enough.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Gerasim Hovhannisyan is the CEO/Co-Founder of EasyDMARC, an early disruptor in email security.