Key findings from our latest SMX Regional DMARC Survey

DMARC Survey 2022 Hero

The results are in deployment rates are improving, but there’s more work to be done

For the past three years, SMX has been monitoring the uptake rates of DMARC in Australia and New Zealand to help raise awareness of this critical email security standard.  
Our latest report, SMX Regional DMARC Survey 2022, shows that DMARC deployment continues to get good traction among the organisations that stand to benefit the most from its security improvements. This year also marks the 40th anniversary of email – DMARC is the most important security upgrade to this legacy internet service since RFCs were introduced in 1982.  
Here’s a quick breakdown of the survey’s results:

NZ government agencies 
Back in 2020 when we first started this survey, less than 20% of NZ government agencies had deployed DMARC. This year, the sector has passed a major milestone with more than 50% of agencies having a valid DMARC record in place – an increase of 17% from last year’s results.  
The top 100 NZ organisations 
Almost 60% of the largest companies in New Zealand have DMARC implemented, one of the highest penetration rates of all the sectors we monitor. However, this still leaves almost 40% of large enterprises without DMARC – and at risk of email spoofing and forgery attacks. 
Australian federal government 
Since 2020, the number of Australian federal government agencies has reduced by half, from 42% to 21%. This now means almost 75% of agencies have DMARC in place – 1.5 times the rate of NZ government agencies. There are far fewer Australian federal agencies but this is still a huge effort that should be recognised. 
ASX-listed companies 
In 2021, we added the ASX-listed companies to our annual survey. In the past year, there has been an almost 8% increase in DMARC deployment for this group. However, even with that traction, more than 70% of Australia’s largest companies are still without DMARC, a concerningly low uptake rate that leaves many companies exposed and their digital assets at risk.  
All SMX customers 
Since our first regional DMARC survey in 2020, DMARC deployment among SMX’s customers has increased three-fold. In 2022, almost 15% of SMX’s customers have deployed DMARC. There is still a lot of work to be done, but the DMARC trend is heading in the right direction (even if it’s a little slower than we would like). 
Sending to SMX customers 
Unfortunately, this segment of domains is showing the least movement over the past two years, with 95% without DMARC over that period. While we acknowledge there has been some progress, this segment shows that many still don’t recognise the benefits that DMARC can deliver for their organisations and their customers’ security.

Moving in the right direction

Overall, there has been some good progress made across all major segments we monitor. That’s great news – it means more and more organisations have become aware of the benefits that properly-configured DMARC can deliver for their domains and digital assets.  

Additionally, we can see that as organisation’s become aware of DMARC and roll it out on their domains, they all follow the standard pathway of moving to reporting only mode first to get comfortable with DMARC and its dependencies, before moving to enforcement mode. This tried and tested migration pathway provides organisations with a reliable method to achieve DMARC compliance without risking email delivery failures. 

But for organisations with P=none may be stuck in reporting mode and unsure how to move to enforcement mode. This is where we see that the use of reporting tools alone, will result in actionable insights. 

The results of the regional DMARC survey are encouraging and worth celebrating, but there is still a lot of work to be done so the domains and digital assets of some of our largest organisations are protected and fully trusted.


Find out more: SMX Domain Protection Service

Report highlights: 

  • The NZ government sector shows the biggest increase out of all sectors surveyed – 50% of agencies now have DMARC in place. At this current pace, all NZ government agencies should have DMARC deployed by 2026. 
  • However, only 30% of ASX-listed companies have implemented DMARC. This means more than 70% of Australia’s largest companies are still without DMARC and are therefore potentially exposed to email spoofing and forgery attacks. 
  • Looking at the top 100 NZ companies, almost 60% now have a working DMARC record. 
  • 95% of the rest of the market doesn’t have DMARC implemented. That means there is still a lot of work to be done to close the gaps. 


For more detailed sector analysis, download the full results summary: 

SMX Regional DMARC Survey 2022