Proofpoint released new research showing that two in five (41%) of Fortune 100 India companies are lagging behind on basic cybersecurity measures, which may subject customers, staff, and stakeholders to a higher risk of email-based impersonation attacks and fraud.
These findings are based on an analysis of the 2025 Fortune 100 India companies list and their implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC), a widely adopted email validation protocol. DMARC protects domain names from being misused by malicious actors by authenticating the sender’s identity before allowing an email to reach its intended destination. This authentication system helps detect and prevents domain spoofing – an email phishing technique used for business email compromise (BEC) and other email-based attacks. DMARC has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for helping prevent suspicious emails from reaching users’ inboxes.
Email remains one of the most frequent attack vectors, making robust email authentication a critical safeguard for customers, employees, and stakeholders against fraudulent communications. Official data from India’s Ministry of Home Affairs reveals a 24% surge in cybercrime in 2025, with authorities directly attributing the spike to increasingly sophisticated technology being weaponised for phishing and identity theft. Advanced AI tools are accelerating this further, enabling threat actors to automate sophisticated phishing campaigns and generate convincing impersonation lures at an unprecedented scale.
“India’s largest enterprises are among the most trusted names in the country’s digital economy, and that trust is precisely what makes them attractive targets for cybercriminals. While many have taken important steps to protect their email communication, too many still have gaps that attackers can exploit,” said Bikramdeep Singh, India Country Manager at Proofpoint. “In today’s threat landscape, where AI is enabling threat actors to impersonate trusted brands at a scale and speed we’ve never seen before, closing those gaps isn’t optional. Enforcing the strongest level of DMARC protection is one of the key safeguards an organisation can take to protect its customers, its reputation, and its people, and organisations should prioritise.”
The full findings of Proofpoint’s 2026 DMARC analysis of Fortune 100 India companies show:
– 41% currently do not enforce the recommended strictest “Reject” policy level in their DMARC implementation.
– 97% implement some form of email authentication, yet the DMARC policy levels deployed vary as follows:
-
- 59% use DMARC – Reject (the highest level of protection)
- 32% use DMARC – Quarantine
- 6% use DMARC – Monitor