The State of DMARC Adoption in Australia
We scanned 3,930 of Australia's most important domains. Here's what we found.
Australia is half-protecting its email domains
Our research reveals a critical disconnect: while 68.7% of Australia's top 3,930 domains have a DMARC record, only 14.7% have the complete authentication stack needed for real protection — DMARC at p=reject, SPF, and DKIM all working together.
Having DMARC without DKIM is like locking the front door but leaving the back open. DMARC policies rely on SPF or DKIM alignment to pass — but without DKIM, forwarded emails will fail authentication entirely. Yet 29.5% of the domains we scanned have DMARC configured but no detectable DKIM record.
The gap varies dramatically by sector. State Government leads with an average score of 66/100, while Education - Schools trails at just 40/100. Even among top performers, DKIM adoption remains the weakest link — suggesting that many organisations set up DMARC and SPF but never completed the last step.
Why This Matters Now
Australia's email security gap isn't just a technical problem — it's a regulatory and business risk that's growing.
In 2024, Google and Yahoo began enforcing DMARC requirements for bulk email senders, rejecting messages from domains without proper authentication. Microsoft followed with similar enforcement for Outlook.com in 2025. For Australian businesses sending marketing emails, invoices, or transactional messages, failing to implement DMARC now means emails going to spam — or not being delivered at all.
Meanwhile, the Australian Signals Directorate (ASD) recommends DMARC at p=reject as part of its email hardening guidance, and the ACSC's strategies to mitigate cyber security incidents specifically call for hard-fail SPF and DMARC records. The Notifiable Data Breaches (NDB) scheme means that domain spoofing incidents can trigger mandatory breach notifications under the Privacy Act.
Globally, DMARC adoption among top domains reached approximately 47.7% in 2025. Australia sits above this at 68.7% — but that headline number masks the real problem. Only 26.2% enforce at p=reject, and just 14.7% have the complete authentication stack.
Australia has started the journey but hasn't finished it.
Cyber Bodies Recommend DMARC in Australia
Australian Cyber Security Centre
“Enable SPF, DKIM, and DMARC to protect against spoofing.”
Victorian State Government
The government is currently rolling out DMARC across all agencies.
Australian Signals Directorate
“Use a ‘reject’ policy for complete protection.”
Notifiable Data Breaches Scheme
“Spoofing can trigger breach notifications under the Privacy Act.”
How does your industry compare?
22 sectors ranked by average email security score
| # | Sector | Domains | Has DMARC | p=reject | Has SPF | Has DKIM | Avg Score |
|---|---|---|---|---|---|---|---|
| 1 | State Government | 125 | 89% | 62% | 89% | 49% | 66 |
| 2 | Federal Government | 103 | 90% | 59% | 90% | 39% | 63 |
| 3 | Education | 88 | 90% | 36% | 94% | 50% | 63 |
| 4 | Not-for-Profit | 50 | 78% | 28% | 86% | 62% | 62 |
| 5 | Local Government | 312 | 80% | 45% | 80% | 54% | 60 |
| 6 | Religious & Community | 10 | 80% | 20% | 100% | 50% | 60 |
| 7 | Banking & Finance | 218 | 78% | 38% | 86% | 43% | 58 |
| 8 | Technology | 243 | 73% | 25% | 87% | 50% | 57 |
| 9 | Professional Services | 110 | 76% | 32% | 85% | 37% | 56 |
| 10 | Transport & Logistics | 78 | 78% | 42% | 79% | 38% | 55 |
| 11 | Construction | 126 | 70% | 25% | 83% | 44% | 55 |
| 12 | Media & Entertainment | 82 | 72% | 30% | 87% | 45% | 55 |
| 13 | Retail & Consumer | 247 | 69% | 25% | 83% | 40% | 54 |
| 14 | Energy & Utilities | 203 | 64% | 19% | 80% | 38% | 50 |
| 15 | Peak Body & Association | 62 | 63% | 11% | 79% | 52% | 50 |
| 16 | ASX Listed | 58 | 66% | 24% | 76% | 34% | 50 |
| 17 | Mining & Resources | 835 | 60% | 12% | 85% | 31% | 49 |
| 18 | SME Business | 380 | 63% | 23% | 76% | 35% | 48 |
| 19 | Travel & Hospitality | 72 | 63% | 29% | 75% | 31% | 48 |
| 20 | Healthcare | 295 | 64% | 21% | 73% | 32% | 46 |
| 21 | Real Estate | 117 | 56% | 20% | 66% | 27% | 40 |
| 22 | Education - Schools | 116 | 53% | 17% | 56% | 41% | 40 |
Key Findings
31.3% completely unprotected
Nearly a third of Australia's key domains have no DMARC record at all, leaving them fully exposed to impersonation and phishing attacks.
Only 14.7% fully protected
Just 576 of 3,930 domains have the complete stack: DMARC at p=reject with both SPF and DKIM. The rest have gaps that attackers can exploit.
DKIM is the weakest link
Only 39.2% of domains have DKIM configured — far behind SPF (81.1%) and DMARC (68.7%). Without DKIM, forwarded email fails authentication entirely.
36.7% stalled at p=none
991 domains have DMARC set to "monitor only" — it tells you about failures but doesn't prevent impersonation. These domains started the journey but never completed it.
934 domains use weak DKIM keys
48% of DKIM keys found are 1024-bit or shorter. Industry best practice has moved to 2048-bit keys, as 1024-bit keys are increasingly vulnerable to brute-force attacks.
MTA-STS adoption: 0%
Not a single domain in our scan had MTA-STS configured. This protocol prevents TLS downgrade attacks on email transport — yet it remains virtually unknown in Australia.
What Full Protection Looks Like
Only 14.7% of Australian domains have all four elements in place. Here's what a fully protected domain requires:
DMARC at p=reject
Instructs receiving servers to reject unauthenticated emails claiming to be from your domain.
SPF with -all
Lists authorised sending servers and hard-fails everything else. 81.1% of domains have SPF, but many use the weaker ~all.
DKIM with 2048-bit keys
Cryptographically signs outgoing email so forwarded messages still authenticate. The weakest link at just 39.2% adoption.
DMARC Reporting (RUA)
Aggregate reports give visibility into who is sending email as your domain — essential for informed policy decisions.
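As an added example (not DMARC Busta's scanner code), the check below audits already-fetched TXT record strings against the four elements above, including reading the RSA modulus size out of the DKIM p= tag. The function names, the example.com.au records and the synthetic 1024-bit key are constructed for illustration, and DNS lookup is left out so that it runs offline.

```python
import base64

def tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC or DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in (record or "").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def _tlv(buf, i):
    """Read the DER header at offset i; return (value_start, value_end)."""
    ln, i = buf[i + 1], i + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return i, i + ln

def rsa_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(p_b64)
    s, _ = _tlv(der, 0)      # outer SEQUENCE
    _, e = _tlv(der, s)      # AlgorithmIdentifier, skipped
    s, _ = _tlv(der, e)      # BIT STRING
    s, _ = _tlv(der, s + 1)  # RSAPublicKey SEQUENCE, after the unused-bits byte
    s, e = _tlv(der, s)      # INTEGER modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def audit(dmarc, spf, dkim):
    """List the gaps against the four elements described above."""
    gaps, d, k = [], tags(dmarc), tags(dkim)
    if d.get("v", "").upper() != "DMARC1":
        gaps.append("no DMARC record")
    else:
        if d.get("p", "").lower() != "reject":
            gaps.append("DMARC policy is p=" + d.get("p", "(missing)"))
        if not d.get("rua"):
            gaps.append("no rua reporting address")
    if "-all" not in (spf or "").lower().split():
        gaps.append("SPF missing or not hard-fail (-all)")
    if not k.get("p"):
        gaps.append("no usable DKIM key")
    elif k.get("k", "rsa").lower() == "rsa" and rsa_bits(k["p"]) < 2048:
        gaps.append(f"DKIM RSA key is {rsa_bits(k['p'])} bits")
    return gaps

# Constructed samples; the DKIM value is a well-formed 1024-bit SPKI, not a real key.
_SPKI = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
_SPKI += b"\x80" + bytes(126) + b"\x01" + bytes.fromhex("0203010001")
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
SPF = "v=spf1 include:_spf.example.com.au ~all"
DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(_SPKI).decode()
```

Calling `audit(DMARC, SPF, DKIM)` on the sample records reports three gaps: the monitor-only policy, the soft-fail SPF and the 1024-bit key.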
How we conducted this research
In March 2026, we used DMARC Busta's domain scanner to analyse 3,930 Australian domains across 22 sectors. Each domain was scanned for DMARC, SPF, DKIM, MTA-STS, and TLS-RPT records using publicly available DNS data. No intrusion or authentication testing was performed.
Domains were selected to represent a cross-section of Australian organisations: federal, state, and local government; ASX-listed companies; banking and finance; healthcare; education (universities and schools); mining; technology; professional services; and SME businesses.
Get the full report
Executive Summary PDF
Key findings, sector analysis, and recommendations in a printable format.
Raw Data (CSV)
The complete dataset with per-domain scores, DMARC policies, SPF status, DKIM details, and sector classification.