GMO Brand Security Research: State of Email Security Among Universities in Japan
—Only 4.1% of 338 Domestic Universities have "SPF/DMARC" appropriately configured to block spoofed emails—
GMO Brand Security Inc. (President and COO: Mitsuaki Nakagawa; hereinafter “GMO Brand Security”), a member of the GMO Internet Group, has conducted a survey on the implementation status of SPF (*1) and DMARC (*2)—key technologies for preventing email spoofing. The survey analyzed domains owned by 338 universities in Japan (85 national, 93 public, and 160 private universities).
The survey revealed that only 4.1% of the 338 universities achieved an "appropriate" configuration, where both SPF and DMARC are properly enabled. This level is consistent with the 4.8% "appropriateness rate" among Japan’s Top 50 brands reported by GMO Brand Security in April 2026 (*3), highlighting a significant lag in email security measures within Japanese educational institutions.
Domains not classified as "appropriate" are in a vulnerable state due to missing or incorrect SPF/DMARC settings. These domains are considered "high-risk," as they allow malicious actors to easily send spoofed emails using the university’s name.
(*1) SPF (Sender Policy Framework): A technology that publishes, in advance, the IP addresses of authorized sending servers so that receivers can determine whether an email originated from a legitimate source. While relatively easy to implement, its weakness is that authentication often fails when emails are forwarded.
(*2) DMARC (Domain-based Message Authentication, Reporting, and Conformance): A mechanism that allows senders to instruct receiving servers on how to handle emails that fail SPF or DKIM authentication. It has three policy levels: "none" (monitoring only), "quarantine" (isolation), and "reject" (rejection), and serves as the cornerstone of spoofing prevention.
(*3) GMO Brand Security Research: State of Email Security Among Leading Brands https://brandsecurity.gmo/news/post/post-20260406/
For further details, please refer to the link below (Japanese): https://brandsecurity.gmo/news/post/post-20260518/
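To make notes (*1) and (*2) concrete, the following added example (not GMO Brand Security's survey code) parses a domain's SPF and DMARC TXT records and grades them. The grading criteria, the labels "enforcing", "weak" and "missing", the function names and the sample records are assumptions made for illustration; the survey's own definition of "appropriate" is not given on this page.

```python
# Added example: grade published SPF and DMARC TXT records offline.
# Grading criteria are assumptions, not the survey's methodology.

def parse_spf(txt_records):
    """Return the qualifier of the SPF 'all' term, or None if SPF is unusable."""
    spf = [r for r in txt_records if (r.lower().split() or [""])[0] == "v=spf1"]
    if len(spf) != 1:      # RFC 7208: no record = no SPF, several = permerror
        return None
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"  # bare "all" means "+all"
    return "?"             # no 'all' term: neutral (redirect= is not followed)

def parse_dmarc(txt_records):
    """Return the DMARC policy ('none', 'quarantine', 'reject'), or None."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    return policy if policy in ("none", "quarantine", "reject") else None

def grade(spf_txt, dmarc_txt):
    """Assumed criteria: SPF must end in -all or ~all, DMARC must enforce."""
    spf_all, policy = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    if spf_all is None or policy is None:
        return "missing"
    if spf_all in ("-", "~") and policy in ("quarantine", "reject"):
        return "enforcing"
    return "weak"          # e.g. p=none (monitoring only) or SPF "+all"

SAMPLES = {  # constructed records (TXT at the domain, TXT at _dmarc.<domain>)
    "a.example": (["v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=reject"]),
    "b.example": (["v=spf1 include:_spf.b.example ~all"], ["v=DMARC1; p=none"]),
    "c.example": (["v=spf1 +all"], ["v=DMARC1; p=quarantine"]),
    "d.example": (["v=spf1 mx -all"], []),
}

def survey(samples):
    return {domain: grade(*records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, result in survey(SAMPLES).items():
        print(f"{domain}: {result}")
```

Against live domains, the two record lists would come from TXT lookups on the domain itself and on `_dmarc.<domain>`.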