Why DMARC Belongs in Your 2027 Budget
Earlier this year we wrote about why phishing attacks continue to succeed despite modern security controls. As we move into the second half of the year, organisations across EMEA are looking ahead to 2027.
Strategic priorities are being discussed and budgets are being reviewed. Business leaders, CISOs, and IT teams are deciding which initiatives will reduce risk, strengthen resilience, and help future-proof their organisations over the coming years.
Recent discussions with CISOs and security leaders suggest that the cybersecurity conversation is evolving. These observations are reinforced by the findings of a recent survey conducted among CISOs and shared at a Cyber Ireland event.
The Shifting Cybersecurity Landscape in EMEA
The survey found that compliance and governance concerns increased from 38% in 2025 to 45% in 2026. At the same time, phishing-related credential compromise remains one of the most significant risks facing organisations, increasing from approximately 20% to 25% over the same period.
Meanwhile, 59% of organisations expect cybersecurity budgets to increase in 2026, although this is down from 68% the previous year. Security spending continues to grow, but scrutiny of that spend is on the rise, too. The message from both the event and survey findings is clear: boards and executive teams are increasingly focused on resilience, governance, and measurable risk reduction rather than technology for technology’s sake.
Why DMARC shouldn’t remain stuck on the to-do list
Against that backdrop, DMARC deserves a place at the top of the list. For years, many organisations have recognised the importance of email authentication. DMARC has appeared on risk registers, surfaced during audits, and been discussed after phishing incidents. Yet despite widespread awareness, it often remains stuck in the category of “something we should get around to.”
2027 will likely be the year that changes.
The reality is that DMARC is about much more than stopping phishing attacks. Email remains the most important way that organisations communicate with customers, suppliers, partners, and employees, which makes it an indispensable business issue. At the same time, mailbox providers continue to raise the bar for trust and authentication through their sender requirements.
DMARC is no longer just a security issue
Organisations can no longer assume that legitimate emails will reach the inbox simply because they were sent from a recognised domain. That means email authentication is no longer just a security issue; it is a business issue, and poorly authenticated email can affect deliverability, impact customer engagement, reduce trust in communications, and create unnecessary friction across the organisation. All the while, unauthorised use of your domain can damage brand reputation and expose customers, partners, and employees to fraud.
Navigating NIS2, DORA, and new regulations
Across EMEA, these challenges are becoming increasingly relevant. Organisations are navigating evolving regulatory requirements, growing supply chain risks, and increasing expectations around digital trust. Developments such as NIS2 and DORA are encouraging organisations to take a more structured approach to cybersecurity governance, resilience, and risk management.
Boards and risk committees are asking tougher questions about resilience, governance, and risk reduction. They are looking for measurable ways to reduce risk while supporting business objectives. In light of this, email trust and DMARC deserve a place on the risk register.
Organisations that have formally recognised email security as a business risk have been able to build support for successful DMARC programs. For example, Dublin City University’s journey highlights how email security and risk mandates helped to secure organisational buy-in and drive DMARC implementation.
7 Questions to Ask Your Security Team Before 2027
- Can unauthorised parties send email using our domain?
- Do we know all of the services sending email on our behalf?
- Could weaknesses in our email authentication affect deliverability?
- Could our customers, suppliers, or employees be exposed to impersonation attacks using our brand?
- Are we actively reducing this risk, or simply acknowledging that it exists?
- Is email trust still sitting on our risk register, or have we done something about it?
- What do we need to do to be ready for successful DMARC implementation in 2027?
DMARC helps protect domains from unauthorised use and provides visibility into who is sending email on behalf of the organisation. It can also reduce the likelihood of finding your organisation’s name associated with phishing campaigns, fraud attempts, or breach reports.
Importantly, DMARC is one of the few initiatives that can improve both security and business outcomes at the same time. When reviewing priorities for 2027, organisations should ask themselves a simple question: Is email trust still sitting on our risk register, or have we actually done something about it? If domain protection, deliverability, and brand reputation have been lingering as unresolved risks for several years, now is the right time to address them.
Successful DMARC Adoption Is Not Simply About Technology
One of the biggest lessons from organisations that have successfully implemented DMARC is that people matter. The challenge typically isn’t around publishing a DNS record; the challenge is understanding your email ecosystem, identifying legitimate senders, managing third-party services, engaging stakeholders, and navigating the journey to enforcement without disrupting business communications.
Technology is important, but experience matters
That is why another important question to ask today is:
What do we need to do now to be ready for successful DMARC implementation in 2027?
We explored many of these themes in our webinar with Dublin City University. For many organisations, being ready means building an inventory of email services. For others, it means gaining visibility into who is sending email on their behalf. For many, it means finding experienced partners who can guide them through the process and help avoid common pitfalls.
As AI continues to make impersonation attacks more convincing and as trust becomes an increasingly valuable business asset, organisations will need more than tools alone. They will need people who understand the challenges, have helped others navigate them, and can turn a complex project into a successful outcome.
Ultimately, 2027 could be the year your organisation closes risk register gaps, improves email deliverability, strengthens brand reputation, reduces impersonation exposure, and gains confidence in one of its most important communication channels: email. 2027 should be the year when you move email trust from an accepted risk to a managed one.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.