Half of Organizations Lack Protection Against Email Spoofing

Stu Sjouwerman | Apr 24, 2025

A new report from Valimail has found that 50% of organizations lack effective protection against email spoofing.

Specifically, many organizations have lenient DMARC policies that don’t actually prevent spoofing. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that helps prevent attackers from sending mail that spoofs the domains of organizations that have it in place.

“In many industries, a significant number of companies have implemented a policy of p=none, likely in response to the Microsoft, Yahoo, and Google email sender requirements (Yahoo/Google announced in 2023, Microsoft in 2025), not realizing that while this ‘checks the box’ for delivering mail to mailbox providers, it does nothing to actually protect email domains against malicious, false use,” the report states. “So, while DMARC adoption rates might appear high, a significant percentage of tracked domains in each segment are unprotected.”
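To make the report’s point concrete, here is an added example (not code from Valimail or from this post) that parses a DMARC TXT record and says whether the published policy actually enforces anything; the domain names and records are constructed for illustration, and a real check would first look up the `_dmarc.<domain>` TXT record via DNS.

```python
# Added example: classify DMARC records as protective or merely "box-checking".
# Sample records below are constructed; they are not from the Valimail report.
SAMPLES = {
    "none.example":      "v=DMARC1; p=none; rua=mailto:dmarc@none.example",
    "partial.example":   "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@partial.example",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "reject.example":    "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "missing.example":   "",   # no _dmarc TXT record published at all
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return ('protected' | 'partial' | 'unprotected', list of reasons)."""
    if not record:
        return "unprotected", ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "unprotected", ["record is not a valid v=DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only asks receivers for reports; spoofed mail is still delivered.
        return "unprotected", [f"p={policy or '<missing>'} requests no enforcement"]
    reasons = []
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # default per spec is 100
    if pct < 100:
        reasons.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    subpolicy = tags.get("sp", policy).lower()          # sp defaults to p
    if subpolicy not in ("quarantine", "reject"):
        reasons.append(f"sp={subpolicy}: subdomains can still be spoofed")
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports of abuse are never received")
    return ("partial" if reasons else "protected"), reasons

def unprotected_share(records: dict) -> float:
    """Fraction of domains whose DMARC policy enforces nothing (the report's headline metric)."""
    verdicts = [assess_dmarc(r)[0] for r in records.values()]
    return verdicts.count("unprotected") / len(verdicts)

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess_dmarc(record))
    print(f"unprotected: {unprotected_share(SAMPLES):.0%}")
```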

Valimail’s CEO Alexander García-Tobar explains, “What’s particularly concerning is that while many organizations have taken initial steps toward securing their email domains, a significant percentage have implemented overly permissive or non-protective policies. This creates a false sense of security while leaving these organizations vulnerable to impersonation attacks that can damage reputation, erode customer trust, and compromise sensitive information.”

The report notes that many organizations fail to implement DMARC effectively because they don’t understand how the protocol can thwart convincing email spoofing.

“A big part of the problem is that many organizations don’t know what DMARC is or why it matters,” the researchers write. “There’s a common belief that other security measures like firewalls or antivirus software are enough to stop phishing. Unfortunately, that’s just not true. Email is one of the weakest links in most organizations’ security.”

It’s worth noting that while DMARC can make an attacker’s job more difficult, threat actors can still find ways to launch impersonation attacks. New-school security awareness training can give your organization an essential layer of defense against social engineering. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Valimail has the story.

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.