Executive Summary: Over the past year, 2.3 million organizations have adopted DMARC, enhancing email security globally. This progress reflects a positive trend toward securing email ecosystems, with certain countries leading the charge.
This article:
- Reports a significant increase in organizations adopting DMARC over the past year.
- Analyzes global readiness and progress in email security standards.
- Highlights countries leading in securing their email ecosystems.
Introduction
It has been one year since Google and Yahoo implemented stricter requirements for bulk email senders. Eleven months ago, Red Sift shared an update based on data from BIMI Radar, which revealed a concerning global readiness picture.
Now, with a full year behind us, it’s time to evaluate the progress organizations have made in addressing these requirements. In February 2024, 91.38% of global domains lacked a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record, leaving them vulnerable to compliance failures and cyber threats.
To mark this milestone, we’re taking a closer look at the latest data on DMARC adoption worldwide as well as Brand Brand Indicators for Message Identification (BIMI) readiness, examining how far we’ve come and which countries are leading the way in securing their email ecosystems.
DMARC adoption increases by 2.3 million
Since 1 February 2024, we have seen a significant increase in the number of organizations adopting DMARC, up 2.32 million as of 18 December 2024, based on the tracking of 72.85 million apex domains. In fact, the rate of adoption has more than doubled compared to the same period in 2023—a clear sign that organizations are moving in the right direction.
Public companies continue to make significant strides
One month after Google and Yahoo’s bulk sender requirements, we reported that countries were making significant progress in their readiness for the new requirements, with Germany, Japan, and Spain increasing readiness level by as much as 35%. One year on, what does the global snapshot from domains analysed across a sample of 14 countries:
Country | % that will fail January 24 | % that will fail December 24 | Change | Domain sample size |
Italy | 29.81% | 17.31% | 12.5% | 104 |
Germany | 20.75% | 13.21% | 7.54% | 53 |
Canada | 12.37% | 7.22% | 5.15% | 97 |
Japan | 50% | 30.56% | 19.44% | 72 |
Spain | 39.18% | 22.68% | 16.5% | 97 |
Netherlands | 16.83% | 10.89% | 5.94% | 101 |
United States | 6.52% | 4.35% | 2.17% | 92 |
France | 10.47% | 9.3% | 1.17% | 86 |
Australia | 10.78% | 5.88% | 4.9% | 102 |
United Kingdom | 14.58% | 11.46% | 3.12% | 96 |
Austria | 45.71% | 17.4% | 28.31% | 35 |
Indonesia | 47.92% | 34.38% | 13.54% | 96 |
Chile | 28.89% | 20% | 8.89% | 90 |
India | 17.44% | 18.6%* | 1.16% | 86 |
*One of the domain’s enforcement policy has regressed, while another domain has changed their corporate domain name.
The picture is overwhelmingly positive, with all but one country increasing the adoption rate of DMARC implementation, with now less than a third of all domains sampled only achieving basic or no authentication. The largest success stories throughout 2024 appear to be Austria, closing the gap by 28.31%, Japan by 19.44% and Spain by 16.5%. In addition, the rate of compliance appears to have remained steady over the same period, suggesting the requirements are shifting attitudes into adopting DMARC.
What about BIMI readiness by country?
Introduced in 2021, BIMI is an email standard enabling businesses to display their brand logo in the avatar slot of emails authenticated through DMARC. In March 2024, we analyzed BIMI readiness among the largest publicly traded companies globally, assessing domains with a DMARC policy of at least p=reject, configured SPF and DKIM, and alignment of either SPF or DKIM.
One year later, how does this landscape compare? Have Google and Yahoo’s requirements driven greater adoption of stricter email security policies, such as moving beyond DMARC reporting (p=none) to implementing a secure, BIMI-ready policy (p=reject)? Including those domains who are actively deploying BIMI or those that have fully implemented BIMI with a Verified Mark Certificate (VMC).
Explore the updated data below to see how BIMI readiness has evolved over the past year:
Country | % with BIMI-compliant DMARC policy January 2024 | % with BIMI-compliant DMARC policy December 2024 | Change | Domain sample size |
Germany | 35.8% | 50.95% | 15.15% | 53 |
Spain | 30.9% | 46.4% | 15.5% | 97 |
United Kingdom | 59.4% | 67.7% | 8.3% | 96 |
United States | 75% | 79.35% | 4.35% | 92 |
Indonesia | 37.5% | 47.9% | 10.4% | 96 |
France | 57% | 65.1% | 8.1% | 86 |
India | 70.9% | 72.1% | 1.2% | 86 |
Netherlands | 66.3% | 72.3% | 6% | 101 |
Canada | 50.5% | 61.9% | 11.4% | 97 |
Chile | 38.9% | 51.1% | 12.2% | 90 |
Austria | 34.3% | 51.4% | 17.1% | 35 |
Italy | 32.7% | 35.6% | 2.9% | 104 |
Japan | 15.3% | 20.8% | 5.5% | 72 |
From the table above, there is a clear shift in top publicly traded companies opting to move beyond basic DMARC reporting and instead progressing to achieve a DMARC policy of p=reject, meaning BIMI can now be deployed. The biggest movers once again include Austria with an impressive 17.1% uptake in 2024, followed by Spain with 15.5% and Germany at 15.15%. These businesses now face an easier path forward, with the requirements expected to get even more stringent.
The horizon remains positive, but more work is needed
Research from Red Sift’s BIMI Radar reveals notable progress since Google and Yahoo implemented stricter controls for bulk sender emails. Encouragingly, publicly traded companies (excluding the outlining data from Insita) have significantly reduced the risk of compliance failure. However, this insight is drawn from a smaller sample size, and the global picture shows that 86.62% of domains still lack adequate protection against today’s growing cyber threats—an improvement of just 4.46% since January 2024. While progress is evident, much work remains to be done.
At Red Sift, we are committed to making the internet safer by helping businesses implement robust security measures, including a secure DMARC policy set to p=reject. Unsure if your business is ready? With Red Sift Investigate, a single test email can verify your compliance with Google and Yahoo’s updated requirements for bulk senders, covering critical standards like DMARC, DKIM, SPF, and FcrDNS.
