

Weaponised Email: Mind the DMARC Gap 

By Josh Neame, CTO, BlueFort Security  

We need to talk about email. The most trusted, yet most abused communication channel in business. Despite decades of security investment, email is rarely secured to its full potential and remains a primary vector for fraud and business email compromise (BEC) attacks. It’s still the easiest way to impersonate a brand, defraud a business, or bypass perimeter controls, and while many organisations get close to real protection, they stop just short of full policy enforcement. As with all dangerous platforms, it’s wise to consider the familiar warning: mind the gap. 

Our Love/Hate Relationship with Email  

Email is not something new, of course. As I pointed out in a recent blog looking at the limitations of traditional secure email gateways (SEGs), the first email was sent in 1971, and email volume has continued to grow ever since. The Radicati Group is a respected authority on email and messaging data and publishes an annual executive summary that includes global email traffic figures. According to the Group’s 2024-2028 Email Statistics Report, an estimated 376.4 billion emails were sent and received each day worldwide in 2025. This is expected to exceed 424 billion by 2028, where the number of worldwide users will grow to more than 4.9 billion – well over half of the world’s population.  

Like any useful technology, email is a double-edged sword. On the blunt and ineffective end, there’s ‘graymail’ – non-malicious bulk email that comes in the form of promotions, newsletters, and marketing material. The kind of emails that make you rue the day you bought your colleague that custom air freshener for Secret Santa seven years ago. Bulk email like this doesn’t quite fit the description of spam, because while you now regret inadvertently ticking the ‘I would love to receive your updates’ box all those years ago, the emails are not technically unsolicited.  

The more serious side of the blade is email spoofing – the weaponisation of email to conduct phishing and impersonation attacks, which represent a real problem for businesses. When an organisation’s email authentication policies are ineffective, email spoofing is relatively easy to conduct and very dangerous. Spoofed emails appear to come from a legitimate internal or trusted external sender. The spoofed organisation’s domain is visible in the ‘from’ address, and the email is often presented as a supplier or senior individual from within the organisation asking for information, invoice payments, or for the recipient to click a compromised link. Spoofed emails are the key tactic in phishing and BEC attacks.  

The rise of GenAI has made the problem of weak authentication far worse through the growth in sophisticated, AI-powered email threats and threat actors relying on tools such as FraudGPT and other LLMs to generate more convincing malicious email campaigns. In its recent Cyberthreat Report 2025: Email security & DMARC in the age of AI, Sendmarc found that phishing attacks increased by 91.5% between April 2023 and April 2024, and BEC incidents rose by nearly 124% in European enterprises. In the UK, the same report found that in 2024 phishing was named as the initial entry point by 85% of businesses.  

Spoofing is also becoming increasingly complex. Microsoft recently published a blog outlining how it has seen an increase in phishing actors exploiting complex routing scenarios, misconfigured spoof protections, and a lack of email authentication policies to deliver more effective spoofing emails.  

How Email Authentication Works in Practice 

Email authentication, when implemented correctly, works a bit like wrapping an email in a virtual envelope, complete with a ‘to’ and ‘from’ address. These controls prevent spoofing and subsequently protect employees, customers, and suppliers from being tricked into sharing sensitive information or sending money to fraudsters. At the heart of modern email authentication is Domain-based Message Authentication, Reporting, and Conformance (DMARC) – a global standard developed by a consortium of leading technology vendors. 

DMARC works by checking inbound emails against two separate authentication protocols: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). If a message fails these checks (neither SPF nor DKIM passes for a domain aligned with the visible ‘from’ domain), DMARC instructs the receiving server to either quarantine or reject the email, while also relaying information back to the domain owner so appropriate action can be taken. The goal is simple: ensure legitimate emails are delivered, while preventing malicious actors from impersonating your domain. 

DMARC enforcement is often described in three policy stages:  

  1. p=none is the monitoring stage, where failed messages are logged but not blocked. 
  2. p=quarantine marks failing emails as suspicious, often sending them to spam or a dedicated quarantine folder.  
  3. p=reject represents full enforcement, rejecting failing emails outright and providing the strongest protection against spoofing.  

These policies can also be applied at a subdomain level, giving organisations control over both the main organisational domain and its various subdomains. Achieving full DMARC enforcement is widely recognised as a key step in email security maturity. 
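To make the policy stages and the subdomain handling concrete, here is a small evaluator added for this article (it is not BlueFort's or Sendmarc's code). It parses a DMARC TXT record, applies SPF/DKIM alignment, returns the disposition a receiver should apply, and flags any tag weaker than p=reject, which is the gap discussed further down. The record text and the SPF/DKIM results are assumed to come from a DNS lookup and the receiver's own checks; the sample record and domains are constructed.

```python
# Added example (not from the article): a minimal DMARC evaluator. Inputs are the
# domain owner's _dmarc TXT record and the receiver's own SPF/DKIM results.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=quarantine; sp=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Organisational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """'pass' if SPF or DKIM passed for an aligned domain, else the policy to apply."""
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags.get("aspf", "r")):
        return "pass"
    if aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r")):
        return "pass"
    # A subdomain inherits sp= from the organisational domain's record, else p=.
    if from_domain.lower() != org_domain(from_domain):
        return tags.get("sp", tags["p"]).lower()
    return tags["p"].lower()

def enforcement_gap(record):
    """Tags weaker than full enforcement: the 'DMARC gap' the article describes."""
    tags, gaps = parse_dmarc(record), []
    if tags["p"].lower() != "reject":
        gaps.append("p=" + tags["p"])
    if "sp" in tags and tags["sp"].lower() != "reject":
        gaps.append("sp=" + tags["sp"])
    return gaps

# Constructed sample record: quarantine on the main domain, nothing on subdomains.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; sp=none; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

Note that with adkim=s a DKIM signature from mail.example.com no longer aligns with example.com, which is exactly the kind of legitimate-sender breakage that keeps teams from moving to p=reject.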

Manual DMARC provisioning can be challenging. Failure reports generated when an email fails DMARC (RUF reports) are delivered as raw email header data. They are rough in nature as well as name – highly technical and difficult to interpret without specialist expertise. As a result, many security teams lack the confidence to manage DMARC enforcement manually, particularly where there is no dedicated email security specialist.  

Given the risk of inadvertently disrupting legitimate organisational email – an outcome no team wants to be the cause of – organisations often choose not to progress beyond a quarantine policy. Without the skills, tooling, or visibility required to safely validate all legitimate senders, teams are reluctant or unable to move to a reject policy. Consequently, many organisations, including some very large well-known enterprises, remain at p=quarantine for years and never reach full p=reject enforcement. 

What’s Driving DMARC Adoption?  

DMARC is widely recognised as an industry best practice, but it is not yet a universal legal requirement. Adoption has been driven largely by the mandates of major email providers. Google and Yahoo, for example, introduced strict deadlines for bulk email senders, which more than doubled adoption rates in the months that followed. In May 2025, Microsoft joined the effort, announcing high-volume email requirements that aligned with Google and Yahoo’s existing guidance. These measures have created a de facto standard for organisations that send large volumes of email, particularly those that rely on newsletters, marketing campaigns, or automated transactional messages.  

In the UK, government policy takes a firmer line. DMARC is mandated for public sector organisations, and central government domains (for example, those ending in .gov.uk) are expected to implement a strong enforcement level, typically p=reject. Beyond government mandates, regulatory and security frameworks are increasingly incorporating DMARC. PCI DSS v4.0, for instance, now explicitly references DMARC, meaning payment providers that fail to implement the standard risk audit failures, fines, or even losing the ability to process payments. Meanwhile, guidance from frameworks like NIST strongly recommends DMARC adoption, even when it is not a formal legal obligation. 

Taken together, these signals show that DMARC is moving from a technical nicety to a practical necessity. Organisations that ignore it risk brand impersonation, operational disruption, and regulatory exposure, while those that adopt strong enforcement gain a clear defensive advantage against the most common forms of email fraud. 

Changing Approaches to Email Security and the DMARC Gap 

Despite the increase in adoption rates, there is another important reason why now is a pertinent time to talk about DMARC. That reason is the inadvertent DMARC gap that many organisations are creating as they update their email security tools. Companies are rapidly moving to cloud-based email protection platforms – and for good reason. These tools offer advanced capabilities, including behavioural AI for detecting inbound threats, and represent a powerful addition to the security tool set. 

However, this transition is exposing a new risk. Many organisations are replacing traditional SEGs, which historically included managed DMARC enforcement – often at a premium. SEGs acted as a full receiving server, capable of handling authentication, certificate exchange, and enforcement transparently. In contrast, modern API-based email tools are largely ‘invisible’ to messages: they inspect and filter emails in transit but do not inherently enforce DMARC. As a result, companies that once had built-in DMARC protections are now discovering they need to either layer a dedicated DMARC solution on top of their cloud tools or manage it manually. 

As more vendors release API-first email protection, this challenge will only grow. Organisations that assumed DMARC enforcement came as standard may find themselves facing a gap in protection, potentially exposing domains to spoofing unless the gap is addressed proactively. 

Fundamentally, DMARC has become a necessary, if sometimes frustrating, control. Bad actors can now leverage AI to rapidly identify and target organisations that lack SPF and DMARC enforcement. Left unchecked, this allows attackers to scale campaigns against companies that have not yet reached full p=reject enforcement. 

The implications extend beyond direct attacks. With supply-chain threats on the rise, DMARC is increasingly considered a standard element of third-party risk assessment. Many suppliers and partners now check SPF and DMARC as part of due diligence, using it as a simple but effective indicator of how security-conscious an organisation is. In this way, DMARC is not just a technical control, but is becoming a practical measure of trustworthiness in the wider business ecosystem. 

Get In Touch with BlueFort Security  

As any battle-hardened cybersecurity professional will know, every problem has a solution, and every gap can be closed with the right controls. The answer to closing the DMARC gap is, as far as answers in cybersecurity go, fairly simple, and it doesn’t involve diving into the depths of RUF reports.  

BlueFort has partnered with Sendmarc, which provides a comprehensive and automated DMARC, DKIM, and SPF control platform that integrates directly into a range of email security solutions. It gives you access to an easy-to-use UI and requires limited in-house resources to manage. 

If the DMARC gap in your organisation is keeping you up at night (or you think it will be after reading this blog), then get in touch with us. Working in collaboration with Sendmarc, BlueFort’s experts can run a simple assessment of your organisation’s top email-sending domain, and provide a clear, actionable report to show you where you stand and how to improve your authentication policies.  

