Swiss organisations face a fast-changing email threat environment and mixed DMARC adoption. This brief explains the state of adoption across banks and major companies, links authentication to national reporting rules, and includes official Swiss statistics about phishing and reporting.
Adoption is uneven: 20% of the top 100 Swiss banks have DMARC set to p=reject, 19% use p=quarantine, 29% remain in p=none monitoring mode, 15% have faulty or incomplete records, and 17% have no DMARC record. Overall, 61% of the top banks lack effective enforcement or have problematic configurations. That leaves many bank domains exposed to impersonation and phishing risks.
Among the top 100 Swiss organisations by revenue, 44% have DMARC at p=reject, 10% use p=quarantine, 17% are at p=none, 17% have record issues, and 12% lack a DMARC record. While corporate adoption is better than the banking segment, nearly half still do not enforce DMARC and remain vulnerable to email-based attacks.
Phishing reports are high. According to Swiss authorities, users and organisations submitted 497,096 suspicious website reports through antiphishing.ch in the second half of 2024; authorities identified 9,355 unique phishing sites and took action. These numbers reflect a persistent and growing phishing problem that authentication can help mitigate.
Yes. From 1 April 2025, reporting of cyberattacks against critical infrastructure became mandatory under Swiss rules. Organisations operating in covered sectors must notify authorities of incidents, which increases the importance of quick detection and evidence collection—something better email visibility (via DMARC reporting) supports.
DMARC provides RUA/RUF reporting that reveals who is sending mail on a domain's behalf and which messages fail authentication—valuable evidence when reporting incidents. In environments with mandatory incident notifications, having DMARC visibility speeds detection and supports timely reporting. Strong DMARC policies also reduce the volume of successful phishing that can trigger reportable incidents.
We saw frequent SPF lookup-limit issues, malformed SPF records, and missing RUA addresses. These mistakes remove visibility into authentication outcomes or cause SPF to fail unexpectedly. Fixing syntax, reducing SPF complexity, and adding a working RUA address are straightforward first steps to gaining control of your email ecosystem.
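An added example (not Palisade's tooling) of how the two most common mistakes above can be checked offline: it counts the DNS-querying SPF terms across nested `include:` and `redirect=` records against the limit of 10 in RFC 7208, and sorts a DMARC record into the categories used in this brief while flagging a missing RUA address. The `ZONE` records, domain names and function names are constructed for illustration, and the counter is a simplification that counts terms only, not void lookups or per-MX name limits.

```python
import re

# Constructed TXT records for illustration (not real DNS data).
ZONE = {
    "example.ch": "v=spf1 include:_spf.mail.example include:crm.example mx a -all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.rbl.example ~all",
    "b.mail.example": "v=spf1 a mx ptr ~all",
    "crm.example": "v=spf1 a:out.crm.example mx redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.ch": "v=DMARC1; p=none",
}

# Terms that cost a DNS query during SPF evaluation (RFC 7208 section 4.6.4).
QUERY_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop, or no SPF record at this name
    total = 0
    for term in record.split()[1:]:
        match = QUERY_TERM.match(term)
        if match:
            total += 1
            if (match.group(1) or "redirect").lower() in ("include", "redirect"):
                target = re.split("[:=]", term, maxsplit=1)[1]
                total += spf_lookups(target, zone, path + (domain,))
    return total

def audit_dmarc(txt):
    """Return (category, has_rua) using the categories this brief reports."""
    if not txt:
        return ("no record", False)
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    lookup = dict(tags)
    has_rua = lookup.get("rua", "").lower().startswith("mailto:")
    policy = lookup.get("p", "").lower()
    # The v tag must come first; an unknown or absent p is treated as faulty here.
    if not tags or tags[0] != ("v", "DMARC1") or policy not in ("none", "quarantine", "reject"):
        return ("faulty", has_rua)
    return ("p=" + policy, has_rua)

if __name__ == "__main__":
    print(spf_lookups("example.ch", ZONE), audit_dmarc(ZONE["_dmarc.example.ch"]))
```

On the constructed zone, the top-level record shows only four query terms, but the nested includes push the total past the limit, which is why a record that looks short can still fail with a permanent error.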
Begin with a full inventory of sending domains and all authorised senders, publish a correct SPF record that includes authorised IPs, enable DKIM signing, and publish DMARC with p=none to collect reports. Use the reports to fix failures, then progress to p=quarantine and p=reject on a measured schedule. Test third‑party vendors and maintain continuous monitoring.
Not yet—Switzerland hasn’t required DMARC by law for a specific sector, but new reporting obligations and FINMA guidance increase the pressure to adopt it. Major mailbox providers’ requirements (Google, Microsoft, Apple, Yahoo) effectively force senders to implement authentication to protect deliverability and customers.
In practice, well-deployed DMARC can reduce illegitimate email traffic dramatically. For example, one large customer reported dropping illegitimate email from over 75% to under 5% after DMARC deployment and ongoing monitoring. Proper DKIM/SPF alignment and DMARC enforcement make spoofing far harder.
Palisade provides tools for scanning SPF, DKIM and DMARC, visualising RUA data, and managing enforcement safely. Use Palisade’s email security score to prioritise fixes and track progress: https://www.palisade.email/tools/email-security-score. Palisade offers consulting and managed services to accelerate deployment and keep you compliant.
Act immediately—high phishing volume and mandatory reporting increase both risk and regulatory exposure. Inventory senders, deploy DMARC reporting, and remediate failures as a priority.
Reporting obligations apply to critical infrastructure operators and specified sectors; smaller organisations outside those categories may not be required but still benefit from DMARC for protection and incident visibility.
Work with vendors to add DKIM or ensure their IPs are covered in your SPF; if that’s not possible, route sensitive mail through authorised services or stop using that vendor for critical communications.
No—DMARC reduces domain spoofing but does not stop all phishing (attacks can use lookalike domains or compromised accounts). DMARC should be one layer in a defence-in-depth strategy that includes user awareness, web blocking and threat intelligence.
Palisade offers deployment support, monitoring and managed services for DMARC, SPF and DKIM. Visit https://palisade.email/ to learn more and request assistance.