1.2% of .org Domains Have Phishing Protection | EasyDMARC

Only 1.2% of .org Domains Have Phishing Protection

3 Min Read
Only 1.2% of .org Domains Have Phishing Protection


  • Of nearly 10 million .org domains globally, only 1.2% have full phishing protection with DMARC
  • Globally, only 3.8% of .org domains report using DMARC in the first place
  • Among the top 100 US .org domains by traffic, only 20 have fully implemented DMARC

The Research

Only 1.2% of .org domains globally have implemented measures to prevent email phishing, spoofing, and ransomware attacks. This figure rises to only 20% among the top 100 US non-profits .org domains by traffic.

New research from email security provider EasyDMARC reviewed a dataset of 9,935,024 verified .org email domains. EasyDMARC found that only 376,497 (3.8%) domains had implemented the Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standard. 

The DMARC standard enables the automatic flagging and removal of receiving emails that are impersonating senders’ domains, which is a crucial outbound phishing protection methodology. Despite the standard being over a decade old, this research indicates a widespread under-adoption of the standard among non-profits.

The Policy Distribution

While there is a greater degree of DMARC adoption among the 100 most popular US non-profits by traffic, one in four still has not deployed the standard. Further, only 20% of the top 100 US .org domains have deployed DMARC and implemented a ‘reject’ policy that automatically rejected emails impersonating a legitimate domain.

Download Our Report to Learn More!

The research also signals a failure by the global non-profit sector to adequately configure DMARC when implemented. Among the small minority of the global .org domains tested that employ DMARC, 171,486 (45.6%) had incorrectly configured it. As a result, these organizations lacked visibility into any impersonating emails they received or blocked.

Globally among non-profit domains using DMARC, only 121,290 (32.2%) had implemented a ‘reject’ policy that automatically rejected emails impersonating a legitimate domain. Most domains employing DMARC had configured it to do nothing about impersonating emails, with 218,777 (58.1%) domains having no policy. 55,281 (14.7%) had configured DMARC to send impersonating emails into quarantine.

Gerasim Hovhannisyan, EasyDMARC CEO and co-founder says: 

“Impersonating email domains is one of the main tools used in successful phishing, spoofing, and ransomware attacks. That’s why it’s so worrying to see our research indicate that only 1.2% of global non-profits have implemented domain authentication via DMARC, which remains the best way to curb this threat.

“With phishing and ransomware attacks rising dramatically, a widespread lack of domain authentication leaves the non-profit sector incredibly vulnerable to cyber-criminals. Without taking steps to rectify this, many charitable and philanthropic organizations are at risk of significant disruption and financial losses.”

Digital Marketing Specialist | EasyDMARC
Anush is a firm believer in the potential of PR to spread cybersecurity awareness worldwide, and she is on a fantastic journey to make that happen!


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us