Australia is currently facing a digital siege. In 2024, the Australian Signals Directorate (ASD) responded to a record 1,200+ high-priority cyber incidents, an 11% surge that has seen the average cost of cybercrime for large businesses skyrocket by 219% to over $200,000 per incident.
With a new cybercrime reported every six minutes, the Australian government has transitioned from simple recommendations to strict regulation under the Security of Critical Infrastructure (SOCI) Rules.
However, PowerDMARC’s new Australia DMARC & MTA-STS Adoption Report 2025 reveals a startling “Enforcement Gap.”
While the nation boasts high foundational adoption of security records, a fundamental paradox remains: more than half of Australian domains fail to actually enforce these protocols, leaving the economy’s “digital arteries” wide open to exploitation.
Key Insights at a Glance
- SPF Correctness: High adoption at 92.3%, showing strong baseline hygiene across most sectors.
- DMARC Enforcement: A critical failure point; 53.3% of domains do not use “p=reject,” meaning they cannot stop active spoofing attempts.
- MTA-STS (Encryption): Nearly non-existent at 5.8%, leaving sensitive communications vulnerable to “Man-in-the-Middle” (MiTM) interception.
- DNSSEC: Only 6.8% adoption, leaving the vast majority of Australian organisations susceptible to DNS hijacking and cache poisoning.
The report highlights that while Australia leads many global peers in initial setup, it remains a “Passive Leader.”
High visibility through monitoring-only policies (p=none) creates a false sense of security that does little to stop the $2 billion annual scam epidemic.
What’s at stake?
The report provides a deep dive into the sectors guarding Australia’s most sensitive data:
- Government: The leader in DMARC enforcement (70.5%), yet still hindered by a massive gap in email transit encryption.
- Banking & Finance: Despite high SPF rates, 48.4% still lack a “reject” policy, allowing scammers to perfectly mimic bank domains for “mule account” frauds.
- Healthcare: A critical blind spot, with 97.8% of domains lacking MTA-STS, risking the interception of private patient health records.
- Telecommunications & Transport: These sectors exhibit the highest risk, with some of the lowest enforcement rates (as low as 22%), inviting invoice fraud and credential theft.
The Path Forward
The 2025 data confirms that Australia has built the foundation but has yet to “finish the walls” of its digital fortress.
To move from passive monitoring to active defence, the report recommends that Australian organisations go beyond the “compliance trap” and shift toward automated, strict enforcement of DMARC and MTA-STS to align with the ASD Essential Eight maturity levels.
How PowerDMARC Supports Australian Organisations
PowerDMARC empowers Australian enterprises and government agencies to bridge the enforcement gap with a simplified, automated approach:
- Hosted DMARC: Move to p=reject confidently without risking the delivery of legitimate, critical emails.
- SPF Flattening: Eliminate “Too many DNS lookups” errors that frequently break email deliverability for large firms.
- Automated MTA-STS: Secure encrypted email transit to comply with SOCI regulations and the Privacy Act.
- AI-Threat Intelligence: Gain real-time visibility into global sources sending mail on your behalf.
“Australia has built a technical foundation that outpaces much of the world, yet the ‘Enforcement Gap’ remains a multi-billion dollar vulnerability.
The urgent imperative for 2026 is to move from passive visibility to active defense.” — Maitham Al Lawati, CEO, PowerDMARC
Australian organisations can contact PowerDMARC to bolster national cyber resilience, shielding citizens and sensitive data while upholding the gold standard of trust in Australia’s digital economy.
Government: The High-Enforcement Benchmark
Agencies are digitizing citizen services faster than they are securing the communication channels that deliver them.

About PowerDMARC
PowerDMARC is a leading email authentication and domain protection platform, offering comprehensive solutions including DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT, and hosted reporting with AI-powered threat intelligence.
The platform secures email ecosystems for over 10,000 organisations across more than 100 countries, including Fortune 100 companies, governments, and large enterprises.
PowerDMARC is MSP/MSSP-ready with full white-label support and holds SOC 2 Type 2, ISO 27001, and GDPR compliance certification.

