GMO Brand Security Survey Finds Over 95% of Japanese Universities Have Inadequate Email Security, Leaving Them at 'High Risk' for Spoofing
GMO Brand Security conducted an email security survey of 338 universities in Japan. The results revealed that only 4.1% have properly configured both SPF and DMARC, technologies essential for effectively preventing email spoofing. This figure is comparable to the low adoption rate among Japan's top brands, highlighting a significant delay in security measures within the educational sector. With 8% of universities found to be completely unprotected, the company urges immediate action, framing it as a management issue that risks damaging university brand and trust.
📋 Article Processing Timeline
- 📰 Published: May 18, 2026 at 22:30
- 🔍 Collected: May 18, 2026 at 14:01
- 🤖 AI Analyzed: May 20, 2026 at 05:23 (39h 22m after Collected)
GMO Brand Security Inc. (President and CEO: Mitsuaki Nakagawa), a member of the GMO Internet Group, has conducted a survey on the implementation of anti-email spoofing technologies SPF and DMARC across domains owned by 338 universities in Japan (85 national, 93 public, and 160 private).
The survey revealed that the percentage of universities with a 'proper' configuration, meaning both SPF and DMARC were effectively set up, was a mere 4.1% of the 338 institutions surveyed. This rate is on par with the 4.8% proper adoption rate among Japan's Top 50 brands, as reported by GMO Brand Security in April 2026, highlighting a significant lag in email security measures within Japan's educational institutions. Domains without a 'proper' setup are in a vulnerable state due to missing or incomplete SPF/DMARC settings, making them 'high-risk' and easily exploitable for sending spoofed emails under the university's name.
【Summary of Survey Results】
1. Proper adoption rate across 338 universities is 4.1%, a low level for national, public, and private institutions alike.
Only 14 universities have properly configured both SPF and DMARC, an extremely low figure regardless of university type.
2. Most DMARC implementations are 'monitoring only,' failing to block threats.
The rate for 'reject' (which blocks emails) is just 1.5%, and 'quarantine' is 2.7%. The majority use 'none (monitoring only),' which has no blocking effect. This exposes the fact that even universities that have adopted DMARC have not transitioned to effective settings.
3. 27 universities are completely defenseless, with neither SPF nor DMARC configured.
27 universities (8.0%) have no configuration for either SPF or DMARC, placing them at extremely high risk of their domains being exploited for phishing scams targeting students, parents, and business partners.
4. List of universities with confirmed effective settings (as of April 2026):
[National] Hokkaido University, Yamagata University, The University of Tokyo, Hitotsubashi University, Yokohama National University
[Public] Akita International University, Yokohama City University, Osaka Metropolitan University, University of Nagasaki
[Private] Gakushuin University, Shibaura Institute of Technology, Nihon University, Tamagawa University, Doshisha Women's College of Liberal Arts
【Analysis and Recommendations】
The survey clearly quantifies the serious delay in anti-spoofing measures at Japanese universities. While the SPF adoption rate is relatively high at 91.4%, the adoption rate for DMARC with effective blocking policies (reject/quarantine) is only 4.1%, showing a wide gap between formal adoption and actual effectiveness.
University domains are trusted and used daily by students, parents, prospective students, and research institutions. Malicious use of these domains for spoofing can lead not only to data breaches and financial loss but can also fundamentally undermine the university's brand and credibility. This is no longer just an issue for the IT department but a management issue that demands action as part of the university's social responsibility.
GMO Brand Security proposes the following measures:
1. Promptly strengthen DMARC policies: The 178 universities using 'none' are advised to move to 'quarantine' or 'reject' policies swiftly.
2. Immediate action for defenseless domains: The 27 universities with no settings are strongly urged to immediately implement at least 'SPF: v=spf1 -all' and 'DMARC: p=quarantine'.
3. Continuous monitoring with DMARC reports: It is crucial to establish a system for ongoing monitoring and analysis of fraudulent use by leveraging DMARC reports.
