As manufacturers digitize and connect more deeply with global partners, email remains the quiet but crucial backbone of their operations, powering procurement, logistics, compliance, and supplier coordination. Yet while more than 90 percent of top manufacturing domains have published a DMARC (Domain-based Message Authentication, Reporting & Conformance) record, the actual protection rate across the manufacturing segment is significantly lower, at only 60.6 percent.
This partial implementation creates a dangerous illusion of security. Without enforcement in place, fraudulent emails that appear to come from a legitimate domain can pass through email gateways undetected. Spoofed invoices, fake purchase orders, and supplier impersonation schemes are not theoretical risks—they’re real-world tactics that continue to disrupt operations and drain millions from vulnerable industrial organizations. And in a sector built on precision and trust, a single breach can fracture vital supply chain relationships.
DMARC Awareness, But No Protection
Publishing a DMARC record is a meaningful first step; it signals awareness and a desire to protect the brand. But stopping at “p=none” is like installing a security system but never turning it on. Attackers can still forge email headers, impersonate senders, and deliver malicious messages to unsuspecting recipients. Worse, this half-measure can lull IT and compliance teams into thinking the domain is protected, when in reality, it’s still wide open to abuse.
Valimail’s research across manufacturing domains shows that while adoption is high, enforcement still lags. Nearly one-third of domains fail to implement a policy of “quarantine” or “reject,” leaving critical channels vulnerable. Compounding the problem, some domains lack reporting entirely—omitting the RUA tag that would provide visibility into unauthorized senders and authentication failures.
Source: Valimail 2025 Disinformation and Malicious Email Report
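The gap between publishing a record and being protected can be read directly from the record's tags. The following added example (not from the Valimail report) audits DMARC TXT record strings for the conditions described above: a “p=none” policy, a missing RUA tag, and partial enforcement through `pct` or `sp`. The domain names and records are constructed samples, and the parsing is a simplified reading of the tag syntax rather than a full validator.

```python
# Added example. Sample records are constructed for illustration; parsing is a
# simplified reading of the DMARC tag=value syntax, not a full validator.
SAMPLES = {
    "hq.example.com": "v=DMARC1; p=none",
    "parts.example.com": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@parts.example.com",
    "plant.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@plant.example.com",
    "old.example.com": None,  # no TXT record found at _dmarc.old.example.com
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def audit(txt):
    """Classify one record and list the gaps that leave the domain exposed."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-record", ["no valid DMARC record published"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unrecognized p= tag"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= tag, so no aggregate reports are received")
    if policy == "none":
        findings.append("p=none: receivers are asked to take no action on failing mail")
        return "monitoring", findings
    pct = tags.get("pct", "100")
    subdomain_policy = tags.get("sp", policy).lower()
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only part of failing mail")
    if subdomain_policy == "none":
        findings.append("sp=none: subdomains are left at monitoring")
    partial = pct != "100" or subdomain_policy == "none"
    return ("partial" if partial else "enforced"), findings

def audit_all(records):
    """Audit a {domain: TXT record or None} mapping."""
    return {domain: audit(txt) for domain, txt in records.items()}
```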
For manufacturers, email impersonation isn’t just an IT issue—it’s an operational hazard. Consider a forged message appearing to come from a trusted supplier, instructing a warehouse manager to reroute a shipment. Or a spoofed invoice that convinces an AP clerk to authorize a fraudulent payment. These attacks blend into the day-to-day cadence of industrial communication and often go unnoticed until the damage is done and money is lost.
Because many manufacturers operate with decentralized infrastructure across regions, business units, and external vendors, attackers exploit these gaps, targeting the soft edges of the organization where trust is assumed but not always verified.
From Monitoring to Protection, Without Breaking Everything
The good news: transitioning to a protective DMARC policy is entirely manageable and doesn’t have to risk deliverability or business continuity. Here’s how:
- Start with inventory and analysis: Identify every domain and subdomain, as well as the third-party platforms (e.g., ERP, marketing tools, customer service apps) that send on your behalf. Ensure that email authentication (SPF and DKIM) is fully and properly configured.
- Leverage reporting for insight: Use aggregate DMARC (RUA) reports to understand who’s sending mail using your domain, and whether those messages are passing authentication. You can’t protect your world if you don’t know what’s in it.
- Gradually move toward enforcement: Raise the DMARC policy (and with it, protection) from “none” to “quarantine,” and then to “reject,” using domain-level overrides or phased rollout strategies to avoid false positives (that is, to prevent the accidental rejection of legitimate email messages) and maintain email flow.
- Coordinate planning and align stakeholders: Involve both technical and non-technical teams (security, marketing, compliance, and IT) to build a cooperative roadmap. All roads lead to email, so it’s important to make sure no stakeholder is left behind.
- Don’t be afraid to ask for help: Consider using a managed service or automation platform to streamline implementation, track progress, and ensure that you’re properly protected, especially if this seems like a daunting challenge.
For modern manufacturers, brand trust is no longer limited to the product—it extends to every interaction, every invoice, and every communication. DMARC enforcement plays a foundational role in protecting that trust. By ensuring that only authorized email sources can use your domain, you reduce the risk of fraud, protect partners, and create a safer digital supply chain.
Cybercriminals will continue to look for weak points, and unprotected domains offer exactly that. The path to resilience doesn’t require massive infrastructure changes; it starts with configuration, visibility, and policy discipline.
Getting To The Finish Line
DMARC is not a checkbox; it’s a journey. Publishing a record is the beginning, not the end. Until enforcement is in place, your domain remains vulnerable to impersonation, and your teams, customers, and suppliers remain exposed.
If your DMARC policy still says “p=none,” now’s the time to move it forward. Because when every order, invoice, and shipment depends on secure communication, email authentication is not just IT hygiene, it’s business-critical.
Al Iverson leads Industry Research and Community Engagement at Valimail. A longtime expert in email authentication, policy, and deliverability, he also writes Spam Resource, a popular blog for email professionals.