Email authentication is no longer a nice-to-have. It is an essential safeguard for operations, partnerships, and reputations, says Al Iverson.

Email is the unsung workhorse of the manufacturing industry. It powers supply chain communications, vendor relationships, purchase orders, invoices, and internal coordination across global operations. Yet in a sector known for precision, resilience, and innovation, there’s a surprising Achilles’ heel: email security.

As manufacturing continues to digitise and connect, email has emerged not just as a tool, but as a target. Spoofing, phishing, and business email compromise (BEC) attacks are escalating. Cybercriminals are increasingly targeting industries that are perceived to be behind the curve in securing their domains.

The message is clear: it’s time for manufacturers to take email authentication seriously. That starts with DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Phishing Meets the Factory Floor

Email remains the top vector for cyberattacks across all sectors. The risks are especially serious for manufacturing organisations. These companies operate within complex global supply chains where timing is critical, trust is essential, and margins for error are razor-thin. A single spoofed invoice or fraudulent vendor message can delay production, disrupt logistics, or result in costly financial losses.

Today’s phishing campaigns, increasingly powered by AI, convincingly mimic legitimate senders. These emails replicate branding and formatting with alarming accuracy. They are highly targeted, carefully timed, and designed to blend in with the daily flood of business email.

Unfortunately, many manufacturers are underprepared for this level of threat.

DMARC adoption in manufacturing: A mixed picture

At Valimail, we track DMARC adoption and email authentication performance across thousands of leading global organisations, including those in key manufacturing sectors such as energy, industrial materials, consumer goods, and manufacturing-focused IT. In these segments, awareness of the need for strong email authentication is growing. But the data shows a significant gap between getting started and properly defending against email impersonation.

Many large manufacturers are aware of DMARC, which is a strong starting point. Indeed, about ninety-two percent of domains in our audit of the manufacturing sector have published a DMARC record.

This is a great start. But, awareness doesn’t fully translate to protection: We see that the current DMARC enforcement rate across the manufacturing segment is significantly lower, at only 60.6%.

This means: across all of the domains we monitored in manufacturing, just over sixty percent of them both have a DMARC record and that the policy for that DMARC record is quarantine or reject, ensuring that the domain is protected against phishing and spoofing. Which leaves just shy of forty percent of observed manufacturing domains unprotected.

There's a smaller, but still important, gap when it comes to DMARC monitoring and reporting. For just over five percent of manufacturing domains where DMARC is implemented, they are configured without any reporting. (They’ve published a DMARC record with no RUA tag.) Meaning that this group of companies has no way of knowing if their email domain is being spoofed, and no way to tell if all of their email messages sent are properly authenticated in line with modern email sender requirements.

The supply chain is only as secure as its weakest link

The complexity of manufacturing makes these risks even harder to manage. Many organisations operate dozens of domains and subdomains across business units, joint ventures, subsidiaries, and third-party platforms. Communications span multiple continents and are supported by marketing firms, logistics providers, finance software, and IT vendors.

Cybercriminals know this. They exploit these fragmented environments, often impersonating trusted vendors or internal staff to trick recipients into wiring funds or releasing sensitive information. One common tactic involves spoofing a supplier’s domain to send a fake invoice. The result can be significant: delayed shipments, operational disruption, or direct financial loss.

Without implementing DMARC at enforcement (meaning with a policy of “quarantine” or “reject”), these spoofed messages can appear to come from an organisation’s real domain and slip through security filters undetected.

Implementation gaps and organisational challenges

If DMARC is so effective, why haven’t more manufacturers fully embraced it?

The challenge often lies in internal coordination. Manufacturing firms large and small are likely to have decentralised IT operations or legacy infrastructure inherited through mergers and acquisitions. Each division or business unit might manage its own domain, email vendors, or authentication policies.

Defaulting to “p=none” is common: IT read that Yahoo, Google and Microsoft require that DMARC be implemented, a policy of “p=none” is good enough for them to “check the box” and move on, without pausing to consider security implications and lack of protection.

critical security gaps.

What manufacturers can do to protect themselves

Fortunately, improving email authentication is not as daunting as it may seem. Manufacturers across all subsegments can take practical, high-impact steps:

1. Upgrade your DMARC policy: move beyond “p=none.” Publishing a DMARC record is only the beginning. The real protection comes with a policy of “quarantine” or “reject”, which actively blocks unauthorised messages.

2. Implement reporting for visibility. DMARC reports (via RUA tags) allow organisations to understand who is sending on their behalf, whether authorised or not. Without this visibility, it’s impossible to spot abuse.

3. Audit configurations regularly. Domains expire and DNS records change over time. Marketing campaigns launch new platforms. Vendors rotate. Auditing domains and authentication settings is something that needs to happen with a regular cadence.

4. Align internal teams. Ensure your IT, security, compliance, and marketing stakeholders understand the shared responsibility for email authentication. Meet. Communicate. Collaborate.

5. Partner with experts. Managing DMARC at scale doesn’t have to be a manual process. Trusted vendors can automate policy enforcement, help interpret reports, and maintain compliance over time.

DMARC: A foundation of trust

DMARC remains one of the most effective, low-cost defenses against phishing and domain spoofing. It prevents impersonation, safeguards brand reputation, and protects partners and customers alike from fraudulent communications.

In verticals like Manufacturing, Information Technology and Healthcare, where brand trust and digital infrastructure are closely intertwined, a properly enforced DMARC policy reinforces both resilience and credibility.

As regulatory pressure and customer expectations around cybersecurity continue to rise, DMARC is becoming not just a best practice but a baseline.

Conclusion: Now is the time to act

Manufacturers across all subsegments face a growing wave of domain-based threats. Cybercriminals are actively probing for weak points, sending convincing emails that appear authentic, and exploiting the lack of enforcement in domain policies.

Email authentication is no longer a nice-to-have. It is an essential safeguard for operations, partnerships, and reputations. A well-configured DMARC policy stops impersonators, reveals misuse, and gives organisations the insight they need to protect their brands.

Because in manufacturing, every component matters—and that includes your email domain.

Al Iverson is Valimail’s Industry Research and Community Engagement Lead. He is also an email marketing, deliverability, and email authentication expert and the author of the blog Spam Resource.