Half of Organizations Lack Protection Against Email Spoofing



A new report from Valimail has found that 50% of organizations lack effective protection against email spoofing.

Specifically, many organizations have lenient DMARC policies that don’t actually prevent spoofing. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that helps prevent attackers from spoofing organizations that have the protocol in place. 

“In many industries, a significant number of companies have implemented a policy of p=none, likely in response to the Microsoft, Yahoo, and Google email sender requirements (Yahoo/Google announced in 2023, Microsoft in 2025), not realizing that while this ‘checks the box’ for delivering mail to mailbox providers, it does nothing to actually protect email domains against malicious, false use,” the report states. “So, while DMARC adoption rates might appear high, a significant percentage of tracked domains in each segment are unprotected.”
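The distinction the report draws between a "checks the box" record and a protective one comes down to a few tags in the `_dmarc.<domain>` TXT record. The following is an added example (not code from Valimail, KnowBe4, or the report) that parses DMARC records in their RFC 7489 tag=value form and flags the configurations that look like adoption but do not block spoofed mail: `p=none`, a `pct` below 100, and an enforced organizational domain paired with `sp=none`. The sample records and the `example.com` addresses are constructed for illustration; in practice the record would come from a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Classify DMARC TXT records by whether they actually block spoofing.

Added example, not part of the Valimail report or the KnowBe4 post.
Parses the tag=value syntax of RFC 7489 and reports whether the policy
is enforcing. All sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    policy: str             # value of p= for the organizational domain
    subdomain_policy: str   # effective sp= (defaults to p= when absent)
    pct: int                # share of failing mail the policy is applied to
    enforcing: bool         # True only if spoofed org-domain mail is quarantined/rejected
    notes: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict.
    Tag names are case-insensitive; values are kept verbatim."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Decide whether a record protects the domain, with human-readable notes."""
    tags = parse_dmarc(record)
    notes = []

    if tags.get("v", "").upper() != "DMARC1":
        notes.append("missing or wrong v=DMARC1 tag; receivers will ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        notes.append(f"invalid or missing p= value {policy!r}; treated as non-protective")
        policy = "none"
    elif policy == "none":
        notes.append("p=none only monitors; spoofed mail is still delivered")

    # sp= governs subdomains; when absent, receivers fall back to p=.
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        notes.append(f"invalid sp= value {sp!r}; receivers fall back to p={policy}")
        sp = policy

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not an integer; receivers default to 100")
    pct = max(0, min(pct, 100))
    if policy in ENFORCING and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} action")

    if policy in ENFORCING and sp == "none":
        notes.append("sp=none leaves subdomains spoofable even though the org domain is enforced")

    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so spoofing attempts stay invisible")

    enforcing = policy in ENFORCING and pct == 100
    return DmarcAssessment(policy, sp, pct, enforcing, notes)


# Constructed sample records covering the cases discussed in the report.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "PROTECTED" if result.enforcing else "UNPROTECTED"
        print(f"{name:14s} {status:12s} p={result.policy} sp={result.subdomain_policy} pct={result.pct}")
        for note in result.notes:
            print(f"    - {note}")
```

The `enforcing` flag is deliberately strict: it is true only when `p=` is `quarantine` or `reject` and `pct` is 100, which is the bar the report's "protected" count implies. The `sp=none` case is reported as a note rather than a failure because the organizational domain itself is protected; whether an unprotected subdomain matters depends on what mail is sent from it.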

Valimail’s CEO Alexander García-Tobar explains, “What’s particularly concerning is that while many organizations have taken initial steps toward securing their email domains, a significant percentage have implemented overly permissive or non-protective policies. This creates a false sense of security while leaving these organizations vulnerable to impersonation attacks that can damage reputation, erode customer trust, and compromise sensitive information.”

The report notes that many organizations fail to implement DMARC effectively because they don’t understand how the protocol can thwart convincing email spoofing.

“A big part of the problem is that many organizations don’t know what DMARC is or why it matters,” the researchers write. “There’s a common belief that other security measures like firewalls or antivirus software are enough to stop phishing. Unfortunately, that’s just not true. Email is one of the weakest links in most organizations’ security.”

It’s worth noting that while DMARC can make an attacker’s job more difficult, threat actors can still find ways to launch impersonation attacks. New-school security awareness training can give your organization an essential layer of defense against social engineering. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Valimail has the story.


Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are thoroughly trained in security awareness.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.

Try To Spoof Me!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-spoof-test/


