• X
  • Facebook
  • LinkedIn

News

GMO Brand Security Research: State of Email Security Among Universities and Junior Colleges in Japan

—Survey of 1,103 institutions nationwide reveals only 5.3% have effective "SPF/DMARC" configuration to block spoofed emails; just 4 institutions (0.4%) have adopted BIMI—

  • News
  • Share
    • X
    • Facebook
    • LinkedIn

GMO Brand Security Inc. (President and COO: Mitsuaki Nakagawa; hereinafter "GMO Brand Security"), a member of the GMO Internet Group, has conducted a survey on the implementation status of SPF (*1), DMARC (*2), and BIMI (*3)—key technologies for preventing email spoofing. The survey analyzed domains owned by 1,103 institutions across Japan, including national, public, and private universities as well as junior colleges.

The survey revealed that only 5.3% (58 institutions) of the 1,103 institutions surveyed are operating with an effective DMARC configuration (p=quarantine or p=reject) alongside SPF. Consistent with GMO Brand Security's previous survey of 338 major domestic universities published in April 2026 (*4), these findings once again highlight a significant lag in email security measures across Japanese educational institutions. Furthermore, only 0.4% (4 institutions) have adopted BIMI—a technology that displays a brand logo to visually verify the legitimacy of an email—indicating that challenges remain in brand protection and trust-building for universities.

GMOブランドセキュリティによる全国1103大学・短大のメールセキュリティ調査 SPF/DMARC/BIMI導入率を調査

*(1) SPF (Sender Policy Framework): A technology that pre-publishes the IP addresses of authorized sending servers to verify whether an email originated from a legitimate source. While relatively easy to implement, it has a weakness in that authentication often fails when emails are forwarded.

*(2) DMARC (Domain-based Message Authentication, Reporting, and Conformance): A mechanism that allows senders to instruct receiving servers on how to handle emails that fail SPF or DKIM authentication. It operates at three policy levels—"none" (monitoring only), "quarantine" (isolation), and "reject" (rejection)—and serves as the cornerstone of email spoofing prevention.

*(3) BIMI (Brand Indicators for Message Identification): A technology that works in conjunction with DMARC to display a sender's organizational logo in the recipient's email client, providing a visual indicator of email legitimacy.

*(4) GMO Brand Security Research: State of Email Security Among Universities in Japan: https://staging-dot-astro-www.brandsecurity.gmo/en/news/post/post-20260518/

For further details, please refer to the link below (Japanese): https://brandsecurity.gmo/news/post/post-20260629/

Go to news list

GMO Spoofing ZERO