DMARC Adoption: FIFA World Cup 2026 

In this edition of our DMARC adoption research, we are considering the FIFA World Cup ecosystem and how national teams, league clubs, sponsors, and host supporters are faring with domain security as they hit the global sports spotlight in June.

Hosted jointly by three countries and expanded to 48 teams across 16 cities for the first time, the 2026 FIFA World Cup digital environment is awash with yellow and red cards when it comes to secure internet domains and email authentication.

From vulnerable internet domains to those with DMARC enforcement policies of p=quarantine or p=reject, the World Cup-related domains we surveyed vary greatly in phishing and spoofing security. An average of 45% are exposed to phishing, spoofing, and email fraud. With over five million people attending the matches in person and billions of others watching from afar, the stakes are high.

As the U.S. prepares to welcome millions of visitors for FIFA World Cup 2026, CISA is working with host cities and partners nationwide to help communities celebrate safely. Our teams provide physical and cybersecurity assessments, multi-agency exercises, threat monitoring, and resilience planning. CISA works with stadiums, transportation systems, communications networks, and essential services to strengthen security and build resilience. CISA completed assessments across World Cup venues and supporting infrastructure and organized six readiness exercises involving nearly 200 federal partners and 2,000 participants.

—Cybersecurity and Infrastructure Security Agency (CISA)

DMARC Adoption: Football Leagues

As a sample of international leagues, we researched La Liga and the English Premier League (EPL), two of the world’s most popular professional sports divisions. 

We researched this contingent to see if the respective and varying privacy regulations in Spain and England affect the levels of email security and domain protection.

For example, 30% of La Liga clubs lack a DMARC record, while all of the EPL clubs have a DMARC record despite 25% of them having a p=none monitoring policy. The monitoring policy of none creates email traffic and source visibility but does nothing to stop an abusive email from reaching someone’s inbox.

We learned that 45% of La Liga clubs are protected with p=reject or p=quarantine DMARC policies while EPL teams have a DMARC enforcement level of 65%. A quarantine policy sends email that fails SPF and DKIM authentication to the spam folder, while a reject policy is like a red card and stops the email from entering the game of deception.

The UK’s Information Commissioner’s Office (ICO) takes a strict enforcement approach under UK GDPR, issuing hefty fines (up to 4% of global revenue), enforcement notices, and audits for breaches like poor email security.

Agencia Española de Protección de Datos (AEPD), Spain’s independent national supervisory authority responsible for enforcing data privacy laws, issues fewer penalties and focuses more on user education, consent tools, and subject matter expert support rather than aggressive audits. AEPD’s approach might explain the higher level of monitoring and quarantine DMARC policies among the Spanish clubs.

---

---

DMARC Adoption: World Cup Teams

In this segment of adoption research, we turn to league clubs and national teams, as a whole, to see where they stand in relation to DMARC records and levels of enforcement. 

National Teams: 29% at DMARC enforcement

The World Cup national teams struggle a bit more with the health of their domains: 37% have no DMARC record, and 34% have a p=none policy or record errors. The balance, 29%, have published enforcement policies to keep their stakeholders safe.    

Iraq and Ivory Coast: the outliers

Two World Cup 2026 participants—Iraq and Ivory Coast—appear in the tournament’s email ecosystem only through FIFA’s own domain infrastructure, with no independently DMARC-protected presence of their own. Iraq’s Football Association operates on ifa.iq, a ccTLD (country code Top-Level Domain) that was effectively dormant for years following the collapse of Iraq’s national communications infrastructure after 2003 and was only revived for general use well into the following decade. Ivory Coast’s federation uses fifciv.com, a generically registered .com domain typical of West African football associations that were stood up without enterprise-grade email authentication in mind—and in neither case has a DMARC record followed.

DMARC Adoption: Host Supporters and World Cup Sponsors

In this comparative analysis, we investigated the FIFA World Cup sponsors and the local host city supporters to see how these unique groups with varying resources are prepared to keep phishing and other forms of email fraud at bay during the global sports spectacle.

Host Supporters: 55% at DMARC enforcement 

With host supporters, the organizations that partner with specific host cities to help fund and promote the tournament, we saw that almost half of the parent domains were open to phishing and spoofing. Over half, 52%, have the optimal DMARC policy of p=reject and 3% were almost there with a p=quarantine policy.     

World Cup Sponsors: 71% at DMARC Enforcement

Domain security looks more optimistic with the FIFA World Cup sponsors, with 29% of the domains exposed to potential phishing and spoofing attacks because of DMARC record errors, the lack of a record, or a p=none policy. Then 71% were at reject or quarantine enforcement—the most protected cohort in our World Cup adoption audit. 

SPF issues

Our research revealed that SPF mistakes were common in the World Cup ecosystem, whether it’s excessive lookups; the lack of an SPF record; multiple SPF records; or invalid records, usually the result of a syntax error.

---

---

Lack of RUA reporting address

With DMARC records, we found the recurring problem of a missing RUA reporting email address. RUA is a pivotal DMARC element and determines where DMARC reports are sent. Without an RUA address, there’s no visibility into the email being sent using your domain, whether legitimate or otherwise. This visibility is vital because it can help you isolate and correct unauthorized domain use.

Large-scale events like the Olympics or the World Cup combine global attention, massive digital infrastructure, and intense time pressure, which makes them prime targets for bad actors. When you see fake ticket sites or cyber sabotage, it tells you two things: First, attackers go where attention and money are concentrated; second, these events dramatically expand the attack surface. You’re not just protecting stadiums; you’re protecting an ecosystem. You’re protecting ticketing platforms, broadcast systems, transportation networks, sponsors, vendors, mobile apps and millions of spectators’ devices.

—Justin Miller, University of Tulsa Associate Professor of Practice of Cyber Studies in Government Technology

Play defense with DMARC

Businesses are using DMARC and its underlying technologies of SPF and DKIM as domain-based controls to address the following:

• Email Fraud – DMARC’s original use-case. DMARC provides visibility of how a domain is used and prevents unauthorized senders from sending email on behalf of an organization.
  
• Third-party security: With DMARC, you can quickly assess and monitor the security posture of vendors.
  
• Compliance – Industries, governments, and regulations are increasingly requiring DMARC to be in place.

How dmarcian can help

With a team of email security experts and a mission of making email and the internet more trustworthy, dmarcian can help you assess your domain catalog, deploy DMARC and manage domain security for the long haul. With our expertise and mission of DMARC for All, we can help you

• Progress safely from monitoring to enforcement with our expert guidance.
• Understand how SPF, DKIM and DMARC work, and why they are essential.
• Configure these protocols to ensure seamless email delivery.
• Monitor authentication reports to identify and resolve any issues promptly.

---

Want to continue the conversation? Head over to the dmarcian Forum.