Email remains the most exploited attack vector for cybercriminals and disinformation campaigns, even as organizations race to implement defenses, a new report from Valimail has revealed.
The 2025 Disinformation and Malicious Email Report highlights that artificial intelligence has supercharged phishing attacks, while gaps in domain protection have left organizations across a range of industries dangerously exposed.
“In 2024, we witnessed some of the most sophisticated email-based attacks in history,” said Al Iverson, Industry Research and Community Engagement Lead at Valimail. “Cybercriminals are exploiting weaknesses in email systems with increasing precision, eroding trust in digital communications.”
AI Drives Attacks
The report identifies a significant uptick in the success rate of phishing and spoofing attacks, primarily driven by AI-generated emails that lack the typical signs of forged communications, such as poor grammar, spelling, or inconsistent formatting. What’s more, AI allows cybercriminals to craft these communications at an unprecedented speed and scale.
These increasingly convincing campaigns make it harder for even seasoned professionals to spot fraud, drastically raising the stakes for organizations lacking robust email security.
DMARC Adoption Grows, But Enforcement Lags
According to the Valimail report, 7.2 million domains now have a published DMARC report. However, nearly half of these domains lack adequate protection, with many using a p=none policy that monitors but fails to block unauthorized messages.
“What’s particularly concerning,” said Alexander García-Tobar, co-founder and CEO of Valimail, “is that many organizations have implemented DMARC but stopped short of enforcement, creating a false sense of security while leaving them open to impersonation attacks that can damage reputation and customer trust.”
DMARC Protection by Industry
A breakdown of industry-specific adoption rates reveals stark gaps in readiness:
- Online Retail: Leads with 94% DMARC adoption.
- Financial Services: 80% adoption, but a third of domains lack strong enforcement.
- Healthcare and Higher Education: Particularly vulnerable, with high percentages of domains left unprotected.
According to the report, the key takeaway is that, while many sectors boast high adoption rates, this often masks concerningly weak protection rates – essentially, many domains are monitoring but not blocking malicious email.
Compliance Pressure Mounts
Valimail also highlights the growing regulatory pressure organizations face. Mandatory DMARC policies from major email providers, including Google, Yahoo, and Microsoft, mean that non-compliant organizations risk having their emails filtered, blocked, or relegated to spam folders.
Moreover, regulatory bodies operating in sectors handling sensitive data, such as finance, healthcare, and government services, are increasingly mandating DMARC implementation as part of wider security efforts. For example, standards from NIST and the Department of Homeland Security (DHS) now explicitly recommend or require DMARC for organizations working with critical infrastructure or public-facing services.
Recommendations
Valimail argues that, when implemented with proper enforcement, DMARC can prevent approximately 90% of spoofing attacks. According to the report, it is a foundational, scalable, and future-proof solution for security outbound and inbound email communications in an era of AI-driven cybercrime.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.