Half of Major News Organizations Are Still Spoofable by Email
A spoofed email appearing to come from Reuters, CNN, or the New York Times is one of the highest-trust phishing assets available. Journalists, sources, PR contacts, and readers trust email from major news organizations by reflex. 14 of the 30 outlets we checked either have no DMARC, sit at p=none, or are at p=quarantine. Their sending domain can be impersonated right now.
The numbers
We checked 30 major news outlets in May 2026:
- 83% have a DMARC record (25/30)
- 53% at
p=reject(16/30) - 17% at
p=quarantine, partial enforcement (5/30) - 13% at
p=none, monitoring only, spoofed mail delivered (4/30) - 3% no DMARC record at all (1/30)
- 13% DNS timeout, inconclusive (4/30)
46.7% of the news outlets in this study aren't fully protecting their sending domain, well behind the broader DMARC adoption numbers we track across industries.
Who isn't enforcing
At p=quarantine: Wall Street Journal, Bloomberg (pct=25, meaning only 25% of failing messages are quarantined), The Economist, BuzzFeed News, Politico
At p=none: NBC News, CBS News, MSNBC, Hacker News (Y Combinator)
No DMARC record: ABC News (abcnews.go.com)
DNS timeout (inconclusive): New York Times, BBC, Forbes, The Verge
NBC News, CBS News, and MSNBC sharing the same enforcement status is worth noting: all three are NBCUniversal properties likely running on shared email infrastructure that hasn't been pushed through to p=reject. Three major broadcast networks, one unresolved sending platform.
Bloomberg's pct=25 means Bloomberg's DMARC policy only applies to 25% of failing messages. Three-quarters of spoofed Bloomberg email bypasses the policy entirely. For a financial news outlet whose reporting moves markets, that's a significant gap.
ABC News has no DMARC record at all on abcnews.go.com. Not p=none, not partial enforcement. No record..
Why news organization domains are high-value targets
Journalist impersonation. A phishing email appearing to come from an investigative journalist at a major outlet is credible to sources, executives, and government contacts. "I'm working on a story about your organization and wanted to reach out" is a standard opening. If the email comes from a domain at p=none, it will be delivered.
Reader trust at scale. News organizations send high volumes of newsletter and breaking-news email. Their subscribers are conditioned to open and click. Spoofed "breaking news alert" or "account security notice" emails from recognizable mastheads get high engagement because the brand has trained the behavior.
Disinformation. State actors and influence operations have clear incentive to impersonate credible news sources for targeted phishing against officials, journalists, and activists.
Why news media lags
News organizations have some of the most complex email infrastructure of any category. Editorial, marketing, newsletters, breaking news alerts, subscription management, paywalls, and partner syndication are all separate systems. Many major outlets absorbed dozens of publications with their own domains and sending setups through acquisitions. Central IT doesn't always control what the newsletters team does.
There's also no regulatory pressure equivalent to financial services. No media equivalent of PCI DSS asks whether CNN's sending domain can be spoofed.
The newsletter angle is worth noting: media companies that cover cybersecurity routinely report on phishing and email fraud without having enforced DMARC on their own domains. The coverage and the practice aren't always aligned.
What recipients can do
There isn't much. If an email comes from a domain at p=none and looks legitimate, receiving mail servers deliver it. The email authentication checker can tell you whether any domain you're about to receive email from is enforcing DMARC. If it isn't, the domain can be impersonated. If you run a domain yourself and want to know how exposed it is, our domain spoofability score grades exactly that, and is my domain being spoofed? walks through the warning signs.
Full media outlet results are at the DMARC adoption research page. The email authentication checker shows whether any publication's domain is enforcing.
