SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Over half of global companies leave email systems exposed to phishing

Wed, 9th Jul 2025

Fewer than half of the world's leading public companies have fully enforced protections against email-based phishing attacks, according to new research by EasyDMARC.

The analysis reviewed nearly 7,000 email domains belonging to the largest publicly listed companies globally and found that although 80% have adopted the DMARC authentication protocol, only 42% have implemented the strictest enforcement setting, leaving the majority vulnerable to cyberattacks.

DMARC adoption and policy enforcement

EasyDMARC's study revealed that 5,564 out of 6,987 analysed domains have implemented some form of DMARC. The DMARC protocol, increasingly mandated by providers like Google and Yahoo, is designed to combat email spoofing and phishing by authenticating sender domains.

Despite widespread adoption, the level of enforcement varies. Only 2,340 domains (42%) use the 'p=reject' policy, which actively blocks emails identified as fraudulent. One in four (26%) have set their DMARC policy to 'p=quarantine', diverting suspicious emails to spam folders. Notably, a third (32%) operate only in 'p=none' mode, which monitors incoming email traffic but does not intercept potentially harmful messages.

The findings indicate that 58% of major companies remain susceptible to email-based attacks, as failing to implement the 'p=reject' or even 'p=quarantine' settings allows unauthorised emails to reach intended recipients.

The broader threat landscape

Cybercrime remains on an upward trajectory. According to industry estimates cited by EasyDMARC, global cybercrime losses are projected to reach USD $10.5 trillion in 2025. Business email compromise attacks reportedly cost businesses nearly USD $3 billion in 2023, with an average loss per incident of approximately USD $137,000, as reported by the FBI's Internet Crime Complaint Center (IC3).

Large enterprises remain favoured targets for cybercriminals. Recent data breaches have compromised millions of customer records, inflicting significant financial losses and harming reputations. Email remains a common entry point, as attackers increasingly use sophisticated phishing techniques to bypass incomplete or passive security measures.

Regulatory environment and industry responses

Email security policies are under heightened scrutiny as major providers move to enforce stricter requirements for bulk senders. Google, Yahoo and Microsoft have all adopted tougher DMARC requirements, with enforcement actions already demonstrating tangible results. Reports indicate a 65% reduction in the volume of unauthorised emails following the implementation of these tighter controls by Google and Yahoo.

Regulators and industry groups caution that companies lacking robust DMARC enforcement face increased risks, including regulatory fines and erosion of stakeholder confidence, particularly as phishing tactics adopt artificial intelligence and other advanced tools to increase their success rates.

"Many organizations have taken initial steps to protect their email domains, but by stopping short of full enforcement, they remain in a state of passive monitoring - detecting suspicious activities but failing to prevent them. This gap is particularly concerning for the world's largest publicly listed companies, where the stakes are higher and the potential damage from phishing attacks is far greater. The growing complexity of cyber threats means businesses can no longer afford to take a reactive approach to email security. Organizations must go beyond monitoring and take decisive action to block phishing attempts before they reach inboxes."

The research comes at a time of heightened concern across public and private sectors following a recent phishing incident at HM Revenue and Customs, in which GBP £47 million of public funds was lost. The event has prompted renewed calls for comprehensive adoption of best practices across both government and industry.

Survey methodology

The study, conducted in February 2025, assessed the status of DMARC implementation among 6,987 of the world's largest public company domains. Of these, 5,564 had DMARC records in place. However, only 2,340 domains enforced the p=reject policy, while 1,422 set p=quarantine, and 1,802 remained at p=none.

Email security remains a critical area for ongoing investment as companies evaluate and strengthen their responses to a rapidly evolving digital threat environment.
