SINGAPORE, 21 February 2025 — Despite rising threats and high-profile security mandates, only 12% of leading companies in the Asia Pacific region have implemented the strongest level of email authentication, according to new research by cybersecurity and compliance firm Proofpoint.
The analysis, which studied Domain-based Message Authentication, Reporting and Conformance (DMARC) records of Forbes Global 2000-listed firms across APAC, reveals a concerning gap in email fraud protection. As phishing attempts surged by nearly 60% in 2024, the findings highlight the pressing need for stricter authentication protocols to prevent spoofing and impersonation.
DMARC is a globally recognised protocol designed to protect email domains by authenticating senders before messages reach inboxes. It operates at three protection levels—monitor, quarantine, and reject—with “reject” offering the highest assurance against spoofed emails.
DMARC implementation across the region remains patchy. While Australia sets the pace with full adoption and 71% of its companies enforcing the strongest policy, other major markets lag significantly:
Singapore: 46.2% of organisations use a reject policy, but nearly a quarter have no DMARC record at all.
India: Half of top firms have adopted the reject setting, while 11.8% lack any DMARC record.
Japan: Only 7.4% have set policies to reject spoofed emails.
South Korea: None of the evaluated companies have implemented the reject level, and more than half have no DMARC in place.
Thailand: 17.6% of organisations use the reject policy.
China: Just 4.2% enforce the strictest level, with 71.8% offering no protection.
The data suggests that many companies across Asia Pacific are exposed to risks such as phishing, business email compromise (BEC), and brand impersonation.
Industry momentum is building to change this. In October 2023, Google, Yahoo, and Apple announced mandatory authentication for bulk email senders to reduce spam and fraud. Meanwhile, regulatory requirements are tightening. By March 2025, PCI DSS v4.0.1 will mandate DMARC implementation for companies handling payment card data.
Proofpoint recommends a three-pronged strategy for organisations seeking to bolster email security:
Enforce DMARC at the Reject Level – Protect domains from being misused for impersonation.
Conduct Employee Training – Help teams recognise phishing and impersonation attempts.
Adopt Strong Password Practices – Require secure, unique credentials and regular updates.
The study, based on December 2024 data, underscores the importance of proactive cybersecurity measures amid escalating digital threats.
To explore Proofpoint’s DMARC resources, visit: https://www.proofpoint.com/au/threat-reference/dmarc
