Understanding email security statistics
These statistics provide a snapshot of how the world's largest listed companies protect their email infrastructure. Each metric tracks a specific email security standard and shows the percentage of companies that have deployed it correctly.
Key metrics explained:
- DMARC reject - Percentage of companies with a DMARC policy set to
p=reject, the strictest enforcement level - Strict SPF - Percentage of companies with an SPF record ending in
-all(hard fail), blocking unauthorized senders - BIMI configured - Percentage of companies with a BIMI record, enabling logo display in recipients' inboxes
- MTA-STS enforce - Percentage of companies with MTA-STS in
enforcemode, requiring TLS encryption for inbound email
How to interpret the data
Index-level comparison
Each stock index represents a national or regional sample of major companies. Comparing indices reveals global differences in cybersecurity priorities and regulatory influence.
Sector-level breakdown
Within each index, companies are grouped by industry sector. This reveals whether specific industries (e.g., banking, technology) systematically outperform others in email security.
Score distribution
The grade distribution shows how scores spread across companies. A healthy distribution skews toward A+/A. A wide spread from A+ to F indicates significant disparity in security maturity.
FAQ - Frequently asked questions
Q: What do the adoption percentages mean?
A: Each percentage represents the share of companies that have deployed a given standard correctly.
Q: Why do rates vary between indices?
A: Regulatory environments, industry composition and cybersecurity maturity differ across countries.
Q: What is the most important metric?
A: DMARC with a reject policy is the single most impactful email security control.
Related pages
| Page | Purpose |
|---|---|
| Observatory Dashboard | Overall observatory overview with top and bottom companies |
| Email Domain Check | Audit your own domain's email security |