New Study: Only 42% of Mass. Orgs Fully Enforce DMARC

Red Sift's April 2026 study exposes a major DMARC enforcement gap in Massachusetts. See what this means for your email security and deliverability.


More than half of Massachusetts's largest organizations remain exposed to phishing and domain spoofing — because they haven't fully enforced the email authentication standard that would stop it. A new cybersecurity analysis puts a precise number on that exposure, and the findings should alarm every business owner, marketer, and security team that sends email under a corporate domain.

The Findings: A Majority Still Exposed

A review of the 100 largest Massachusetts corporations, nonprofits, and public agencies shows only 42% have fully enforced the email authentication standard known as DMARC, per the cybersecurity firm Red Sift.

According to Axios Boston, the breakdown across the Massachusetts sample is stark:

  • 26% have some enforcement in place, such as quarantining questionable emails.
  • 28% aren't enforcing DMARC at all — they're only passively monitoring and reporting fake emails.
  • 4% have no email security protocol in place whatsoever.

The pattern holds beyond Massachusetts. Red Sift analyzed 700 domains across seven states and found that 43% hadn't enforced or didn't have DMARC protocols, while only 35% reported full enforcement.

That gap is especially significant in Massachusetts, which sits at the center of U.S. healthcare, biotechnology, higher education, financial services, and defense — industries where trust-based, high-stakes communication relies heavily on email.

"If you send email, you're a target," says Brian Westnedge, Vice President of Alliance and Partnerships at Red Sift.

Why "Some" Enforcement Isn't Enough

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS policy that tells receiving mail servers what to do with messages that fail authentication checks. It can reject or quarantine spoofed emails, ensuring that the messages reaching an inbox actually come from the organization they claim to represent.

The problem is that publishing a DMARC record is not the same as enforcing one. Many businesses publish DMARC records with a policy of p=none — this provides visibility but doesn't stop spoofed emails from reaching inboxes.

Many organizations settle on a compromise by leaving DMARC in quarantine mode, in which unauthenticated messages are not rejected but instead sent to spam folders. However, experts warn that this is not a true safeguard — users can, and often do, retrieve messages from junk folders, especially if they appear to come from trusted contacts. That creates a persistent risk of successful phishing or fraud.
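To make the none/quarantine/reject distinction concrete, here is an added example (not from the article or from Red Sift) that parses a DMARC TXT record and places it in the study's buckets; the domains and records are constructed, and the subdomain (sp=) and sampling (pct=) checks go beyond the three levels the text names.

```python
# Classify a DMARC record into the buckets the study reports (added example,
# not Red Sift's tooling). Sample records below are constructed, not real
# domains or policies; in practice the text is the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "full.example":    "v=DMARC1; p=reject; rua=mailto:dmarc@full.example",
    "quar.example":    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@quar.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "weaksub.example": "v=DMARC1; p=reject; sp=none",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "none.example":    None,
}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; None if absent, malformed or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in STRENGTH:
        return None  # receivers treat an invalid record as if none were published
    return tags

def classify(record):
    """Return (bucket, notes): bucket is one of the study's four categories."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC record", []
    notes = [] if "rua" in tags else ["no rua: aggregate reports not collected"]
    p = tags["p"]
    if p == "none":
        return "monitoring only", notes
    pct = int(tags.get("pct", "100"))
    if pct < 100:  # unsampled failures get the next weaker policy (RFC 7489 6.6.4)
        notes.append(f"pct={pct}: only part of failing mail gets p={p}")
    sp = tags.get("sp", p)  # subdomain policy defaults to p
    weak_sub = STRENGTH.get(sp, 0) < STRENGTH[p]
    if weak_sub:
        notes.append(f"sp={sp}: subdomains get a weaker policy than the org domain")
    if p == "reject" and pct == 100 and not weak_sub:
        return "full enforcement", notes
    return "some enforcement", notes

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        bucket, notes = classify(rec)
        print(f"{domain:16} {bucket:18} {'; '.join(notes)}")
```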


The Broader Authentication Crisis

The Massachusetts study isn't an anomaly — it reflects a systemic global problem. Q2 2025 analysis indicates that only about 18% of the world's 10 million most-visited domains publish a valid DMARC record, and just around 4% fully enforce a reject policy.

A clear maturity gap has emerged: large enterprises are moving further toward enforcement, while many high-growth companies remain stuck in monitoring-only mode. Even among Fortune 500 companies, where adoption reached 475 out of 500, only slightly more than 80% had reached enforcement-level policies, meaning that even at the top tier roughly one in five had not crossed the enforcement threshold.

The financial stakes are severe. Gartner reports business email compromise (BEC) payments crossed the $6 billion threshold in 2024, and the inbox remains "the most prevalent attack surface" because employees must interact with outsiders over old, insecure protocols. Meanwhile, the average cost of a phishing-related breach reached $4.88 million in 2025.

According to Cloudflare's 2026 threat report, 46% of all emails fail DMARC validation, highlighting just how much unauthenticated traffic still flows through global systems.

Mailbox Providers Are Forcing the Issue

Enforcing DMARC is no longer optional: the pressure now comes directly from the platforms that deliver email. Google and Yahoo (February 2024), Microsoft (May 2025), and La Poste (September 2025) now require SPF, DKIM, and DMARC authentication for bulk email senders.

In October 2025, Google retired the legacy Postmaster Tools dashboard and launched Postmaster Tools v2, shifting focus from "Reputation" to "Compliance Status," evaluating senders using a binary model — a fundamental change in how Google communicates sender health. The binary model means partial compliance delivers the same result as no compliance: failure.

Nearly half of Boston's largest employers have not implemented full email security enforcement, leaving many local institutions exposed to phishing and brand impersonation attacks. Boston now trails sister cities like New York City and Washington, D.C. on adoption, even as email threats become easier to scale using AI.

What This Means

For business owners, marketers, and growth teams, the Red Sift findings are a direct deliverability and brand-safety warning.

Marketing teams have long optimized for open rates, click-through rates, and conversion metrics. Under Google's enforcement model, none of those metrics matter if your email never reaches the inbox.

The business impact of weak authentication is broad: reduced inbox placement, eroded sender reputation, blocked emails at major receiving servers, and direct financial loss from credential theft and invoice scams.

While the Massachusetts sample covers only a fraction of the state's companies, Red Sift notes the survey offers a glimpse of the email security posture businesses actually have in place — and if the state's largest organizations haven't fully adopted stronger protections, chances are small businesses with fewer IT resources haven't either.

The path forward is well-established: move from p=none to p=quarantine to p=reject, ensure every third-party sending platform is authenticated, and monitor DMARC aggregate reports continuously. Companies must adopt authenticated, automated, and identity-first email security to protect their domains, maintain deliverability, and preserve customer trust.
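As an added illustration of the monitoring step (not part of the article or of Red Sift's product), the following script reads a constructed DMARC aggregate report and lists the sending sources whose mail fails alignment, which is the list to work through before moving to p=reject.

```python
# Summarize a DMARC aggregate (rua) report to find senders that fail alignment
# (added example, not Red Sift's tooling). SAMPLE_REPORT is a constructed report
# in the RFC 7489 Appendix C layout; real ones arrive zipped by email.
import xml.etree.ElementTree as ET  # use defusedxml for reports from untrusted senders

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
 <policy_published><domain>corp.example</domain><p>quarantine</p><pct>100</pct></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>corp.example</header_from></identifiers>
  <auth_results><dkim><domain>corp.example</domain><result>pass</result></dkim>
   <spf><domain>corp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>corp.example</header_from></identifiers>
  <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def summarize(xml_text):
    """Return (published policy, per-source rows) from one aggregate report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p")}
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        # policy_evaluated carries the aligned DKIM/SPF verdicts DMARC actually uses
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        # SPF passing for another domain usually means a third-party platform
        # sends as us without alignment: the mail to fix before moving to p=reject
        spf_dom = rec.findtext("auth_results/spf/domain")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            "aligned": aligned,
            "unaligned_spf_domain": None if aligned or spf_dom == policy["domain"] else spf_dom,
        })
    return policy, rows

def failing_sources(xml_text):
    """Unaligned sources, largest volume first: the list to work through."""
    _, rows = summarize(xml_text)
    return sorted((r for r in rows if not r["aligned"]), key=lambda r: -r["count"])

if __name__ == "__main__":
    for r in failing_sources(SAMPLE_REPORT):
        print(f"{r['source_ip']:15} {r['count']:5} msgs {r['disposition']:10} "
              f"unaligned SPF domain: {r['unaligned_spf_domain']}")
```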

The enforcement gap is measurable. The consequences are real. The fix is available — but only for organizations that act now.
