ASX 200 Email Security Report
We graded 255 domains belonging to ASX 200-listed companies on email security. Here's how Australia's largest listed companies protect their domains.
Ahead of the pack — but a quarter of the way there
Australia's largest listed companies are meaningfully ahead of the national baseline. 82% of ASX 200 domains have a DMARC record — against 72.5% nationally — and 44.3% enforce at p=reject, the policy that actually rejects spoofed mail.
But the headline number masks the real story. Only 29.4% of ASX 200 domains have the complete authentication stack — DMARC at p=reject, SPF, and DKIM all working together. That is still ahead of the 14.7% national figure, but it means roughly three in four of Australia's biggest listed companies still have an exploitable gap in how their domain is protected.
[Chart: share of domains that have DMARC and that are fully protected]
National baseline figures are from our State of DMARC Adoption in Australia 2026 report.
Not a single ASX 200 company has MTA-STS configured
Of the 255 ASX 200 domains we scanned, not one has MTA-STS configured. The same is true for TLS-RPT: zero domains report on it. These are the two protocols that secure email in transit — and across Australia's largest listed companies, adoption is flatly nonexistent.
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers to refuse to deliver mail to your domain over an unencrypted or downgraded connection. Without it, a network attacker can strip TLS from an email in transit and read or alter it — a downgrade attack that DMARC, SPF, and DKIM do nothing to stop. TLS-RPT is the reporting channel that tells you when those delivery failures happen.
DMARC stops someone impersonating your domain. MTA-STS stops someone intercepting mail sent to it. The ASX 200 has made real progress on the first and has done nothing at all on the second.
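The sender-side behaviour described above, as an added example (not DMARC Busta's code): it parses an MTA-STS TXT record and policy file in the RFC 8461 format and decides what a compliant sending server does when TLS is missing or the MX host is not listed. The `example.com` records, the function names and the action labels are constructed for illustration.

```python
# Added example: MTA-STS (RFC 8461) policy handling as a sending MTA applies it.
# Constructed sample: TXT record at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20260101T000000"
# Constructed sample: body of https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""

def parse_txt(txt):
    """Return the policy id, or None if this is not an STSv1 record."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":   # version must come first
        return None
    return dict(f.split("=", 1) for f in fields[1:] if "=" in f).get("id")

def parse_policy(text):
    """Parse the key: value policy file; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy.get("max_age", ""))  # missing value raises ValueError
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx pattern; '*.' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    return any(host == p or (p.startswith("*.") and label and parent == p[2:])
               for p in policy["mx"])

def sender_action(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS was offered and the certificate validated for mx_host."""
    if policy["mode"] == "none" or (tls_ok and mx_allowed(policy, mx_host)):
        return "deliver"
    # enforce: never fall back to plaintext; testing: deliver but log for TLS-RPT
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

A domain without any policy gets neither branch: the sender has nothing to enforce, so a stripped STARTTLS offer results in plaintext delivery.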
Fewer than half have DKIM
Only 56.1% of ASX 200 domains have DKIM configured — far behind SPF (87.5%) and DMARC (82%). That is the single most actionable gap in this dataset.
It matters because DMARC at p=reject is only as good as the authentication underneath it. DMARC passes when SPF or DKIM aligns. SPF breaks the moment an email is forwarded — the forwarding server isn't in your SPF record. DKIM survives forwarding, because the signature travels with the message. A domain at p=reject without DKIM is telling receivers to reject its own legitimate forwarded mail, and its owners are often one mailing-list post away from finding out the hard way.
25.9% of ASX 200 domains have DMARC but no detectable DKIM record. They have done the visible part of email authentication and skipped the part that makes it hold up in the real world.
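The forwarding failure described above, worked through as an added example (not from the report's scanner): a simplified DMARC evaluation in the spirit of RFC 7489 applied to four constructed deliveries for `example.com`. The class, function names and scenario labels are illustrative, and alignment is approximated by a same-domain or subdomain check rather than a Public Suffix List lookup.

```python
# Added example: simplified DMARC evaluation for one message at the receiver.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    spf_pass: bool              # connecting IP is authorised by the envelope domain's SPF
    spf_domain: str             # envelope (MAIL FROM) domain that SPF evaluated
    dkim_pass: bool             # a DKIM signature verified
    dkim_domain: Optional[str]  # d= domain of that signature, None if unsigned

def aligned(auth_domain, from_domain):
    """Assumption: relaxed alignment approximated as same domain or parent/child.
    A real evaluator compares organisational domains via the Public Suffix List."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(from_domain, policy, auth):
    """DMARC passes if SPF or DKIM both passes and aligns with the From domain."""
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain)
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

def scenarios(policy="reject"):
    """Constructed deliveries of mail whose From header is example.com."""
    d = "example.com"
    cases = {
        # Sent straight from an IP listed in example.com's SPF record.
        "direct, SPF only": AuthResult(True, d, False, None),
        # Relayed by a forwarder whose IP is not in the SPF record.
        "forwarded, SPF only": AuthResult(False, d, False, None),
        # Same relay, but the original DKIM signature still verifies.
        "forwarded, DKIM signed": AuthResult(False, d, True, d),
        # SPF passes for an unrelated envelope domain: passes, but not aligned.
        "spoofed From": AuthResult(True, "unrelated.example", False, None),
    }
    return {name: dmarc_disposition(d, policy, a) for name, a in cases.items()}
```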
How does each sector compare?
ASX 200 domains broken down by sector, ranked by average email security score
| # | Sector | Domains | Has DMARC | p=reject | Has SPF | Has DKIM | Avg Score |
|---|---|---|---|---|---|---|---|
| 1 | Banking & Finance | 34 | 97% | 62% | 97% | 62% | 70 |
| 2 | Technology | 39 | 92% | 54% | 100% | 67% | 67 |
| 3 | Transport & Logistics | 7 | 100% | 71% | 100% | 29% | 66 |
| 4 | Retail & Consumer | 23 | 91% | 43% | 96% | 65% | 65 |
| 5 | Construction | 16 | 88% | 56% | 88% | 63% | 64 |
| 6 | Real Estate | 16 | 81% | 38% | 81% | 63% | 58 |
| 7 | SME Business | 29 | 69% | 34% | 83% | 45% | 53 |
| 8 | Healthcare | 21 | 71% | 29% | 76% | 52% | 53 |
| 9 | Mining & Resources | 53 | 70% | 36% | 75% | 43% | 49 |
| 10 | Media & Entertainment | 8 | 63% | 25% | 75% | 38% | 42 |
Sectors with fewer than 5 ASX 200 domains are omitted from the ranking as the sample is too small to be representative: Professional Services (n=1), Education (n=1), Travel & Hospitality (n=4), Energy & Utilities (n=3). They are still included in the headline figures and the dataset.
Methodology
This report analyses 255 domains belonging to ASX 200-listed companies. Each domain was scanned with DMARC Busta's domain scanner using publicly available DNS data — DMARC, SPF, DKIM, MTA-STS, and TLS-RPT records. No intrusion or authentication testing was performed. All 255 domains completed scanning successfully.
On the 255 figure. The S&P/ASX 200 index is, by name, 200 companies. This dataset contains 255 distinct domains tagged as ASX 200 — each a unique domain, with no duplicates. The ASX 200 is rebalanced quarterly, so a scan window that spans a rebalance picks up constituents that entered or left the index during that period. We have not attempted to pin the dataset to a single point-in-time index snapshot; the accurate description is that these are 255 domains of companies in, or recently in, the S&P/ASX 200. Every figure in this report is computed over those 255 domains.
The sector breakdown uses the same GICS-style Sector classification as our national report, restricted to ASX 200 rows. Some sectors carry a small sample within the ASX 200 — sectors with fewer than 5 domains are shown as a footnote rather than ranked, but remain in the headline figures and the published dataset.
This report is a filtered cut of the dataset behind our State of DMARC Adoption in Australia 2026 report — the same scans, narrowed to ASX 200 constituents. The anonymised dataset for independent verification is available below.
Anonymised Dataset (CSV)
The complete ASX 200 dataset with per-domain scores, DMARC policies, SPF status, DKIM details, and sector classification. Domain names are replaced with anonymous IDs; all scan results are preserved for independent verification.
DMARC Busta's Autopilot detects protocol gaps and fixes them automatically — from DMARC progression to DKIM monitoring, SPF management, and MTA-STS.