Valimail Report Reveals 3 Billion Spoofed Emails are Sent Every Day

Data finds only 14% of domains worldwide truly protected from spoofing with DMARC enforcement, an increase from 2020

SAN FRANCISCO — March 22, 2021 — Valimail, the global leader in zero-trust, identity-based anti-phishing solutions, today released its latest report, “Email Fraud Landscape: Spring 2021,” finding that while the DMARC enforcement rate increases, 3 billion messages per day are still spoofing the sender’s identity. Email continues to be an effective way to communicate and use has increased during a year of global pandemic, and hackers continue to use email as a primary attack vector, stressing that email security is not going away. 

Now in its fifth year, this report analyzes trends in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.” Valimail examined consolidated data from millions of DMARC reports collected on behalf of customers during 2020. The data represents hundreds of billions of email messages originating from tens of thousands of domains, sent to recipients using a variety of mailbox providers worldwide. 

Email remains a leading source for cybercrime, implicated in over 90% of all cyberattacks with the pandemic providing a new vantage point for these attacks. Since the beginning of COVID-19, email security providers (ESPs) reported a surge in pandemic-themed phishing attacks taking advantage of people adjusting to working from home, in environments where they’re easily distracted, with less-secure computer hardware and networks. Meanwhile, phishers readily deploy attacks, with the average phishing campaign lasting only 12 minutes, according to Google, which reports blocking 100 million phishing emails per day.

“Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder, Valimail. “DMARC is not going away and the best thing a company can do is understand the potential exposure without it. By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issues, confidential information is obtained and reputations sink. This wave is only a starting point. Companies must step up as the risk of going without enforcement will only get worse.”

Key takeaways from Valimail’s research includes: 

  • Three billion messages per day are spoofing the sender identity used in their “From” fields
  • Domains without DMARC enforcement are 4.75x more likely to be the target of spoofing versus domains with DMARC enforcement
  • 80% of all email inbox providers do DMARC checks on inbound email
  • More than 1.28 million domain owners worldwide have configured DMARC for their domains, but only 14% of those are protected from spoofing by an enforcement policy
  • Among large organizations, 43.4% of domains have a DMARC policy at enforcement
    • Two percentage points higher than it stood in early 2020 and 3.5 percentage points higher than in early 2019
  • The U.S. federal government leads with DMARC usage, with 74% of domains protected
  • Global media companies and U.S. healthcare companies have the lowest rates of DMARC deployment and protection 

The research was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals. To download the full report, please visit To learn more about Valimail and its DMARC solutions, please visit