Email spoofing attacks are still a major threat for FTSE 100 companies – despite a simple fix being widely available

Almost a third of FTSE 100 organizations are still vulnerable to email spoofing attacks, according to research by Hornetsecurity.
The findings come in spite of the widespread availability of Domain-based Message Authentication, Reporting and Conformance (DMARC) tools, which perform last-mile checks on emails to ensure they come from legitimate domains and aren’t malicious in nature.
Speaking at Infosecurity Europe 2025, Romain Basset, director of customer services at Hornetsecurity, said the lack of focus on DMARC highlights a lack of understanding at many organizations.
“DMARC will ensure recipients have a policy when either SPF or DKIM has failed, what to do when authentication has failed, ‘what do I do with that email?’” Basset explained.
Hornetsecurity analyzed the DNS records of the FTSE 100 and found that more than 30% lack properly configured DMARC solutions, to the extent that emails which return a failed authentication check can still make their way through to users’ inboxes.
A select few companies, Basset added, had no DMARC at all. This allows attackers to successfully carry out all manner of email-based cyber attacks on employees at the firms they’re faking, as well as to attack customers using the legitimacy of the faked company as a front for carrying out attacks.
How to properly use DMARC
When it comes to using DMARC properly, Basset said security teams can struggle with configuring it correctly, which requires back-to-front understanding of one’s domain and all its authorized senders.
“Imagine you have an HR solution sending out emails, you have a marketing platform sending out emails to prospects, you have Salesforce maybe for your sales reps and your partners if you’re a business, your invoicing tool – all of these platforms are going to send emails with your domain,” Basset explained.
“Now imagine you also have a subsidiary in Europe, using different tools, different domains, you’re starting to see the complexity of identifying all the standards for legitimate senders allowed to use your domains as well as maintaining that all the time.”
Basset added that DMARC reports can be incredibly dense and hard to aggregate for data-driven decision making. He suggested that when it comes to adopting DMARC, leaders consider its business value as well as its importance to security, such as ensuring that expensive lead generation campaigns don’t get sent to customers’ spam folders.
DMARC complements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which help establish who within an organization can send an email and whether the sender is who they claim to be, respectively.
DKIM can also be used to determine whether emails have been altered for malicious purposes but neither is a foolproof method for determining the legitimacy of an email – and this is where DMARC comes in.
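The DNS audit and the SPF/DKIM/DMARC interplay described above can be shown with a small receiver-side evaluator. The following is an added example, not Hornetsecurity's tool or any code from the article: it parses `_dmarc.<domain>` TXT records, classifies each domain the way the survey did (no record, monitor-only `p=none`, or enforcing), and then decides what a receiver does with a message given its SPF and DKIM results and the identifier-alignment rules of RFC 7489. The domains, DNS answers and messages are constructed; the organizational-domain helper is a deliberate simplification (a real receiver consults the Public Suffix List).

```python
"""Parse DMARC records and evaluate messages the way a receiving MTA would.

Added example. All domains, DNS answers and authentication results below are
constructed for illustration; none belong to a real FTSE 100 company.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: answers to TXT lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reject.test",
    "_dmarc.example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "_dmarc.example-strict.test": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    # example-nodmarc.test publishes no record at all
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a DMARC record (e.g. an SPF record published by mistake)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless told otherwise
    return tags


def lookup_dmarc(from_domain: str, dns=FAKE_DNS) -> Optional[dict]:
    """Fetch and parse the DMARC record for the RFC5322.From domain."""
    txt = dns.get("_dmarc." + from_domain.lower())
    return parse_dmarc(txt) if txt else None


def audit(domains, dns=FAKE_DNS) -> dict:
    """Classify domains as the survey did: no record, monitor-only, or enforcing."""
    result = {}
    for d in domains:
        policy = lookup_dmarc(d, dns)
        if policy is None:
            result[d] = "no DMARC record"
        elif policy["p"] == "none":
            result[d] = "monitor only (p=none): failing mail still delivered"
        else:
            result[d] = "enforcing (p=%s)" % policy["p"]
    return result


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') = exact match, relaxed ('r') = same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str                # domain in the visible From: header
    spf_pass: bool                  # SPF verdict on the envelope sender (MAIL FROM)
    spf_domain: Optional[str]       # envelope sender domain that SPF was checked against
    dkim_pass: bool                 # a DKIM signature verified
    dkim_domain: Optional[str]      # d= tag of that verified signature


def dmarc_disposition(msg: AuthResult, dns=FAKE_DNS):
    """Return (dmarc_pass, action): what the receiver does with this message."""
    policy = lookup_dmarc(msg.from_domain, dns)
    if policy is None:
        return (False, "deliver")  # no DMARC: a spoofed From: is treated like any other mail
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return (True, "deliver")  # DMARC passes if either aligned check passes
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return (False, action.get(policy["p"], "deliver"))


if __name__ == "__main__":
    for domain, verdict in audit(["example-reject.test", "example-monitor.test",
                                  "example-nodmarc.test"]).items():
        print(domain, "->", verdict)
    # A spoof: attacker's own server passes SPF for attacker.test, From: claims the victim.
    spoof = AuthResult("example-monitor.test", True, "attacker.test", False, None)
    print("spoof against p=none domain:", dmarc_disposition(spoof))
```

The `p=none` case is the one the survey flags: the spoofed message fails DMARC, yet the published policy asks the receiver to deliver it anyway, so the only benefit is the aggregate report sent to the `rua` address.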
Hornetsecurity is one of a number of cybersecurity companies to offer its own integrated DMARC solution to cut down on some of the manual processes involved in establishing email controls and analyzing email traffic data.
DMARC isn’t a silver bullet for all email attacks
Despite the important role DMARC plays in any organization’s security toolkit, Basset stressed that it cannot protect against hackers compromising email accounts altogether.
“A compromised account is a different story,” Basset told ITPro.
“I don’t think this tracing is a silver bullet against compromised accounts because everything checks out at the email authentication level, right? It’s going to be from your email address to my email address,” he added.
“Whereas when I’m spoofing, then it’s going to be from someone pretending to be you but it’s not going to be your actual email address – and that’s where DMARC email authentication will work.”
Basset noted that in the case of account compromise, security teams will need to fall back on cybersecurity awareness training and business processes that prevent attacks from succeeding, such as requiring payment requests to be confirmed via phone call.
He also told ITPro that security teams can use approaches such as “impossible travel checks”, which flag situations in which employees seemingly connect from two different locations in the world in a very short period of time.
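The impossible-travel check can be expressed as a short detection rule over sign-in events. This is an added example, not code from ITPro or Hornetsecurity: it groups authentication events by user, computes the great-circle distance between consecutive sign-ins, and flags any pair whose implied speed exceeds a plausible limit. The events, coordinates and the 900 km/h threshold are constructed assumptions; a production rule would also handle VPN egress points and geolocation error.

```python
"""Impossible-travel detection over sign-in events.

Added example. The events and coordinates below are constructed; the speed
threshold is an assumption to be tuned per environment.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed (assumed threshold)

# Constructed sign-in events: (user, UTC timestamp, city label, latitude, longitude)
EVENTS = [
    ("alice", "2025-06-03T09:00:00", "London", 51.5074, -0.1278),
    ("alice", "2025-06-03T09:20:00", "Singapore", 1.3521, 103.8198),
    ("bob", "2025-06-03T08:00:00", "Manchester", 53.4808, -2.2426),
    ("bob", "2025-06-03T18:30:00", "New York", 40.7128, -74.0060),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts for consecutive sign-ins by one user that imply travel faster than max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order; tuples sort on the datetime first
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if km == 0.0:
                continue  # same place; nothing to evaluate
            # Two places at the same instant is the degenerate case: infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": c1,
                    "to": c2,
                    "distance_km": round(km),
                    "minutes_between": round(hours * 60),
                    "implied_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("ALERT:", alert)
```

Alice's two sign-ins, about 10,900 km apart twenty minutes later, trip the rule; Bob's Manchester-to-New-York pair is roughly 5,300 km over ten and a half hours, comfortably inside the threshold, so it is not reported.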