10,326 Australian domains analysed. Most fail basic email authentication. [2026 Report]
May 2026 Research Report

The State of DMARC Adoption in Australia

We scanned 10,586 of Australia's most important domains. Here's what we found.

71.4% have DMARC
18% enforce at p=reject
67.9% have DKIM configured
10,586 domains scanned
Updated · May 2026

Dataset expanded from 3,930 to 10,326 domains

We’ve broadened the research base to give a clearer picture of email authentication across Australian organisations of all sizes. The new dataset adds 5,167 ACNC Large charities, 1,000 ACNC Medium charities, 221 local councils spanning every state and territory, and gap-filling universities and TAFEs.

Metric                 March 2026 (3,930 domains)   May 2026 (10,326 domains)   Change
Have DMARC             68.8%                        72.5%                       +3.7pp
At p=reject (strict)   26.6%                        19.0%                       −7.6pp
Have SPF               81.1%                        87.7%                       +6.6pp
Have DKIM              39.2%                        68.0%                       +28.8pp

Reading these deltas: the new cohort is dominated by charities and councils, most of which sit on hosted email platforms like Google Workspace or Microsoft 365. Those platforms provision SPF and DKIM by default, which lifts the headline SPF and DKIM rates sharply. The drop in p=reject adoption tells the harder story — smaller organisations are further behind on enforcement, with a stricter DMARC policy still the minority position even where the underlying records exist.

What the expanded data reveals

With 533 local councils, 4,073 charities, and 367 schools now in the dataset, three findings stand out — not in the headline averages, but in how sectors compare to each other.

Ahead of expectation

Local councils outperform most of the private sector

43% of 533 local councils enforce DMARC at p=reject

That’s ahead of Banking & Finance (40%), Technology (26%), Retail & Consumer (26%), and Mining & Resources (12%). Councils get pushed by ACSC’s Essential Eight guidance and procurement compliance — and most of them follow through.

The new floor

Religious & community charities are the most exposed cohort

9% of 380 religious and community organisations at p=reject

91% remain in monitor mode or have no DMARC record at all. These are typically small organisations without dedicated IT — trusted, donation-dependent, and exactly the brands attackers prefer to impersonate.

Exposed

Schools are a target sector with weak enforcement

12% of 367 schools enforce DMARC at p=reject

Only 54% have any DMARC record at all — the lowest of any cohort over 100 domains. Schools see heavy phishing traffic (fake invoice scams, fee fraud, payroll impersonation) and most are still wide open to it.

The pattern across the new cohorts

Compliance pressure works. Sectors with formal guidance — State Government (61% at p=reject), Federal Government (58%), Local Government (43%) — lead the field, regardless of organisation size. Sectors without it — charities, schools, religious organisations — trail badly even when the underlying SPF and DKIM records exist. The Australian email-authentication gap isn’t technical capability; it’s the policy-level decision to switch enforcement on.

Australia is half-protecting its email domains

Our research reveals a critical disconnect: while 71.4% of Australia's top 10,586 domains have a DMARC record, only 14.2% have the complete authentication stack needed for real protection — DMARC at p=reject, SPF, and DKIM all working together.

Having DMARC without DKIM is like locking the front door but leaving the back open. A DMARC policy passes only if SPF or DKIM produces an aligned result. Forwarding breaks SPF alignment, so a domain without DKIM will see its forwarded mail fail DMARC entirely. Yet 3.5% of the domains we scanned have DMARC configured but no detectable DKIM record.

The gap varies dramatically by sector. State Government leads with an average score of 64/100, while Federal Government trails at just 41/100. Even among top performers, DKIM adoption remains the weakest link — suggesting that many organisations set up DMARC and SPF but never completed the last step.

Why This Matters Now

Australia's email security gap isn't just a technical problem — it's a regulatory and business risk that's growing.

In 2024, Google and Yahoo began enforcing DMARC requirements for bulk email senders, rejecting messages from domains without proper authentication. Microsoft followed with similar enforcement for Outlook.com in 2025. For Australian businesses sending marketing emails, invoices, or transactional messages, failing to implement DMARC now means emails going to spam — or not being delivered at all.

Meanwhile, the Australian Signals Directorate (ASD) recommends DMARC at p=reject as part of its email hardening guidance, and the ACSC's strategies to mitigate cyber security incidents specifically call for hard-fail SPF and DMARC records. The Notifiable Data Breaches (NDB) scheme means that domain spoofing incidents can trigger mandatory breach notifications under the Privacy Act.

Globally, DMARC adoption among top domains reached approximately 47.7% in 2025. Australia sits above this at 71.4% — but that headline number masks the real problem. Only 18% enforce at p=reject, and just 14.2% have the complete authentication stack. Australia has started the journey but hasn't finished it.

Cyber Bodies Recommend DMARC in Australia

ACSC - Australian Cyber Security Centre

“Enable SPF, DKIM, and DMARC to protect against spoofing.”

Victorian State Government

The government is currently rolling out DMARC across all agencies.

ASD - Australian Signals Directorate

“Use a ‘reject’ policy for complete protection.”

Office of the Australian Information Commissioner

Notifiable Data Breaches Scheme

“Spoofing can trigger breach notifications under the Privacy Act.”

How does your industry compare?

23 sectors ranked by average email security score

 #  Sector                    Domains  Has DMARC  p=reject  Has SPF  Has DKIM  Avg Score
 1  State Government               58        86%       59%      86%       57%         64
 2  Not-for-Profit               3073        76%       14%      94%       81%         63
 3  Media & Entertainment         317        78%       18%      91%       75%         62
 4  Education                    1475        77%       16%      92%       78%         61
 5  Healthcare                   1158        75%       17%      89%       72%         60
 6  Local Government              505        76%       41%      78%       65%         60
 7  Professional Services          85        82%       39%      89%       47%         58
 8  Technology                    218        76%       26%      89%       60%         58
 9  Banking & Finance             197        80%       40%      86%       52%         58
10  Religious & Community         380        68%        9%      86%       77%         58
11  Transport & Logistics          72        81%       43%      82%       44%         57
12  Construction                  113        75%       27%      84%       55%         57
13  Retail & Consumer             232        71%       26%      84%       53%         55
14  Energy & Utilities            198        65%       18%      81%       46%         50
15  Peak Body & Association        62        63%       11%      79%       60%         50
16  Travel & Hospitality           40        73%       35%      78%       43%         50
17  ASX Listed                     58        66%       24%      76%       47%         50
18  Mining & Resources            831        60%       12%      85%       47%         49
19  SME Business                  334        65%       23%      75%       46%         48
20  Conveyancing                  260        43%       10%      86%       53%         48
21  Education - Schools           367        54%       12%      74%       58%         47
22  Real Estate                   112        57%       19%      67%       36%         41
23  Federal Government             11        64%       36%      55%       27%         41

Key Findings

28.6% completely unprotected

Nearly a quarter of Australia's key domains have no DMARC record at all — leaving them fully exposed to impersonation and phishing attacks.

Only 14.2% fully protected

Just 1481 of 10,586 domains have the complete stack: DMARC at p=reject with both SPF and DKIM. The rest have gaps that attackers can exploit.

DKIM is the weakest link

Only 67.9% of domains have DKIM configured — far behind SPF (87.6%) and DMARC (71.4%). Without DKIM, forwarded email fails authentication entirely.

44.9% stalled at p=none

3339 domains have DMARC set to "monitor only" — it tells you about failures but doesn't prevent impersonation. These domains started the journey but never completed it.

3091 domains use weak DKIM keys

44% of DKIM keys found are 1024-bit or shorter. Industry best practice has moved to 2048-bit keys, as 1024-bit RSA keys are increasingly within reach of factoring attacks.

MTA-STS adoption: 0%

Not a single domain in our scan had MTA-STS configured. This protocol prevents TLS downgrade attacks on email transport — yet it remains virtually unknown in Australia.

What Full Protection Looks Like

Only 14.2% of Australian domains have all four elements in place. Here's what a fully protected domain requires:

DMARC at p=reject

Instructs receiving servers to reject unauthenticated emails claiming to be from your domain.

SPF with -all

Lists authorised sending servers and hard-fails everything else. 87.6% of domains have SPF, but many use the weaker ~all.

DKIM with 2048-bit keys

Cryptographically signs outgoing email so forwarded messages still authenticate. The weakest link at just 67.9% adoption.

DMARC Reporting (RUA)

Aggregate reports give visibility into who is sending email as your domain — essential for informed policy decisions.
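As an added example (not DMARC Busta's scanner and not code from this report), the following Python check evaluates a domain's published TXT records against the four elements listed above: DMARC at p=reject, SPF ending in -all, a DKIM key of at least 2048 bits (measured by decoding the p= tag's SubjectPublicKeyInfo), and a rua reporting address. The DER helpers, record strings and the dummy DKIM key material are all constructed here; example.com.au and example.net are placeholder names.

```python
import base64

def der(tag, body):  # encode one DER TLV (short or long-form length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):  # -> (tag, body, position just after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def dkim_key_bits(p_value):
    """Modulus length of the RSA key in a DKIM p= tag (base64 SubjectPublicKeyInfo)."""
    _, spki, _ = der_read(base64.b64decode(p_value))   # outer SEQUENCE
    _, _, after_alg = der_read(spki)                    # AlgorithmIdentifier, skipped
    _, bitstr, _ = der_read(spki, after_alg)            # BIT STRING holding RSAPublicKey
    _, rsa, _ = der_read(bitstr[1:])                    # bitstr[0] is the unused-bits byte
    _, modulus, _ = der_read(rsa)                       # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def fake_dkim_record(bits):
    """Constructed DKIM TXT record with a dummy modulus of `bits` bits (not a usable key)."""
    n = (1 << (bits - 1)) | 1                           # top bit set, so bit_length() == bits
    rsa = der(0x30, der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def tags(txt):  # "v=DMARC1; p=reject; rua=mailto:x" -> {"v": "DMARC1", "p": "reject", ...}
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def evaluate(dmarc_txt, spf_txt, dkim_txt):
    """Check one domain's records against the four elements: p=reject, SPF -all, 2048-bit DKIM, rua."""
    dmarc, dkim, spf = tags(dmarc_txt), tags(dkim_txt), spf_txt.split()
    bits = dkim_key_bits(dkim["p"]) if dkim.get("p") else 0
    return {"dmarc_reject": dmarc.get("p") == "reject",
            "spf_hardfail": len(spf) > 1 and spf[0] == "v=spf1" and spf[-1] == "-all",
            "dkim_2048": bits >= 2048, "dkim_bits": bits,
            "rua": dmarc.get("rua", "").startswith("mailto:")}

def fully_protected(result):
    return all(result[k] for k in ("dmarc_reject", "spf_hardfail", "dkim_2048", "rua"))

# Constructed records: a "half-protected" domain (monitor-only DMARC, ~all, 1024-bit DKIM) and a full one.
HALF = evaluate("v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
                "v=spf1 include:_spf.example.net ~all", fake_dkim_record(1024))
FULL = evaluate("v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",
                "v=spf1 include:_spf.example.net -all", fake_dkim_record(2048))
```

In practice the three strings would come from TXT lookups of `_dmarc.<domain>`, `<domain>` and `<selector>._domainkey.<domain>`; the HALF record set reports rua but fails the other three checks, matching the "started but never finished" pattern the report describes.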

How we conducted this research

In March 2026, we used DMARC Busta's domain scanner to analyse 10,586 Australian domains across 23 sectors. Each domain was scanned for DMARC, SPF, DKIM, MTA-STS, and TLS-RPT records using publicly available DNS data. No intrusion or authentication testing was performed.

Domains were selected to represent a cross-section of Australian organisations: federal, state, and local government; ASX-listed companies; banking and finance; healthcare; education (universities and schools); mining; technology; professional services; and SME businesses.

Sector composition

58 State Government
3073 Not-for-Profit
317 Media & Entertainment
1475 Education
1158 Healthcare
505 Local Government
85 Professional Services
218 Technology
197 Banking & Finance
380 Religious & Community
72 Transport & Logistics
113 Construction
232 Retail & Consumer
198 Energy & Utilities
62 Peak Body & Association
40 Travel & Hospitality
58 ASX Listed
831 Mining & Resources
334 SME Business
260 Conveyancing
367 Education - Schools
112 Real Estate
11 Federal Government

Get the full report

Executive Summary PDF

Key findings, sector analysis, and recommendations in a printable format.

Anonymised Dataset (CSV)

The complete dataset with per-domain scores, DMARC policies, SPF status, DKIM details, and sector classification.

Domain names replaced with anonymous IDs to protect individual organisations. All scan results, scores, and sector classifications are preserved for independent verification.

Is your domain fully protected?

DMARC Busta's Autopilot detects protocol gaps and fixes them automatically — from DMARC progression to DKIM monitoring and SPF management.