A sneak peek into DMARC adoption in Qatar

Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report

A sneak peek into DMARC adoption in Qatar

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-14920">
						<source src="https://media.mailhop.org/dmarcreport/images/2024/08/A-sneak-peek-into-DMARC-adoption-in-Qatar.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M57S">1:57</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-14920" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-14920" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-14920" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-14920" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/a-sneak-peek-into-dmarc-adoption-in-qatar/&t=A sneak peek into DMARC adoption in Qatar" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/a-sneak-peek-into-dmarc-adoption-in-qatar/&url=A sneak peek into DMARC adoption in Qatar" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2024/08/A-sneak-peek-into-DMARC-adoption-in-Qatar.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/a-sneak-peek-into-dmarc-adoption-in-qatar/" class="input-link input-link-14920" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-14920" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

/*! This file is auto-generated */ ’ title=“Embed Code” class=“input-embed input-embed-14920” readonly/>

					<button class="copy-embed copy-embed-14920" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

Looking into the first half of 2024, one of the most evident changes in email security has been major providers such as Gmail and Yahoo enforcing higher standards of authentication. Starting February 2024, these tech giants made **DMARC implementation a norm for organizations across the world that send more than 5,000 emails every day. And as expected, there were some countries that took this directive more seriously than others.

Qatar is one such country where organizations have been very proactive in adopting these new **email-sending policies in an attempt to mitigate the risk of impending cyberthreats. The nation’s stance on strengthening cybersecurity is so proactive that Qatar alone significantly contributes to making the Middle East a leader in DMARC deployments and positions itself at the very top of the list within the region.

While the rest of the world is still catching up with only 73% of organizations implementing DMARC , Qatar is leading the way

The surge of DMARC adoption in Qatar

Qatar tops the DMARC adoption charts among all Gulf Cooperation Council (GCC) countries. ThZis surge is driven by the country’s increasing focus on cybersecurity. Qatar understands that email is one of the most common vectors for phishing attacks and realizes that protecting its **digital infrastructure is very critical for any nation whose economy is in the growth phase and is committed to remodelling lives through digital transformation. Such a proactive approach not only reinforces Qatar’s position as a leader in the Middle East but also sets a benchmark for the rest of the world.

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

Apart from this, you should know that the DMARC adoption in Qatar has been accelerated even further due to **recent mandates by Google and Yahoo, which require organizations to deploy more concrete measures in email authentication. These latest email-sending requirements have pushed organizations to adhere to these standards so that their email ecosystem is secure and domains are safe from phishing and spoofing.

Another testament to the Middle East’s commitment to email security is the Saudi Arabian Monetary Authority (SAMA) cybersecurity framework. This framework has had a great focus on DMARC adoption as it’s instrumental in ensuring that security measures are rolled out swiftly and stringently across the region. This effort by SAMA has made a positive impact not just within Saudi Arabia but throughout the entire GCC region. These higher standards set by SAMA have driven organizations to enhance their security measures against email threats while at the same time ensuring compliance with global standards.

A breakdown of DMARC implementation across sectors

Although the cumulative DMARC implementation rate is the highest in Qatar, if you zoom in a little and examine specific industries, you will notice some variations. For instance, out of the 458 domains consisting of most businesses and organizations in Qatar, only 35.15% had DMARC records implemented correctly, while 63.75% had no DMARC record at all. Also, the media and entertainment, telecom, and transport sectors are at the lower end. Meanwhile, the **banking and government sectors have the highest rate of DMARC adoption, clearly showing that some sectors have a stronger commitment to email security than others.

In the education industry, 20% of domains had a DMARC policy set to ‘p=none,’ while 61.3% had no DMARC record at all. Even organizations in the healthcare sector are far behind, with 7% of domains having their DMARC policy set to ‘p=none,’ and the other 67.4% also lacking proper DMARC implementation.

Addressing the gaps

Despite the unprecedented progress in DMARC adoption across various sectors, organizations in Qatar are falling short of effectively bridging the gaps in their implementation. Most of them either haven’t adopted DMARC at all or have implemented it partially. This simply means their **sender domains remain open to phishing and spoofing attacks.

For organizations that have deployed DMARC, for the sake of it, the protection is compromised. The ‘p=none’ policy is a passive defense strategy that does nothing more than monitoring email traffic. Thus, it offers very little protection from email-based threats. For the 20.3% of the domains that have their DMARC configured at ‘p=none,’ it is important to move towards stricter policies. To get the most out of DMARC, you need to set your policies at ‘p=quarantine’ or ‘p=reject.’ These are stricter, more binding policies, making email much more secure along the entire email transfer path.

No matter where your business is operating from, one thing is clear, you need DMARC to safeguard your entire email ecosystem from malicious cyberthreats that are practically everywhere. Apart from the deadline (which was February 2024), the grave attacks that have been targeting email systems worldwide, **make a stronger case for prioritizing email authentication.

As they say, it’s never too late to start something new; this is your sign to jump on the DMARC bandwagon. Contact us to learn more about it!

Sources

• CISA Binding Operational Directive 18-01
• Microsoft Outlook DMARC Enforcement May 2025 (2025)
• PCI DSS v4.0 - DMARC Requirement (2025)
• RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)