GMO Brand Security Research: State of Email Security Among Leading Brands

GMO Brand Security Inc. (President and COO: Mitsuaki Nakagawa; hereinafter “GMO Brand Security”), a member of the GMO Internet Group, has conducted a survey on the implementation status of SPF (*1) and DMARC (*2)—key technologies for preventing email spoofing. The survey analyzed a total of 7,600 domains owned by the Global Top 50 and Japan’s Top 50 brands selected in Interbrand’s "Best Global Brands 2025" and "Best Japan Brands 2025."

The survey revealed a significant gap in email security: while 23.1% of domains owned by Global Top 50 brands have both SPF and DMARC "appropriately" configured, this figure drops to a mere 4.8% for domains owned by Japan’s Top 50 brands—representing a nearly 4.8-fold disparity. Domains not classified as "appropriate" are in a vulnerable state due to missing or incorrect SPF/DMARC settings. These domains are considered "high-risk," as they allow malicious actors to easily send spoofed emails using the brand’s name.

(*1) SPF (Sender Policy Framework) A technology that publishes the IP addresses of authorized sending servers in advance to verify if an email was sent from a legitimate source. While relatively easy to implement, it has a weakness where authentication is prone to failure if the email is forwarded.

(*2) DMARC (Domain-based Message Authentication, Reporting, and Conformance) A mechanism that allows senders to provide instructions (policies) on how to handle emails that fail SPF or DKIM authentication. There are three policy levels: none (monitoring only), quarantine (moving to spam), and reject (blocking the email). DMARC is the cornerstone of preventing brand impersonation.

For more details, please visit (Japanese only): https://brandsecurity.gmo/news/post/post-20260406/