4. Visualize trust with BIMI adoption: With a proper DMARC setup, obtaining a Verified Mark Certificate (VMC) for BIMI can visually assure recipients of an email's legitimacy.
【Background of the Survey】
In recent years, phishing emails spoofing universities and targeted attacks on students and faculty have surged. While SPF detects unauthorized sources, it only becomes effective at 'blocking' spoofed emails when combined with DMARC. This survey aimed to visualize the current state of these measures at Japanese universities and clarify existing challenges.
The survey revealed that the percentage of universities with a 'proper' configuration, meaning both SPF and DMARC were effectively set up, was a mere 4.1% of the 338 institutions surveyed. This rate is on par with the 4.8% proper adoption rate among Japan's Top 50 brands, as reported by GMO Brand Security in April 2026, highlighting a significant lag in email security measures within Japan's educational institutions. Domains without a 'proper' setup are in a vulnerable state due to missing or incomplete SPF/DMARC settings, making them 'high-risk' and easily exploitable for sending spoofed emails under the university's name.
【Summary of Survey Results】
1. Proper adoption rate across 338 universities is 4.1%, a low level for national, public, and private institutions alike.
Only 14 universities have properly configured both SPF and DMARC, an extremely low figure regardless of university type.
2. Most DMARC implementations are 'monitoring only,' failing to block threats.
The rate for 'reject' (which blocks emails) is just 1.5%, and 'quarantine' is 2.7%. The majority use 'none (monitoring only),' which has no blocking effect. This exposes the fact that even universities that have adopted DMARC have not transitioned to effective settings.
3. 27 universities are completely defenseless, with neither SPF nor DMARC configured.
27 universities (8.0%) have no configuration for either SPF or DMARC, placing them at extremely high risk of their domains being exploited for phishing scams targeting students, parents, and business partners.
4. List of universities with confirmed effective settings (as of April 2026):
[National] Hokkaido University, Yamagata University, The University of Tokyo, Hitotsubashi University, Yokohama National University
[Public] Akita International University, Yokohama City University, Osaka Metropolitan University, University of Nagasaki
[Private] Gakushuin University, Shibaura Institute of Technology, Nihon University, Tamagawa University, Doshisha Women's College of Liberal Arts
【Analysis and Recommendations】
The survey clearly quantifies the serious delay in anti-spoofing measures at Japanese universities. While the SPF adoption rate is relatively high at 91.4%, the adoption rate for DMARC with effective blocking policies (reject/quarantine) is only 4.1%, showing a wide gap between formal adoption and actual effectiveness.
University domains are trusted and used daily by students, parents, prospective students, and research institutions. Malicious use of these domains for spoofing can lead not only to data breaches and financial loss but can also fundamentally undermine the university's brand and credibility. This is no longer just an issue for the IT department but a management issue that demands action as part of the university's social responsibility.
GMO Brand Security proposes the following measures:
1. Promptly strengthen DMARC policies: The 178 universities using 'none' are advised to move to 'quarantine' or 'reject' policies swiftly.
2. Immediate action for defenseless domains: The 27 universities with no settings are strongly urged to immediately implement at least 'SPF: v=spf1 -all' and 'DMARC: p=quarantine'.
3. Continuous monitoring with DMARC reports: It is crucial to establish a system for ongoing monitoring and analysis of fraudulent use by leveraging DMARC reports.
4. Visualize trust with BIMI adoption: With a proper DMARC setup, obtaining a Verified Mark Certificate (VMC) for BIMI can visually assure recipients of an email's legitimacy.
【Background of the Survey】
In recent years, phishing emails spoofing universities and targeted attacks on students and faculty have surged. While SPF detects unauthorized sources, it only becomes effective at 'blocking' spoofed emails when combined with DMARC. This survey aimed to visualize the current state of these measures at Japanese universities and clarify existing challenges.