 
The Year of Email Security: Germany’s Focus on DMARC
Recognizing the need for stronger email and domain protection, Germany’s Federal Office for Information Security (BSI) proclaimed 2025 the Year of Email Security.
“When I think about email security, the first thing that comes to mind is just how pervasive email is,” writes Claudia Plattner, BSI President. “It is often the go-to medium for personal exchange or high-stakes corporate transactions. Its very ubiquity makes it a prime target for cybercriminals…they represent a direct threat to both individuals and businesses worldwide.”
With this in mind, BSI is encouraging broader adoption of SPF, DKIM and DMARC through education, cooperation and industry initiatives. It released CS-155 to provide guidance for organisations.
Building upon BSI’s TR-03182 Email Authentication guidance, which focuses on the adoption of email authentication standards like SPF, DKIM and DMARC, CS-155 continues the effort to create safer, more trustworthy email communications by stopping phishing attacks and reducing spam.
Though CS-155 is aimed primarily at companies that rely on email service providers (ESP), the recommendations are prudent for domain owners big and small.
The SPF, DKIM, and DMARC standards have become established worldwide for email server authentication. Implementing these standards strengthens protection against attacks that spoof the identity of trusted sender domains (e.g., spoofing and phishing). These standards are already widely used in practice, but easily correctable errors are often made during implementation.
—CS-155
BSI’s DMARC Troubleshooting Recommendations
In an effort to help organisations effectively deploy and manage DMARC, CS-155 features the following troubleshooting advice in Recommendation 1: Avoid common mistakes with SPF, DKIM and DMARC:
- Typos are a common cause of incorrect DNS records. These can affect both the DNS values (e.g., spaces in IP addresses) and the associated tags (e.g., “include” instead of “include”). Such typos can invalidate individual entries in the record or the entire record.
- DNS records in quotation marks: Each of the three technologies, SPF, DKIM, and DMARC, requires the creation of a corresponding DNS record. Since DNS tools often output these records in quotation marks to clearly mark the start and end of the character string, it is a common misconception that these records must be created in the DNS with quotation marks.
- Multiple entries: SPF, DKIM, and DMARC may only appear as a single entry in a domain’s DNS. It’s not uncommon for additional SPF entries to be added because they appear necessary for collaboration with external service providers.
- Invalid version names: the versioning of the underlying standards is done using a unique value for identification (v=spf1, v=DKIM1, and v=DMARC1). Different specifications in the version tag are not covered by the standards and will be ignored or misinterpreted by receiving servers.
- Orphaned DNS records: Over time, the DNS entries of participating systems, e.g., email servers that have been granted sending permission via SPF, can accumulate. To avoid errors and security risks, entries that are no longer required should be removed immediately.
- Incorrect syntax: Syntax requirements are often unconsciously ignored. One example is the lack of semicolon separation between the different tags in DKIM and DMARC. Mixing entries, such as SPF and DMARC entries, can also cause errors. All entries should be checked to ensure they meet the requirements of the respective standard.
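Most of the mistakes in the list above can be caught mechanically before a record is published. The following linter is an added example, not code from CS-155 or dmarcian; the finding names, the sample records and the misspelling `inlcude` are constructed for illustration, and the version check is deliberately strict about the spellings v=spf1, v=DKIM1 and v=DMARC1.

```python
import re

# Version tags exactly as CS-155 spells them; the check below is strict.
VERSION = {"spf": "v=spf1", "dkim": "v=DKIM1", "dmarc": "v=DMARC1"}
SPF_TERMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists",
             "redirect", "exp"}
TAGS = {"dkim": {"v", "h", "k", "n", "p", "s", "t"},
        "dmarc": {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct",
                  "fo", "rf", "ri"}}


def lint(kind, records):
    """Lint the decoded TXT strings published at one DNS name.

    kind is 'spf', 'dkim' or 'dmarc'. Returns sorted finding codes; the
    code names are this example's own, not taken from CS-155.
    """
    found = set()
    mine = [r for r in records if r.strip(' "').lower().startswith("v=" + kind)]
    if len(mine) > 1:                       # "Multiple entries"
        found.add("multiple-records")
    for rec in mine:
        if '"' in rec:                      # quotes stored as part of the value
            found.add("literal-quotes")
        body = rec.strip(' "')
        if re.split(r"[;\s]", body, maxsplit=1)[0] != VERSION[kind]:
            found.add("invalid-version")
        if any(v in body for k, v in VERSION.items() if k != kind):
            found.add("mixed-record")       # e.g. SPF and DMARC in one string
        if kind == "spf":
            for term in body.split()[1:]:   # catches typos and split IPs
                name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]
                if name.lower() not in SPF_TERMS:
                    found.add("unknown-term:" + term)
            continue
        tag_after_space = r"\s(%s)\s*=" % "|".join(sorted(TAGS[kind]))
        for part in filter(None, (p.strip() for p in body.split(";"))):
            if part.split("=", 1)[0].strip() not in TAGS[kind]:
                found.add("unknown-tag:" + part)
            if re.search(tag_after_space, part):
                found.add("missing-semicolon")
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample records (example.com / example.net are placeholders).
    print(lint("spf", ["v=spf1 inlcude:_spf.example.net ip4:192.0.2. 10 -all"]))
    print(lint("dmarc", ['"v=DMARC1 p=reject; rua=mailto:dmarc@example.com"']))
```

Feed it the TXT values returned for the domain itself (SPF), `_dmarc.<domain>` (DMARC) or `<selector>._domainkey.<domain>` (DKIM). Orphaned entries cannot be detected from syntax alone and still need a review of which systems actually send mail.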
Our SPF syntax guide helps you dial in your SPF records to improve authentication, lower risk and boost deliverability.
Since its initial appearance in 2012, DMARC has proven its value and effectiveness and grown into a baseline standard and requirement for email authentication and domain security. As an essential defense against phishing and spoofing, which have grown more sophisticated with advancements in AI, DMARC is a symbol of trust for domains and the foundation of deliverability.
DMARC Adoption in Germany
In thinking about 2025 as Germany’s Year of Email Security, we took a look at the country’s top businesses, banks and breweries to see where they stand on DMARC adoption.
Within these sectors, we found that 31% of the domains have achieved DMARC enforcement with either p=quarantine or p=reject DMARC policies. While DMARC adoption in Germany is growing, the majority of domains we studied lack DMARC enforcement and remain at the p=none monitoring policy or haven’t published a DMARC record.
Germany has declared this the Year of Email Security, and the opportunity is huge. Only 31% of domains are at DMARC enforcement today, which means the biggest gains are still ahead. In Germany even the top 250 companies hold at just 26% p=reject with the top 100 banks at 19%. Closing the gap is not just a nice-to-have and when trusted companies move to enforcement, attackers lose their favourite openings.
—Dermot Harnett, dmarcian EMEA Business Director

As you might expect, banks and large enterprises, with their more advanced digital resource management, have higher rates of adoption and enforcement than German brewers. While big breweries have DMARC deployed with an enforcement policy, most breweries operate with minimal email security measures to meet baseline requirements or haven’t yet focused on DMARC as a control to protect their digital identity.
Unfortunately, breweries in Germany and across the globe are in the sights of criminals. Earlier this year German brewer Oettinger suffered a ransomware attack by RansomHouse, a ransomware-as-a-service (RaaS) consortium. RaaS operations often target organizations by using phishing and spear-phishing emails and exploiting known vulnerabilities in public-facing applications.
Germany has made significant strides in adopting email security protocols, but we still have a long way to go compared to other countries. If we’re serious about improving our overall cybersecurity resilience, we must catch up. This is why cooperation with industry associations like the eco Association is so important. I’m optimistic that through our joint efforts, we can significantly reduce email-based threats like phishing and spoofing. The ultimate goal is to ensure that email communications originating from Germany are secure, setting a new standard for email security globally.
—Claudia Plattner, BSI President
We’re here to help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian and our partners have helped German domain owners reach DMARC enforcement to keep their customers and brands safe. We’re people helping people secure their domains from phishing and manage their email security for the long haul.
 
 
