GMO Brand Security Survey: State of Email Security in Major Brands

A survey by GMO Brand Security found a wide gap in email security measures between global and Japanese top brands, with Japanese brands far behind in SPF and DMARC adoption. This leaves Japanese brands highly vulnerable to spoofing attacks.
Source: prnews
Published: April 7, 2026 at 19:00

GMO Internet Group's GMO Brand Security, Inc. (President and Representative Director: Mitsuaki Nakagawa, hereinafter "GMO Brand Security") conducted a survey on the implementation status of "SPF" (Sender Policy Framework) and "DMARC" (Domain-based Message Authentication, Reporting & Conformance), email spoofing countermeasures, targeting a total of 7,600 domains owned by the Global Top 50 Brands and Japan Top 50 Brands selected for Interbrand Best Global Brands 2025 and Best Japan Brands 2025.

The survey found that the percentage of domains with "appropriate" settings, where both SPF and DMARC are effectively configured, was 23.1% for Global Top 50 Brands but only 4.8% for domains owned by Japan Top 50 Brands, a gap of approximately 4.8 times. Domains that are not in an "appropriate" state have unconfigured or flawed SPF/DMARC settings, so spoofed emails impersonating the brand name can be sent easily; the survey treats these domains as "high risk."

(※1) SPF (Sender Policy Framework)
A technology in which the domain owner publishes the IP addresses of its legitimate sending servers in DNS, so that receivers can determine whether an email was sent from an authorized source. While relatively easy to implement, it has a weakness in that authentication can fail if the email is forwarded.

(※2) DMARC (Domain-based Message Authentication, Reporting & Conformance)
A mechanism by which the domain owner tells receiving mail servers how to handle email that fails SPF and DKIM authentication, such as whether to "block the email." It has three levels: none (monitoring only), quarantine (isolation), and reject (blocking), and is crucial for preventing spoofing.

## Summary of Survey Results

**1. Japan's Appropriate Rate is 4.8%. The Gap with Global Brands is Approximately 4.8 Times**

The appropriate rate for Global Top 50 Brands is 23.1% (37.9% for active domains only), while for Japan Top 50 Brands, it remains a mere 4.8% (13.1% even for active domains only). Even for ".jp (Japan)", the country-code top-level domain assigned to Japan, the appropriate rate for Japan Top 50 Brands is 14.0%, compared to 30.0% for Global Top 50 Brands, showing a gap of more than double.

**2. Japanese Companies Account for Approximately 88.8% of Brands with Zero Appropriate Rate Across All Surveyed Domains**

Of the total 100 companies surveyed, 3 global brands and 6 domestic brands had a zero appropriate rate, meaning no SPF/DMARC settings were configured for any of their domains. Moreover, 2 of these 3 global brands are Japanese companies, indicating that even leading Japanese corporations have insufficient security management systems for global expansion. The eight Japanese companies include leading major corporations in sectors such as information communication, automotive, electronics, medical devices, and food, which suggests a delay in domestic countermeasures.

**3. Dormant Domains are the Biggest Blind Spot. 2,518 Domains in Japan are Completely Unprotected**

The appropriate rate for inactive (dormant) domains without an A record (※3) is only 1.3% in Japan. 2,518 domains are left completely unprotected, posing an extremely high risk of being exploited by attackers as a stepping stone for spoofing.

(※3) A Record (Address Record)
A setting that converts a domain name into a numerical IP address and specifies the destination for communication. It functions like an "address book" on the internet, indicating which server to connect to for displaying websites or sending/receiving emails. It is fundamental to all domain operations and an indispensable element for authentication technologies like SPF to function correctly.

**4. Global Highest Standard Achieved 96.4% Appropriate Rate for Active Domains**

Globally, there are brands that have achieved an appropriate rate of 96.4% for active domains by implementing "zero tolerance management," which thoroughly enforces "SPF: -all" (all rejection) and "DMARC: p=reject" (complete rejection) for their domains. This allows them to almost completely block spoofing emails impersonating their brand and protect their customers and business partners.

**5. European TLDs Dominate the Top Ranks**

In terms of TLDs (active), European ccTLDs occupy the top positions. This is a result of strict EU cybersecurity regulations promoting corporate countermeasures.

## Discussion and Recommendations

This survey has clearly demonstrated the serious delay in spoofing email countermeasures among major Japanese brands. While the appropriate rate for Global Top 50 Brands is 23.1%, for Japan Top 50 Brands, it remains a mere 4.8%, resulting in a significant gap of approximately 4.8 times.

The background to this disparity is likely that while regulations in Europe have legal force encouraging higher levels of countermeasures, Japan lacks similar legal requirements, leaving companies heavily reliant on voluntary efforts.

However, phishing damage that impersonates brand names not only causes direct financial and informational losses to consumers and business partners but also poses a serious management risk that can undermine the trust in brands built over many years. Email security must no longer be viewed solely as an IT department issue, but rather as a "management responsibility" to protect the brand.

GMO Brand Security proposes the following countermeasures to protect brand value and trust:

**1. Early Enforcement of "Rejection Settings" for SPF/DMARC:** We recommend promptly setting "SPF: v=spf1 -all (rejection)" and "DMARC: p=reject (reject) or p=quarantine (isolate)" not only for active domains with A records but also for non-email domains and dormant domains. Dormant domains, in particular, are prone to being overlooked in management and are often used as a springboard for cyberattacks, thus requiring action without exception.

**2. Continuous Monitoring via DMARC Reports:** DMARC implementation is not a one-time task; it is crucial to establish a system for reliably receiving DMARC reports and to continuously monitor and analyze for any unauthorized domain usage by third parties.

**3. Visualization of Trustworthiness through BIMI and VMC Implementation:** In addition to proper DMARC operation, we recommend adopting "Brand Indicators for Message Identification" (BIMI), a standard that displays corporate logos in the recipient's inbox, and acquiring "Verified Mark Certificates" (VMC) to prove logo authenticity. This will not only improve email visibility and open rates but also clearly differentiate from spoofing emails, visually conveying brand trustworthiness.
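
For the monitoring described in recommendation 2, the following is an added example (not GMO Brand Security's tooling) that reads a DMARC aggregate report in the RFC 7489 XML layout and totals the messages per sending IP that failed both SPF and DKIM. The report is a constructed sample, and the function name and the no-namespace assumption are the example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IP ranges, .example domains).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>brand.example</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>37</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def unauthenticated_sources(report_xml):
    """Return (domain, {source_ip: messages}) for rows failing DKIM and SPF.

    Assumes the <feedback> element carries no XML namespace. Reports come
    from third parties, so parse them with a hardened XML parser in production.
    """
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    failing = Counter()
    for row in root.iterfind("record/row"):
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes if either aligned check passes, so a forwarded message
        # (SPF fail, DKIM pass) is not counted as unauthorized use.
        if dkim != "pass" and spf != "pass":
            failing[row.findtext("source_ip")] += int(row.findtext("count", "0"))
    return domain, dict(failing)

if __name__ == "__main__":
    domain, sources = unauthenticated_sources(SAMPLE_REPORT)
    for ip, messages in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"{domain}: {messages} unauthenticated messages from {ip}")
```
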

## Survey Overview

* **Survey Period:** Tuesday, March 10, 2026
* **Survey conducted by:** GMO Brand Security, Inc.
* **Data Source:** Interbrand Best Global Brands 2025 / Best Japan Brands 2025
* **Survey Target:** Total of 7,600 domains owned by Global Top 50 Brands and Japan Top 50 Brands
* **Number of TLDs surveyed:** 76 types (7 legacy gTLDs, 22 new gTLDs, 16 major ccTLDs, 9 Southeast Asian ccTLDs, 11 Middle Eastern ccTLDs, 11 generalized ccTLDs)
* **Survey Method:** Public DNS (Google: 8.8.8.8 / Cloudflare: 1.1.1.1) was used to investigate and aggregate public DNS information.
* **Judgment Criteria:** The criteria for an "appropriate" state were SPF: v=spf1 -all (rejection) and DMARC: p=reject (reject) or p=quarantine (isolate).
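
The judgment criteria above, written as a checker: an added example, not the survey's own tooling. TXT record values are passed in as strings (constructed samples) so it runs without DNS access; the function names are assumptions, as is reading "SPF: -all" as "the `all` mechanism carries the `-` qualifier".

```python
# Added example: classify domains against the survey's "appropriate" criteria.
QUALIFIERS = "+-~?"

def spf_all_qualifier(txt_records):
    """Qualifier of the SPF `all` mechanism, or None if no usable SPF policy."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: none, or more than one, means no valid policy
        return None
    for term in spf[0].lower().split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return qualifier
    return None  # no `all` term (redirect= is not followed in this offline example)

def dmarc_policy(txt_records):
    """Value of the DMARC p= tag from the _dmarc TXT records, or None."""
    found = []
    for record in txt_records:
        tags = [t.split("=", 1) for t in record.split(";") if "=" in t]
        tags = [(k.strip().lower(), v.strip()) for k, v in tags]
        if tags[:1] == [("v", "DMARC1")]:  # version tag must come first
            found.append(dict(tags))
    if len(found) != 1:
        return None
    p = found[0].get("p", "").lower()
    return p if p in ("none", "quarantine", "reject") else None

def classify(spf_txt, dmarc_txt):
    """Apply the survey's judgment criteria to one domain's TXT records."""
    q, p = spf_all_qualifier(spf_txt), dmarc_policy(dmarc_txt)
    return {"spf_all": q, "dmarc_p": p,
            "appropriate": q == "-" and p in ("reject", "quarantine")}

# Constructed sample data: (TXT at the domain, TXT at _dmarc.<domain>)
SAMPLES = {
    "parked.example": (["v=spf1 -all"], ["v=DMARC1; p=reject"]),
    "shop.example": (["v=spf1 include:_spf.mail.example ~all"],
                     ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"]),
    "dormant.example": ([], []),  # no records at all: spoofable
    "brand.example": (["site-verification=constructed",
                       "v=spf1 ip4:192.0.2.0/24 -all"],
                      ["v=DMARC1; p=quarantine"]),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(name, classify(spf_txt, dmarc_txt))
```
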

## Background of the Survey

In recent years, with the surge in business email compromises impersonating business partners and executives, and phishing scams targeting personal information and credit card details, spoofing emails that exploit corporate/brand domains and trustworthiness are causing severe damage to business partners and consumers. The internationally emphasized countermeasure for this is the combination of domain authentication technologies "SPF" and "DMARC."

SPF is a system that detects illegitimate senders by registering the sender's IP address in advance, but it only gains practical effectiveness in "actually blocking spoofing emails" when combined with DMARC (p=reject/quarantine). While SPF alone can "detect fraud," it cannot "block" it, making its combination with DMARC essential. Notably, even for "non-email domains" or "dormant domains" that do not send or receive emails, if SPF/DMARC are not configured, it is technically possible for third parties to impersonate that domain and send emails.

This survey visualized the configuration status of domains owned by major global and domestic brands, clarifying the current situation and challenges in countermeasures against spoofing emails.

## Detailed Survey Results

**1. Comparison of Key Indicators: Global vs. Domestic**

**2. Countermeasure Status of Japanese Brands**

Among the Japan Top 50 Brands, countermeasures are progressing, particularly among brands in apparel, e-commerce, manufacturing, insurance, and precision machinery. On the other hand, 6 companies (12% of 50 Japanese companies), including well-known large corporations in automotive, electronics, telecommunications, and finance, had a zero appropriate rate across all surveyed domains.

**3. Countermeasure Status of Global Brands**

Among the Global Top 50 Brands, countermeasures are advancing, with a focus on brands operating major digital services such as e-commerce platforms, search engines, and video streaming.

Brands achieving high appropriate rates for active domains include Amazon at 96.4% and Google at 89.7%. While "zero tolerance management," which thoroughly enforces "SPF -all" (all rejection) and "DMARC p=reject" (complete rejection) across all domains, is the global target standard, even well-known global brands still have cases where 60-70% of their domains are unaddressed, indicating that comprehensive countermeasures remain a challenge regardless of industry or region.

**4. European Regulations (GDPR & NIS2 Directive) Drive Global Brand Countermeasure Levels**

In terms of TLD appropriate rates, European ccTLDs such as .fr (56.0%), .es (44.0%), .de (44.0%), and .it (44.0%) rank high. This clearly illustrates how the EU's strict cybersecurity regulations (GDPR & NIS2 Directive) are legally compelling the promotion of email authentication settings.

(※4) GDPR (General Data Protection Regulation)
A strict set of regulations aimed at protecting the personal data of individuals within the EU. It imposes severe restrictions on the processing and transfer of personal data and carries heavy penalties for violations. Japanese companies handling data of EU residents are also subject to it, making it an international standard for privacy protection in global operations.

(※5) NIS2 Directive (Network and Information Security Directive 2)
A new legal framework to raise the overall cybersecurity level across the EU. It significantly expands the scope of previous regulations, imposing advanced risk management and reporting obligations not only on energy and finance but also on critical sectors like manufacturing and distribution. It emphasizes the security of the entire supply chain, requiring related companies to take strong measures.

## About GMO Brand Security, Inc.
(URL: https://brandsecurity.gmo)

Under the slogan "Security for all brands," GMO Brand Security provides monitoring services and rights enforcement support, primarily online, for brand infringement risks. The company also offers support for acquiring and managing trademarks and domain names, which are prerequisites for rights enforcement, guiding brands to a secure and safe state in a one-stop solution.

As of August 2025, approximately 2,000 companies, including leading global companies in Japan, are utilizing the services provided by GMO Brand Security.

End of Report

**Contact for Inquiries Regarding Services:**
● GMO Brand Security, Inc., Sales & Marketing Division, Marketing Department, Fujita
TEL: 03-5784-1069

**GMO Brand Security, Inc.** (URL: https://brandsecurity.gmo)
Location: Cerulean Tower, 26-1 Sakuragaokacho, Shibuya-ku, Tokyo
Representative Director: Mitsuaki Nakagawa
Business Description: ■ Consulting support for building corporate brands
■ Domain registration, renewal, and optimization management
■ Domain name rights holder/usage status investigation and risk countermeasures
■ Brand protection such as trademark registration support
■ Trademark rights holder/usage status investigation and risk countermeasures
■ Risk countermeasures including counterfeit product/site monitoring
■ Brand TLD registration and utilization support
Capital: 100 million yen

**GMO Internet Group, Inc.** (URL: https://group.gmo/)
Company Name: GMO Internet Group, Inc. (TSE Prime Market, Securities Code: 9449)
Location: Cerulean Tower, 26-1 Sakuragaokacho, Shibuya-ku, Tokyo
Representative: Group Representative, Masatoshi Kumagai
Business Description: Holding company (Group Management Function)
■ Group Business Activities
Internet Infrastructure Business
Internet Security Business
Internet Advertising & Media Business
Internet Financial Business
Cryptoasset Business
Capital: 5 billion yen
