
Most high-traffic email domains still vulnerable to phishing
New research from EasyDMARC has found that 92% of the world's top 1.8 million email domains lack adequate protection against phishing attacks.
The EasyDMARC 2025 DMARC Adoption Report has revealed that only 7.7% of these domains are fully protected using the strictest DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy, known as 'p=reject'. This policy is designed to actively block malicious emails from being delivered to inboxes.
DMARC is an email authentication protocol that builds on existing standards such as SPF and DKIM, allowing domain owners to specify how they want mail servers to handle emails that fail authentication checks. The protocol also enables domain owners to receive reports on emails sent under their domain name, providing vital records of authentication attempts and potential abuse.
EasyDMARC's analysis demonstrates that although there has been a noticeable increase in DMARC adoption since 2023 — largely due to regulatory initiatives and mandates from major providers including Google, Yahoo, and Microsoft — most organisations opt for the weakest available configuration, 'p=none'. This setting only monitors for threats, rather than thwarting attacks by blocking illegitimate emails.
The report, which reviewed security practices across the most-visited websites globally as well as Fortune 500 and Inc. 5000 companies, shows a continued gap between DMARC adoption and meaningful implementation. More than half (52.2%) of the surveyed domains have not implemented DMARC at any level, leaving them exposed to phishing and spoofing risks. Among domains that do have a DMARC record, most have not configured enforcement policies or reporting mechanisms necessary for full protection.
The research also found that over 40% of the domains with a DMARC record did not include any reporting tags. This omission means these organisations have little to no visibility into authentication failures or an understanding of who might be sending emails on their behalf.
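As an added example (not code from the report or from EasyDMARC's platform), the following Python classifies published DMARC records into the buckets the report describes: no record at all, monitor-only 'p=none', enforcing policies, and whether any rua/ruf reporting tags are present. The domain names and records are constructed for illustration; a real check would fetch the TXT record at `_dmarc.<domain>`.

```python
"""Classify DMARC records into the buckets the adoption report describes:
no record, monitor-only (p=none), enforcing (p=quarantine / p=reject),
and whether aggregate (rua) or forensic (ruf) reporting is configured."""

# Constructed sample records for illustration; these are not real domains' records.
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "none.example": "v=DMARC1; p=none; rua=mailto:agg@none.example; ruf=mailto:fr@none.example",
    "quiet.example": "v=DMARC1; p=quarantine",          # enforcing, but no reporting tags
    "partial.example": "v=DMARC1; p=reject; pct=20; rua=mailto:d@partial.example",
    "broken.example": "v=DMARC1; rua=mailto:x@broken.example",  # missing mandatory p= tag
    "missing.example": None,                             # no TXT record at _dmarc.<domain>
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(record):
    """Return (policy_bucket, has_reporting) for one record (None = no record)."""
    if record is None:
        return ("no-record", False)
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return ("invalid", False)
    # pct defaults to 100; a lower value applies the policy to only that share of failing mail
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    has_reporting = "rua" in tags or "ruf" in tags
    if policy == "none":
        return ("monitor-only", has_reporting)
    if pct < 100:
        return ("partially-enforcing", has_reporting)
    return ("enforcing", has_reporting)

def summarize(records):
    """Count domains per bucket and how many valid records carry no reporting tag."""
    counts, no_reporting = {}, 0
    for record in records.values():
        bucket, reporting = classify(record)
        counts[bucket] = counts.get(bucket, 0) + 1
        if bucket not in ("no-record", "invalid") and not reporting:
            no_reporting += 1
    return counts, no_reporting

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, classify(record))
    print(summarize(SAMPLE_RECORDS))
```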
Gerasim Hovhannisyan, Chief Executive Officer of EasyDMARC, addressed the misconception surrounding DMARC adoption: "There's a growing perception that simply publishing a DMARC record is enough. But adoption without enforcement creates a dangerous illusion of security. In reality, most organisations are leaving the door wide open to attacks targeting customers, partners, or even employees."
Mandates have had a measurable effect. In the United States, where regulatory enforcement is strong, the proportion of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025. Similar progress was noted in the UK and the Czech Republic, countries that also enforce DMARC usage. However, countries without strict requirements, such as the Netherlands and Qatar, showed minimal improvement in reducing phishing acceptance rates.
Recent high-profile cyber attacks, including those targeting retailers such as M&S and Co-op, serve as a backdrop for the report's release. In these incidents, attackers exploited weaknesses in email security through social engineering, costing affected businesses hundreds of thousands in losses. According to EasyDMARC, the increasing sophistication of phishing, partly driven by the use of AI, magnifies the risks for organisations that are inadequately protected.
Hovhannisyan further commented: "Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organisations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option."
The report methodology combined public DNS data with proprietary data collected through EasyDMARC's platform. It involved the review of aggregate DMARC reports from major mailbox providers and included a survey of 980 IT professionals across the United States, United Kingdom, Canada, and the Netherlands. This allowed for insights into regional differences in phishing trends, adoption challenges, and the varying influence of regulatory mandates.
The research concludes that while DMARC adoption has increased, genuine protection against phishing relies on both enforcement and visibility — elements still missing for the vast majority of high-traffic domains worldwide.