In 2025, Proofpoint assessed the email fraud preparedness of leading banks across the UAE, Saudi Arabia, Oman, Qatar, Bahrain, and Kuwait. Despite notable progress in email security protocols during 2024, the study revealed a concerning decline in the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC implementation among GCC banks dropped from 96% in the previous year to just 77% in 2025—potentially exposing customers to increased risks of phishing and other forms of email-based fraud.
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
Proofpoint’s study shows that almost a quarter (23%) of the top financial institutions in the GCC are taking no steps to protect against misuse of their domain in email fraud, which means that transactional emails, including password resets, appointment reminders, and more, are at risk. Furthermore, only 60% are implementing the strictest level of DMARC protection (reject) in 2025 compared to 71% in 2024, meaning 40% are not proactively protecting customers against email impersonation and fraud.
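The three levels correspond to the `p=none`, `p=quarantine` and `p=reject` values in the TXT record a domain publishes at `_dmarc.<domain>`. The sketch below is an added example, not Proofpoint's methodology or tooling: it classifies already-fetched TXT answers into those levels and computes the two shares the study reports. The domains and records are constructed, the function names are hypothetical, and the `pct` and `sp` tags are not modelled.

```python
from collections import Counter

# DMARC "p" tag value -> the protection level named in the article.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def is_dmarc(record: str) -> bool:
    """A DMARC record must start with the tag v=DMARC1."""
    name, _, value = record.split(";")[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"

def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records: list) -> str:
    """Classify the TXT answers returned for _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        return "invalid"  # RFC 7489: with several records, none is applied
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in LEVELS:
        return LEVELS[policy]
    # RFC 7489 6.6.3: a missing or bad p tag is treated as p=none if rua is present.
    return "monitor" if "rua" in tags else "invalid"

def adoption(domains: dict) -> dict:
    """Share of domains with a usable record, and share at reject."""
    counts = Counter(classify(records) for records in domains.values())
    usable = sum(counts[level] for level in LEVELS.values())
    return {"published_pct": round(100 * usable / len(domains)),
            "reject_pct": round(100 * counts["reject"] / len(domains))}

# Constructed sample data (hypothetical domains, not taken from the study).
SAMPLE = {
    "bank-a.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:d@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=quarantine"],
    "bank-c.example": ["v=DMARC1; p=none; rua=mailto:d@bank-c.example"],
    "bank-d.example": [],
    "bank-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    print(adoption(SAMPLE))
```

A domain that publishes two DMARC records, like the last sample entry, counts as unprotected here even though one of the records says `reject`.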
Emile Abou Saleh, Vice President, Northern Europe, Middle East, Turkey and Africa at Proofpoint, said: “We are witnessing a worrying trend this year as the number of financial institutions in the GCC with a published DMARC record has decreased, potentially exposing vast amounts of sensitive personal and financial data to cybercriminals. This lack of protection against email fraud is disconcerting given that there has been consistent improvement in DMARC performance among GCC banks over the past two years. However, it is never too late for banks to re-visit security protocols and protect their email traffic against phishing and other fraudulent activity.”
In 2024, Proofpoint’s research showed that 96% of GCC banks had published a DMARC record, while 71% had implemented the strictest and recommended level of DMARC protection (‘reject’). This was higher than in 2023, when 94% of GCC banks had published a DMARC record.
Banks that implement DMARC are better equipped to protect their customers, employees, and brand from email fraud. By safeguarding email traffic, they can ensure that legitimate email is properly authenticated and that fraudulent activity appearing to come from domains under the bank’s control is blocked before it reaches customers.











