DMARC Enforcement Boosts Email Security | EasyDMARC

National DMARC Enforcement: How Government Action Influences Email Security

4 Min Read

As phishing attacks become increasingly sophisticated, governments worldwide are recognizing the critical role of DMARC enforcement as a frontline defense against these threats. The EasyDMARC 2025 DMARC Adoption Report presents compelling evidence that national policy decisions have a significant impact on email security outcomes.

Our deep dive into DMARC enforcement at the national level forms part of EasyDMARC’s extensive 2025 study on global DMARC adoption and enforcement. For this section of our research, we used proprietary DMARC data collected through EasyDMARC’s platform. To understand how national-level mandates influence phishing exposure, we analyzed over 278 million emails from 2023 and more than 115 million emails from January to April 2025, covering seven countries with varying levels of DMARC policy enforcement.1

The Power of Mandates: Success Stories from Leading Countries

The United States, the Czech Republic, and the United Kingdom stand out for their strong DMARC mandates. The results? A significant decline in phishing emails bypassing authentication.

In the US, domains using a weak p=none policy dropped from over two-thirds in 2023 to just 14.2% in 2025. Similar improvements were observed in the Czech Republic, where p=none decreased from 89.8% to 22.2%, and in the UK, where it dropped from 85.1% to 10.1%, resulting in a doubling of reject rates. These results underscore the impact of legal mandates, when combined with effective compliance mechanisms, on achieving significant security improvements. The drop in p=none usage means fewer opportunities for attackers to successfully impersonate trusted domains, reducing phishing risk. For organizations enforcing strict DMARC policies, the result is stronger brand protection, better deliverability, and increased trust from recipients.

Partial Mandates, Mixed Results

Countries like Germany, Canada, and Norway present a different scenario. Despite having some regulatory frameworks in place, the outcomes are inconsistent.

In Germany, there was a concerning drop in strict p=reject policies from 42.6% to 7.9%, accompanied by an increase in softer p=quarantine usage. Canada, however, made steady progress and maintained a respectable 70.2% at the p=reject level. Norway retained a high enforcement rate, although some traffic shifted to quarantine.

These mixed outcomes illustrate that recommendations and phased rollouts alone are not always sufficient. Without robust accountability, adoption can plateau or even regress.

Minimal Enforcement, Maximum Risk

The Netherlands and Qatar highlight the risks of weak or non-existent DMARC mandates. In both countries, phishing emails continue to flood inboxes unchecked. The Netherlands even experienced a decline in DMARC effectiveness, with p=none policies rising from 76.5% to 97.1% despite government recommendations.

For companies with weak or no DMARC policies, this translates to a heightened risk of their domains being exploited for phishing and spoofing attacks. Without proper enforcement, they not only expose their customers to fraud but also damage their own reputation and email deliverability.

The Data Is Clear: Mandates Matter

Our report reveals a consistent trend: countries with mandated enforcement-level DMARC policies, specifically p=quarantine or p=reject, experienced substantial reductions in phishing exposure. Where guidance is weak or non-binding, attackers exploited these vulnerabilities.

Recommendations for Policymakers

  1. Mandate Enforcement-Level DMARC: Establish legal requirements for p=reject as the most effective path to improving email security.
  2. Phased Rollouts with Deadlines: Implement structured transitions from p=none to enforcement (p=reject) to mitigate deliverability concerns while ensuring progress.
  3. Elevate Recommendations to Regulations: Recognize that non-binding guidance leads to inconsistent adoption and ongoing risk.
  4. Lead by Example: Mandate DMARC for government domains to set a precedent and encourage alignment in the private sector.
  5. Promote Public-Private Collaboration: Technical resources, awareness campaigns, and partnerships are essential to support adoption, particularly in critical industries.

Conclusion: National Leadership is Non-Negotiable

Phishing remains a global threat, but as the EasyDMARC 2025 DMARC Adoption Report demonstrates, national policy is a powerful tool for mitigating this threat. Countries that adopt firm mandates and lead by example create safer digital environments, not just for governments, but for all organizations and citizens.

  1. This data is derived from anonymized aggregate DMARC reports processed through EasyDMARC’s platform. The analysis is limited to metadata, such as sender domains, policy results, and reporting IPs, and does not include any email content or personally identifiable information. 
    ↩︎
Marketing Specialist
Sona is a marketing specialist in the corporate marketing division, passionate about communication and storytelling. She enjoys crafting clear, impactful messages that connect brands with their audiences.
Comments
guest
0 Comments
Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us