Proofpoint Analysis: Only 8% of SGX 200 Companies Actively Block Fraudulent Emails; More Than Half Lack Any Email Authentication Protocol

Financial Loss

Out of the SGX 200 companies surveyed, 52% are vulnerable to email fraud and domain spoofing

SINGAPORE – 26 April 2023 –  Proofpoint, Inc., a leading cybersecurity and compliance company, today announced that only 8% of SGX 200 companies have adopted the highest recommended level of Domain-based Message Authentication, Reporting, and Conformance (DMARC) protection to effectively block suspicious emails. While this is an overall improvement over what was reported during the same period in 2022 (5% of SGX 200 companies), the lack of DMARC protection among Singapore’s top companies is a cause for concern.

According to Proofpoint’s analysis, over half (52%) of the top 200 companies listed on the Singapore Exchange (SGX) have yet to implement any necessary email authentication protocols, which leaves their customers, partners, and employees at an increased risk of being targeted by email fraud, domain spoofing, as well as business email compromise (BEC).

This lack of email authentication protocols could explain why Proofpoint’s recently released State of the Phish 2023 report found that 72% of Singaporean organisations experienced at least one successful email-based phishing attack in 2022, with nearly half (46%) reporting direct financial losses as a result.

“Safeguarding sensitive data is paramount in today’s digital world. As email remains the primary communication channel for organisations in this era of hybrid work, it is critical that organisations adopt strict DMARC protocols to prevent financial loss, reputational damage, and erosion of customer trust,” said Phillip Sow, Manager, Systems Engineering, South East Asia and Korea at Proofpoint. “To put it simply, DMARC acts as the ultimate stoplight for email traffic by enabling organisations to identify and block potentially harmful emails before they reach the inbox. Implementing DMARC will make all the difference between keeping your company, clients, and partners safe from supply chain attacks and email fraud or leaving them vulnerable to such threats.”

While Singapore (48%) fares better than the regional average of 40% in terms of having some level of DMARC protocol, the country ranks fourth out of 10 countries1 analysed across the region, lagging Australia (82%), Malaysia (58%), and Indonesia (51%).

“DMARC protection is an ongoing process, not a one-time solution, that requires continuous monitoring and adjustment. By collaborating with a reliable security partner, an organisation can keep its DMARC policies up to date and ensure they are protecting against the latest email threats," concluded Sow.

What is DMARC?

DMARC is an open email authentication protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing the message to reach its intended recipient. Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:

  1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
  2. Quarantine (directs unqualified emails to go to the junk or spam folder).
  3. Reject (highest level of protection-blocks unqualified emails from getting to the recipient).

The full findings of Proofpoint’s DMARC analysis of the SGX 200 show:

  • 92% of companies currently do not enforce the recommended strictest level of DMARC, while 52% of companies do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
  • 48% of companies have some form of DMARC adoption in place, though these policy levels differ:
    • 8% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.
    • 17% have DMARC – Quarantine which directs unqualified emails to go to the recipient's junk or spam folder.
    • 23% have DMARC – Monitor which does not change the way inboxes receive emails, but instead lets senders collect information about their email sources.


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.


1Analysis comprised of the top companies from 10 countries, including Australia’s ASX 200, Hong Kong’s HKEX 200, Indonesia’s IDX 200, Japan’s Nikkei 225, Korea’s KOSPI 200, Malaysia’s MYP 210, Philippines PSE 275, Singapore’s SGX 200, Thailand’s SET 200, Vietnam’s HOSE 200.