
DACH Email Security Report 2026: 503 Domains Analyzed

DMARCPulse Team
Email Security, DMARC, SPF, MTA-STS, DNSSEC, Report

Why We Did This

Most email security reports focus on the US, UK, or global averages. The DACH region — Germany, Austria, and Switzerland — is underrepresented, despite being home to some of Europe’s largest enterprises, most sensitive government infrastructure, and leading research institutions.

We wanted to know: How well are DACH organizations actually protecting their domains against email spoofing and interception?

To find out, we analyzed 503 domains across 16 industries and 3 countries using public DNS queries. We checked four protocols: SPF, DMARC, MTA-STS, and DNSSEC.

Key Findings

The Good News

  • 97.0% of domains have an SPF record
  • 87.3% have a DMARC record
  • Switzerland leads with 73.7% DMARC enforcement

The Bad News

  • Only 56.3% actually enforce their DMARC policy (p=quarantine or p=reject)
  • 31.0% of all domains sit at p=none — monitoring but not protecting
  • MTA-STS adoption is just 8.2% — leaving 91.8% of domains vulnerable to TLS downgrade attacks
  • DNSSEC reaches only 15.7%

Country Comparison

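| Metric | Germany (327) | Austria (77) | Switzerland (99) |
|---|---|---|---|
| SPF | 96.9% | 94.8% | 99.0% |
| DMARC | 86.2% | 84.4% | 92.9% |
| Enforcement | 53.5% | 45.5% | 73.7% |
| p=reject | 36.1% | 27.3% | 43.4% |
| MTA-STS | 9.8% | 5.2% | 5.1% |
| DNSSEC | 14.7% | 14.3% | 20.2% |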

Switzerland outperforms the region in nearly every metric. Austria trails with the lowest enforcement rate at 45.5%. Germany leads in MTA-STS adoption at 9.8%, likely driven by its larger share of global enterprises with mature security programs.

The Enforcement Gap by Industry

The most striking finding is how widely the gap between DMARC adoption and enforcement varies across industries.

Strongest enforcement:

  • Consumer brands: 87.0%
  • Retail: 74.1%
  • Chemicals: 73.3%
  • Industrials: 71.7%

Weakest enforcement:

  • Education: 26.2% (despite 87.7% adoption)
  • Telecommunications: 38.5%
  • Government: 42.9% (despite 77.1% adoption)
  • Media: 44.7%

The education sector stands out: nearly 9 in 10 university domains have DMARC, but only 1 in 4 enforce it. This means the vast majority of universities are watching spoofing happen without blocking it.

Government domains tell a similar story. Major German cities like Berlin, München, Frankfurt, Düsseldorf, and Dresden all remain at p=none. Several German federal states have no DMARC enforcement in place.

MTA-STS: Almost Nobody Uses It

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for inbound email. Without it, an attacker can intercept SMTP connections and strip away encryption.

Only 41 out of 503 domains (8.2%) have MTA-STS enabled. The media sector has 0% adoption. Notable adopters include Allianz, BASF, Bosch, Commerzbank, Deutsche Bahn, E.ON, Roche, and SBB.

Who’s Missing?

Several high-profile organizations have no DMARC record at all, including Charité (Berlin’s university hospital), ETH Zürich, Max-Planck-Gesellschaft, DZ Bank, BayernLB, Fraport, DPD, and multiple German cities and federal states.

Major organizations stuck at p=none (monitoring only) include Volkswagen, Rheinmetall, Deutsche Bahn, Sparkasse, Bayer, Hannover Rück, Zalando, Lidl, Fraunhofer, and many more.

What Needs to Change

  1. Move beyond p=none. Monitoring mode provides data but zero protection. Commit to a timeline for enforcement.
  2. Deploy MTA-STS. At 8.2% adoption, it’s the most under-deployed protocol. Setup is straightforward: a DNS record and a policy file.
  3. Enable DNSSEC. Only 15.7% of domains have it. Contact your DNS provider to enable signing.
  4. Prioritize government and education. These sectors handle the most sensitive data yet have the weakest enforcement.
  5. Automate monitoring. DMARC is not a one-time project. New services, SPF changes, and DKIM rotation require continuous attention.
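For recommendation 2, the two MTA-STS artifacts (the TXT record and the policy file) can be checked before publication. The following is an added example, not DMARCPulse code; it assumes the record and policy syntax of RFC 8461, and the domain names and sample values are constructed placeholders.

```python
import re

MAX_AGE_LIMIT = 31557600  # upper bound on max_age in RFC 8461 (about one year)

def check_txt(record):
    """Check the TXT record at _mta-sts.<domain>: v=STSv1 first, then one id."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    ids = [f[3:] for f in fields if f.startswith("id=")]
    return (bool(fields) and fields[0] == "v=STSv1" and len(ids) == 1
            and re.fullmatch(r"[A-Za-z0-9]{1,32}", ids[0]) is not None)

def check_policy(body):
    """Return (enforcing, findings) for the body of an mta-sts.txt policy file."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)      # mx may appear several times
        else:
            policy.setdefault(key, value)   # first occurrence wins
    findings = []
    mode = policy.get("mode")
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    if mode not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    elif mode != "enforce":
        findings.append(f"mode {mode} does not make senders refuse delivery on TLS failure")
    if mode != "none" and not policy["mx"]:
        findings.append("at least one mx pattern is required")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        findings.append("max_age must be an integer of at most 31557600 seconds")
    return mode == "enforce" and not findings, findings

# Constructed samples for a placeholder domain (not taken from the report).
TXT_RECORD = "v=STSv1; id=20260409T120000"
WEAK = "version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 86400\n"
FIXED = ("version: STSv1\nmode: enforce\nmx: mail.example.org\n"
         "mx: *.example.org\nmax_age: 604800\n")

if __name__ == "__main__":
    print(check_txt(TXT_RECORD), check_policy(WEAK), check_policy(FIXED))
```

A policy left in `testing` is the MTA-STS counterpart of DMARC at p=none: it is syntactically valid and produces reports, but senders still deliver over a failed TLS session.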

Download the Full Report

The complete report with detailed breakdowns by country, industry, and individual domain findings is available as a free PDF download.


DMARCPulse helps organizations close the enforcement gap. Instead of generic warnings like “SPF failed,” DMARCPulse delivers actionable recommendations — specific DNS values you can copy and paste. Start your free 14-day trial.

Methodology

503 domains were selected from public stock indices (DAX, MDAX, SDAX, TecDAX, ATX, SMI), government directories, universities, hospitals, media outlets, and major private companies. DNS queries were performed using public resolvers on April 9, 2026. Only publicly observable records were analyzed.
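One way the adoption and enforcement percentages can be derived from the TXT answers at `_dmarc.<domain>`, shown as an added example rather than DMARCPulse's own tooling. The input is assumed to be the already-resolved TXT strings per domain; the sample answers use constructed `.example` names, and treating duplicate DMARC records as no policy follows RFC 7489.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT string into ordered (tag, value) pairs."""
    tags = []
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.append((key.strip().lower(), value.strip()))
    return tags

def dmarc_policy(txt_records):
    """Return 'missing', 'none', 'quarantine' or 'reject' for one domain."""
    # Only records whose first tag is v=DMARC1 count; other TXT data that
    # happens to sit at the same name is discarded.
    records = [t for t in map(parse_tags, txt_records)
               if t and t[0] == ("v", "DMARC1")]
    if len(records) != 1:          # zero or several records: no usable policy
        return "missing"
    policy = dict(records[0]).get("p", "").lower()
    # An absent or unrecognised p is counted as not enforcing (a
    # simplification made by this example).
    return policy if policy in ("quarantine", "reject") else "none"

def summarize(dns_answers):
    """dns_answers maps domain -> list of TXT strings found at _dmarc.<domain>."""
    postures = {d: dmarc_policy(txt) for d, txt in dns_answers.items()}
    total = len(postures)
    adopted = sum(p != "missing" for p in postures.values())
    enforced = sum(p in ("quarantine", "reject") for p in postures.values())
    return {
        "postures": postures,
        "adoption_pct": round(100 * adopted / total, 1),
        "enforcement_pct": round(100 * enforced / total, 1),
    }

# Constructed sample answers, not domains or records from the report.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:d@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:d@b.example"],
    "c.example": ["v=spf1 -all"],                               # not DMARC
    "d.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],    # duplicate
    "e.example": ["v=DMARC1;p=Quarantine;pct=100"],
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```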

Summary

  • 503 DACH domains analyzed across 16 industries
  • SPF adoption at 97.0%, DMARC at 87.3% — but enforcement at only 56.3%
  • Switzerland leads (73.7% enforcement), Austria trails (45.5%)
  • Education has the widest enforcement gap: 87.7% adoption, 26.2% enforcement
  • MTA-STS adoption at 8.2%, DNSSEC at 15.7%
  • Major enterprises, government bodies, and universities remain unprotected