2.3 million organizations embrace DMARC compliance

Executive Summary: Over the past year, 2.3 million organizations have adopted DMARC, enhancing email security globally. This progress reflects a positive trend toward securing email ecosystems, with certain countries leading the charge.

This article:

  • Reports a significant increase in organizations adopting DMARC over the past year.
  • Analyzes global readiness and progress in email security standards.
  • Highlights countries leading in securing their email ecosystems.

Introduction

It has been one year since Google and Yahoo implemented stricter requirements for bulk email senders. Eleven months ago, Red Sift shared an update based on data from BIMI Radar, which revealed a concerning global readiness picture.

Now, with a full year behind us, it’s time to evaluate the progress organizations have made in addressing these requirements. In February 2024, 91.38% of global domains lacked a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record, leaving them vulnerable to compliance failures and cyber threats.

To mark this milestone, we’re taking a closer look at the latest data on DMARC adoption worldwide, as well as Brand Indicators for Message Identification (BIMI) readiness, examining how far we’ve come and which countries are leading the way in securing their email ecosystems.

DMARC adoption increases by 2.3 million

Since 1 February 2024, we have seen a significant increase in the number of organizations adopting DMARC, up 2.32 million as of 18 December 2024, based on the tracking of 72.85 million apex domains. In fact, the rate of adoption has more than doubled compared to the same period in 2023—a clear sign that organizations are moving in the right direction. 

Public companies continue to make significant strides

One month after Google and Yahoo’s bulk sender requirements, we reported that countries were making significant progress in their readiness for the new requirements, with Germany, Japan, and Spain increasing their readiness level by as much as 35%. One year on, what does the global snapshot look like? The table below covers domains analysed across a sample of 14 countries:

| Country | % that will fail, January 2024 | % that will fail, December 2024 | Change | Domain sample size |
|---|---|---|---|---|
| Italy | 29.81% | 17.31% | 12.5% | 104 |
| Germany | 20.75% | 13.21% | 7.54% | 53 |
| Canada | 12.37% | 7.22% | 5.15% | 97 |
| Japan | 50% | 30.56% | 19.44% | 72 |
| Spain | 39.18% | 22.68% | 16.5% | 97 |
| Netherlands | 16.83% | 10.89% | 5.94% | 101 |
| United States | 6.52% | 4.35% | 2.17% | 92 |
| France | 10.47% | 9.3% | 1.17% | 86 |
| Australia | 10.78% | 5.88% | 4.9% | 102 |
| United Kingdom | 14.58% | 11.46% | 3.12% | 96 |
| Austria | 45.71% | 17.4% | 28.31% | 35 |
| Indonesia | 47.92% | 34.38% | 13.54% | 96 |
| Chile | 28.89% | 20% | 8.89% | 90 |
| India | 17.44% | 18.6%* | 1.16% | 86 |

*One domain’s enforcement policy has regressed, while another domain has changed its corporate domain name.

The picture is overwhelmingly positive: all but one country increased its rate of DMARC adoption, and less than a third of all domains sampled now achieve only basic or no authentication. The largest success stories throughout 2024 appear to be Austria, closing the gap by 28.31%, Japan by 19.44% and Spain by 16.5%. In addition, the rate of compliance appears to have remained steady over the same period, suggesting the requirements are shifting attitudes toward adopting DMARC.

What about BIMI readiness by country?

Introduced in 2021, BIMI is an email standard enabling businesses to display their brand logo in the avatar slot of emails authenticated through DMARC. In March 2024, we analyzed BIMI readiness among the largest publicly traded companies globally, assessing domains with a DMARC policy of at least p=reject, configured SPF and DKIM, and alignment of either SPF or DKIM.

One year later, how does this landscape compare? Have Google and Yahoo’s requirements driven greater adoption of stricter email security policies, such as moving beyond DMARC reporting (p=none) to implementing a secure, BIMI-ready policy (p=reject)? The figures include domains that are actively deploying BIMI and those that have fully implemented BIMI with a Verified Mark Certificate (VMC).

Explore the updated data below to see how BIMI readiness has evolved over the past year:

| Country | % with BIMI-compliant DMARC policy, January 2024 | % with BIMI-compliant DMARC policy, December 2024 | Change | Domain sample size |
|---|---|---|---|---|
| Germany | 35.8% | 50.95% | 15.15% | 53 |
| Spain | 30.9% | 46.4% | 15.5% | 97 |
| United Kingdom | 59.4% | 67.7% | 8.3% | 96 |
| United States | 75% | 79.35% | 4.35% | 92 |
| Indonesia | 37.5% | 47.9% | 10.4% | 96 |
| France | 57% | 65.1% | 8.1% | 86 |
| India | 70.9% | 72.1% | 1.2% | 86 |
| Netherlands | 66.3% | 72.3% | 6% | 101 |
| Canada | 50.5% | 61.9% | 11.4% | 97 |
| Chile | 38.9% | 51.1% | 12.2% | 90 |
| Austria | 34.3% | 51.4% | 17.1% | 35 |
| Italy | 32.7% | 35.6% | 2.9% | 104 |
| Japan | 15.3% | 20.8% | 5.5% | 72 |

From the table above, there is a clear shift in top publicly traded companies opting to move beyond basic DMARC reporting and instead progressing to a DMARC policy of p=reject, meaning BIMI can now be deployed. The biggest movers once again include Austria with an impressive 17.1% uptake in 2024, followed by Spain with 15.5% and Germany at 15.15%. These businesses now face an easier path forward, with the requirements expected to get even more stringent.
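To make the p=none versus p=reject distinction concrete, here is an added Python example (not Red Sift's code and not BIMI Radar's methodology) that classifies the TXT records published at `_dmarc.<domain>` into the postures discussed above. The posture labels, the `.example` domains and their records are constructed for illustration; it covers only the DMARC policy part of the readiness criteria, not SPF/DKIM configuration or alignment, and counting `pct` below 100 as short of the bar is this example's assumption.

```python
# Added example: constructed records only, no DNS lookups are performed.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            continue
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the record must start with the v tag, valued exactly "DMARC1".
    first = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    return tags


def posture(txt_records):
    """Classify the TXT records found at _dmarc.<domain> (labels are this example's)."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(found) != 1:
        return "no-dmarc"          # none, or several: receivers apply no policy
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Missing or invalid p: treated as p=none only when rua is present.
        return "monitoring" if tags.get("rua") else "no-dmarc"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                  # unparsable pct: fall back to the default
    if policy == "none":
        return "monitoring"
    if policy == "reject" and pct == 100:
        return "reject"            # the article's bar for BIMI readiness
    return "partial-enforcement"   # quarantine, or reject applied to a fraction


SAMPLES = {  # constructed records for illustration
    "a.example": [],
    "b.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=reject; pct=25"],
    "d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@d.example"],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:10} {posture(records)}")
```

The `e.example` case is the one most often missed in audits: two DMARC records at the same name leave the domain with no effective policy even though one of them says p=reject.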

The horizon remains positive, but more work is needed

Research from Red Sift’s BIMI Radar reveals notable progress since Google and Yahoo implemented stricter controls for bulk sender emails. Encouragingly, publicly traded companies (excluding the outlying data from India) have significantly reduced the risk of compliance failure. However, this insight is drawn from a smaller sample size, and the global picture shows that 86.62% of domains still lack adequate protection against today’s growing cyber threats—an improvement of just 4.46% since January 2024. While progress is evident, much work remains to be done.

At Red Sift, we are committed to making the internet safer by helping businesses implement robust security measures, including a secure DMARC policy set to p=reject. Unsure if your business is ready? With Red Sift Investigate, a single test email can verify your compliance with Google and Yahoo’s updated requirements for bulk senders, covering critical standards like DMARC, DKIM, SPF, and FCrDNS.

PUBLISHED BY

Jack Lilley

5 Feb. 2025
