Defaults.Exposed › Reports
Can Someone Send Email Pretending to Be Your Business? For Most Domains, Yes (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. “Can be impersonated” means the domain does not enforce DMARC (no policy of quarantine or reject), the control that tells receiving mail servers to stop forged mail. See how we grade.
For most businesses, yes — someone can send email that looks exactly like it came from your domain. Only 10.59% of the 261 million domains we graded enforce DMARC, the single control that actually blocks impersonation. The other 89.41% leave the door open: a scammer can put your exact address in the “From” line and most inboxes will show it as genuine. This is the mechanism behind fake invoices, CEO-fraud payment requests, and supplier scams — and it costs nothing to attempt.
Can someone really send email as my domain?
If your domain doesn’t enforce DMARC, then yes. Email was designed without a built-in way to verify the sender, so the “From” address is trivial to forge. Three settings, layered, fix it — SPF, DKIM, and DMARC — but only the last one, set to enforce, tells the receiving server to actually reject or quarantine a forgery. As of 2026-06-29:
- 75.11% of domains have no DMARC record at all.
- 14.29% have a DMARC record set to monitor-only (
p=none) — it looks like protection in an audit, but it tells receivers to do nothing, so spoofed mail still lands. - Only 10.59% enforce a policy of
quarantineorreject— the configuration that stops impersonation.
So 89.41% of domains — more than eight in ten — can be impersonated in email today.
”But we have SPF” — why that isn’t enough
This is the most common and most dangerous misconception. 53.21% of domains publish an SPF record, far more than the 10.59% that enforce DMARC. Owners see SPF and assume they’re covered. They aren’t: SPF (and DKIM) check the technical sending path, but they do not govern the “From” address a human actually sees. Without DMARC set to enforce, an attacker can still pass SPF on their own infrastructure and forge your visible address. SPF is necessary plumbing; DMARC enforcement is the lock.
How exposed is your corner of the web?
Enforcement varies widely by domain ending. Higher is better — it’s the share of domains that actually block impersonation. As of 2026-06-29:
| Domain ending | DMARC-enforcing | Can be impersonated |
|---|---|---|
| .nl (Netherlands) | 29.43% | 29.43% protected, rest exposed |
| .de (Germany) | 21.38% | — |
| .in (India) | 19.26% | — |
| .uk (United Kingdom) | 13.42% | — |
| .com | 9.50% | the most-used ending sits below the 10.59% global average |
| .net | 10.08% | — |
| .org | 10.01% | — |
| .xyz | 5.15% | — |
| .top | 3.17% | — |
| .cn (China) | 1.45% | the lowest of the major endings |
Even the best-performing large ending protects under a third of its domains. On .com — where most businesses live — only 9.50% enforce DMARC.
What this actually costs a business
Email impersonation is the mechanism behind some of the costliest online crime reported to law enforcement worldwide — business email compromise. The pattern is always the same:
- A customer gets an “invoice” from your address with the scammer’s bank details, pays it, and discovers the fraud weeks later — often treating it as your failure.
- A staff member gets an urgent “from the boss” request to move money or buy gift cards. The address is genuinely yours, so they comply.
- A supplier is told “our bank details have changed” in an email that passes every visual check.
None of this requires hacking your systems. It only requires that your domain doesn’t enforce DMARC — which, for 89.41% of domains, it doesn’t.
How to tell if you’re protected (and fix it)
You can’t tell from the outside whether you’re in the 10.59% — the only way to know is to check your domain. The fix is free and usually takes an afternoon, done in order: publish SPF and DKIM, then move DMARC to enforcement (p=none → quarantine → reject). The last step is the one that actually closes the door.
Frequently asked questions
Can someone send an email pretending to be my company? If your domain does not enforce DMARC (a policy of quarantine or reject), yes — your exact “From” address can be forged and most inboxes will show it as genuine. As of 2026-06-29, 89.41% of graded domains are in this state.
We already have SPF — aren’t we safe?
No. SPF checks the technical sending path but not the visible “From” address. 53.21% of domains publish SPF, but without DMARC set to enforce, your address can still be forged. You need DMARC at quarantine or reject.
Isn’t a DMARC record enough?
Only if it enforces. A record set to p=none (monitor-only) — which 14.29% of domains use — does nothing to stop spoofing. Only quarantine or reject does, and just 10.59% of domains get there.
How do I check my own domain? Run a free, private check (below). We only ever show a domain’s result to its verified owner.
Is fixing this expensive? No. SPF, DKIM and DMARC are free DNS settings. The cost is the time to set them in the right order, not money.
Check whether your domain can be impersonated
Don’t guess which side of the 10.59% you’re on. Check your domain privately and free — you’ll see your DMARC, SPF and DKIM status and exactly what to fix.
Check your domain → · Fix DMARC → · Fix SPF → · How we grade → · Aggregate data only. Data stored and processed in the EU.