The State of DMARC Adoption in Australia
We scanned 1,929 of Australia's most important domains. Here's what we found.
Australia is half-protecting its email domains
Our research reveals a critical disconnect: while 76% of Australia's top 1,929 domains have a DMARC record, only 21.2% have the complete authentication stack needed for real protection — DMARC at p=reject, SPF, and DKIM all working together.
Having DMARC without DKIM is like locking the front door but leaving the back open. A message passes DMARC only when SPF or DKIM passes in alignment with the From domain. Forwarding typically breaks SPF, because the forwarding server is not listed in the original sender's SPF record, so without DKIM forwarded emails will fail authentication entirely. Yet 31.2% of the domains we scanned have DMARC configured but no detectable DKIM record.
The gap varies dramatically by sector. Not-for-Profit leads with an average score of 68/100, while Education - Schools trails at just 40/100. Even among top performers, DKIM adoption remains the weakest link — suggesting that many organisations set up DMARC and SPF but never completed the last step.
Why This Matters Now
Australia's email security gap isn't just a technical problem — it's a regulatory and business risk that's growing.
In 2024, Google and Yahoo began enforcing DMARC requirements for bulk email senders, rejecting messages from domains without proper authentication. Microsoft followed with similar enforcement for Outlook.com in 2025. For Australian businesses sending marketing emails, invoices, or transactional messages, failing to implement DMARC now means emails going to spam — or not being delivered at all.
Meanwhile, the Australian Signals Directorate (ASD) recommends DMARC at p=reject as part of its email hardening guidance, and the ACSC's strategies to mitigate cyber security incidents specifically call for hard-fail SPF and DMARC records. The Notifiable Data Breaches (NDB) scheme means that domain spoofing incidents can trigger mandatory breach notifications under the Privacy Act.
Globally, DMARC adoption among top domains reached approximately 47.7% in 2025. Australia sits above this at 76% — but that headline number masks the real problem. Only 38.3% enforce at p=reject, and just 21.2% have the complete authentication stack.
Australia has started the journey but hasn't finished it.
Cyber Bodies Recommend DMARC in Australia
Australian Cyber Security Centre
“Enable SPF, DKIM, and DMARC to protect against spoofing.”
Victorian State Government
The government is currently rolling out DMARC across all agencies.
Australian Signals Directorate
“Use a ‘reject’ policy for complete protection.”
Notifiable Data Breaches Scheme
“Spoofing can trigger breach notifications under the Privacy Act.”
How does your industry compare?
22 sectors ranked by average email security score
| # | Sector | Domains | Has DMARC | p=reject | Has SPF | Has DKIM | Avg Score |
|---|---|---|---|---|---|---|---|
| 1 | Not-for-Profit | 41 | 90% | 29% | 93% | 68% | 68 |
| 2 | Education | 78 | 95% | 40% | 95% | 56% | 66 |
| 3 | State Government | 117 | 90% | 62% | 90% | 50% | 66 |
| 4 | Technology | 72 | 88% | 47% | 96% | 56% | 65 |
| 5 | Professional Services | 40 | 95% | 68% | 93% | 35% | 64 |
| 6 | Federal Government | 101 | 90% | 58% | 90% | 39% | 63 |
| 7 | Banking & Finance | 79 | 85% | 57% | 85% | 51% | 61 |
| 8 | Retail & Consumer | 75 | 85% | 48% | 84% | 49% | 61 |
| 9 | Energy & Utilities | 53 | 81% | 42% | 89% | 51% | 60 |
| 10 | Local Government | 312 | 80% | 45% | 80% | 54% | 60 |
| 11 | Media & Entertainment | 39 | 79% | 36% | 87% | 56% | 60 |
| 12 | Religious & Community | 10 | 80% | 20% | 100% | 50% | 60 |
| 13 | Construction | 40 | 75% | 45% | 85% | 48% | 59 |
| 14 | Transport & Logistics | 48 | 81% | 52% | 81% | 38% | 58 |
| 15 | Peak Body & Association | 62 | 63% | 11% | 79% | 52% | 50 |
| 16 | Travel & Hospitality | 40 | 73% | 35% | 78% | 40% | 50 |
| 17 | ASX Listed | 58 | 66% | 24% | 76% | 34% | 50 |
| 18 | SME Business | 334 | 65% | 23% | 75% | 37% | 48 |
| 19 | Mining & Resources | 58 | 69% | 34% | 74% | 29% | 48 |
| 20 | Real Estate | 49 | 71% | 24% | 71% | 37% | 47 |
| 21 | Healthcare | 109 | 63% | 34% | 61% | 28% | 42 |
| 22 | Education - Schools | 114 | 53% | 17% | 56% | 40% | 40 |
Key Findings
24% completely unprotected
Nearly a quarter of Australia's key domains have no DMARC record at all — leaving them fully exposed to impersonation and phishing attacks.
Only 21.2% fully protected
Just 409 of 1,929 domains have the complete stack: DMARC at p=reject with both SPF and DKIM. The rest have gaps that attackers can exploit.
DKIM is the weakest link
Only 44.8% of domains have DKIM configured — far behind SPF (79.9%) and DMARC (76%). Without DKIM, forwarded email fails authentication entirely.
24.6% stalled at p=none
361 domains have DMARC set to "monitor only" — it tells you about failures but doesn't prevent impersonation. These domains started the journey but never completed it.
631 domains use weak DKIM keys
63% of DKIM keys found are 1024-bit or shorter. Industry best practice has moved to 2048-bit keys, as 1024-bit keys are increasingly vulnerable to brute-force attacks.
MTA-STS adoption: 0%
Not a single domain in our scan had MTA-STS configured. This protocol prevents TLS downgrade attacks on email transport — yet it remains virtually unknown in Australia.
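To check a domain against the weak DKIM key finding above, the key length can be read straight from the published TXT record. The following is an added example, not DMARC Busta's scanner code: the function names are hypothetical, it handles RSA keys only, and the sample records are constructed with placeholder moduli rather than real keys.

```python
import base64
import re

def _tlv(buf, i=0):
    """Read one DER tag-length-value at offset i: return (value, next_offset)."""
    n = buf[i + 1]
    i += 2
    if n & 0x80:                          # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return buf[i:i + n], i + n

def dkim_rsa_bits(record):
    """RSA modulus size in bits for a DKIM TXT record, or None if there is no RSA key."""
    key_type = re.search(r"(?:^|;)\s*k=\s*([^;\s]*)", record)
    key_data = re.search(r"(?:^|;)\s*p=([^;]*)", record)
    if key_type and key_type.group(1).lower() != "rsa":
        return None                       # e.g. k=ed25519
    if not key_data or not key_data.group(1).strip():
        return None                       # absent or revoked (empty p=)
    spki, _ = _tlv(base64.b64decode("".join(key_data.group(1).split())))
    _, after_alg = _tlv(spki)             # skip the AlgorithmIdentifier
    bit_string, _ = _tlv(spki, after_alg)
    rsa_key, _ = _tlv(bit_string[1:])     # drop the unused-bits byte
    modulus, _ = _tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample records."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def sample_record(bits):
    """Constructed DKIM record with a placeholder modulus of the given size (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (1024, 2048):
        size = dkim_rsa_bits(sample_record(bits))
        print(bits, size, "weak" if size < 2048 else "ok")
```

DNS often returns long DKIM keys as several quoted strings; join them before calling `dkim_rsa_bits`, which already ignores whitespace inside the `p=` value.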
What Full Protection Looks Like
Only 21.2% of Australian domains have all four elements in place. Here's what a fully protected domain requires:
DMARC at p=reject
Instructs receiving servers to reject unauthenticated emails claiming to be from your domain.
SPF with -all
Lists authorised sending servers and hard-fails everything else. 79.9% of domains have SPF, but many use the weaker ~all.
DKIM with 2048-bit keys
Cryptographically signs outgoing email so forwarded messages still authenticate. The weakest link at just 44.8% adoption.
DMARC Reporting (RUA)
Aggregate reports give visibility into who is sending email as your domain — essential for informed policy decisions.
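The four elements above can be checked mechanically from a domain's TXT records. The following is an added example, not DMARC Busta's scoring logic: the function names and gap messages are hypothetical, the records and `example.com.au` are constructed, and DKIM is checked for presence only (key length is not measured here).

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tag names."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?', '+'), or None."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "-~?" else "+"   # bare 'all' means '+all'
    return None

def gaps(dmarc_txt, spf_txt, dkim_txt):
    """List what a domain is missing from the four elements; [] means fully protected."""
    found = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v", "").upper() != "DMARC1":
        found.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            found.append(f"DMARC p={policy or 'missing'} (not reject)")
        if not dmarc.get("rua"):
            found.append("no rua= reporting address")
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        found.append("no SPF record or no 'all' mechanism")
    elif qualifier != "-":
        found.append(f"SPF ends in {qualifier}all (not -all)")
    if not parse_tags(dkim_txt).get("p"):      # empty p= is a revoked key
        found.append("no usable DKIM key")
    return found

# Constructed records for two hypothetical domains (DKIM key value is a placeholder).
FULL = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",
        "v=spf1 include:_spf.example.com.au -all",
        "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY")
STALLED = ("v=DMARC1; p=none", "v=spf1 mx ~all", None)

if __name__ == "__main__":
    for name, records in (("full", FULL), ("stalled", STALLED)):
        print(name, gaps(*records))
```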
How we conducted this research
In March 2026, we used DMARC Busta's domain scanner to analyse 1,929 Australian domains across 22 sectors. Each domain was scanned for DMARC, SPF, DKIM, MTA-STS, and TLS-RPT records using publicly available DNS data. No intrusion or authentication testing was performed.
Domains were selected to represent a cross-section of Australian organisations: federal, state, and local government; ASX-listed companies; banking and finance; healthcare; education (universities and schools); mining; technology; professional services; and SME businesses.
Get the full report
Executive Summary PDF
Key findings, sector analysis, and recommendations in a printable format.
Anonymised Dataset (CSV)
The complete dataset with per-domain scores, DMARC policies, SPF status, DKIM details, and sector classification.
Download Anonymised Dataset (1,929 domains)
Domain names replaced with anonymous IDs to protect individual organisations. All scan results, scores, and sector classifications are preserved for independent verification.
Want to check your own domain?
Use our free scanner
Is your domain fully protected?
DMARC Busta's Autopilot detects protocol gaps and fixes them automatically — from DMARC progression to DKIM monitoring and SPF management.