Once every quarter, we sit and review the technical and security measures we have taken for our clients and what may prove useful to them with in that realm.  Our CEO took over the administrative tasks for our managed clients long time ago.  It started with simple domain management, and then adding records got added.  Major part of that is the email related records: SPF, DKIM and DMARC.

After a long talk with our CEO, and amongst our security team, we decided to write up a set of email security take aways, to dos, and don’ts for anyone interested.

Key Takeaways

  • Partial Implementation Is the Problem, Not Ignorance: The Gap Is No Longer About Awareness.
  • All Three Required authentication protocols must be implemented: SPF, DKIM, and DMARC must work together as a system.
  • Third-Party Sender Sprawl Is the Most Underestimated Risk
  • DMARC Monitoring Is a Starting Point, Not a Destination
  • Arts Organizations Carry Compounded Risk. Multiple platforms, limited IT resources, legacy systems, and leadership that frames email security as an IT maintenance task rather than a governance issue — that combination makes cultural institutions especially vulnerable.
  • Leadership Has to Own This.

What Organizations Still Get Wrong, and Why Arts Institutions Are Especially Exposed

Email security has reached a strange point in 2026. Most organizations know the vocabulary. They have heard of SPF, DKIM, and DMARC. They know phishing is still a problem. They know impersonation attacks have not gone away. They know inbox providers have become stricter. And yet many organizations are still running email environments that are only partially protected, poorly aligned, or never fully enforced.

For years, organizations could get away with loose configurations and fragmented oversight. An SPF record might be in place, but not maintained. DKIM might be enabled in one platform and missing in another. DMARC might exist, but only in monitoring mode, where it reports problems without stopping any of them. That kind of patchwork approach used to create inconvenience. Today, it creates risk.

Google’s Sender Policy Framework requires all mailers to use SPF or DKIM. Bulk senders must implement SPF, DKIM, and DMARC. Google considers anyone who sends more than 5,000 messages to personal Gmail accounts a bulk sender. It monitors compliance using Postmaster Tools. Yahoo’s sender guidance is similar: bulk senders need to authenticate using SPF, DKIM, and a DMARC policy.
Email is central to almost every critical workflow in an art organization: marketing, sales, billing, customer service, fundraising, HR, operations, and vendor communication all depend on it. Poor authentication impacts deliverability and security. When controls are weak, hackers can impersonate brands, block messages, or damage trust. SPF, DKIM, and DMARC have moved from best practices to essentials for modern email operations.
phishing email is exposed due to good email security

The New Email Reality: Partial Protection No Longer Holds Up

Many leaders believe partial solutions are enough. However, half-measures do not provide real protection and can leave your organization vulnerable. Complete implementation is needed to safeguard operations and reputation.
An SPF record can be published by a company, and the work can be assumed to be done. DKIM may be enabled in Microsoft 365, yet it is absent on other platforms. The DMARC record policy of publication with “p=none” can be mistaken for compliance. These controls do not offer much actual protection when controls are not aligned or are in monitoring mode. Most organizations aim to look good rather than to be effective at eradicating security threats.
A December 2025 expert review showed that organizations are still playing catch-up in email security, and even those with some form of security in place are being reactive rather than taking an active, vigilant stance.  Authentication’s importance is clear due to inbox provider requirements. Half-measures are no longer enough; full implementation is essential.

Why Organizations Still Get Email Security Wrong

The first—and most urgent—reason is sprawl. A vast majority of organizations use multiple email systems. These form the core of their platform: marketing software, CRMs, HR system, invoicing software, event software, support desks, form builders, fundraising system, and vendors. Every tool contributes to the domain’s email footprint and must align with it. They underestimate this until the time they implement DMARC. Only at this point do they see the extent to which their domain is used by multiple systems.
The second failure that warrants urgency: DMARC has not been properly understood. The monitoring mode helps identify unknown senders, misaligned systems, and the breakdown of legacy infrastructure. Monitoring alone is insufficient to prevent abuse or block spoofed messages. Neither does it give receiving systems instructions to quarantine or reject unauthorized mail. It is the same as leaving your door open and putting a camera over it.
A third, pressing danger is technical sloppiness. SPF is still a common cause of simple errors. Domains should have only one valid SPF record, not several conflicting ones. DNS lookup limits mean that adding vendors over time can break validation. This is a frequent cause of authentication failure.
DKIM is also being mishandled in other ways. Organizations may assume it is enabled based on what vendors have said, but the keys may not be published correctly. Selectors may also be old, or the signing domain may not match the visible domain. This can lead to confusion, as you may assume controls are in place when a proper check has not been performed.
There is also the third-party problem,which is one of the primary causes of the failure of mature email environments. The establishment can have a clean domain on the base platform, yet have newsletters, reminders, receipts, event announcements, support updates, and automated transactions sent by the various departments at different times. Unless these platforms are perfectly matched, this gives a way to deliver problems as well as abuse. I am correct in noting that your documents describe third-party alignment as an operational requirement and not a cleanup step.
The last big failure is organizational, not technical. Leadership still frames email security as just IT maintenance. That is why security gets ignored, delayed, or left unfinished. But email authentication is about identity control. It determines whether attackers can convincingly impersonate your organization. This is about governance, not just infrastructure.

What Real Improvement Looks Like

The first step is a complete sender inventory. The inventory must account for every sender—no exceptions. This includes the core mail platform, marketing tools, CRM, support desk, payroll notices, invoicing tools, donor systems, ticketing, event systems, vendors, consultants, and agencies. If a system can send using the domain, put it in the inventory. This is the foundation for all later steps. You cannot enforce safety if half the environment is invisible.
The second step is cleaning up SPF. Organize documents when necessary. Remove stale includes. Check, look up, and verify the record against those of the existing senders. Unless we keep even old-fashioned vendors and forgotten services. The untidy SPF record is not a minor defect. It commonly causes authentication failures and makes troubleshooting difficult.
The third step is validating DKIM for every legitimate sender. Publish public keys correctly. Selectors must match the format used by the sending platform. The signing domain should support DMARC alignment. Test this with real results, not just by trusting admin toggles.
The fourth step is to move DMARC from visibility to enforcement. Do not set “p=reject” immediately. Instead, use reports to find legitimate senders, fix alignment, retire or re-authorize older systems, and move through policy stages. Only tolerate unauthorized mail until enforcement is ready. This is when email authentication becomes real protection.
The fifth step is ongoing oversight. Email environments change. Teams add new tools. Vendors update or leave. Campaigns launch. Consultants get access. Old systems may still linger. Google’s guidance even offers compliance dashboards for senders, since controls must be maintained. Your notes agree: automation and visibility matter because changes happen faster than most teams document them.
Once the basics are set, organizations can add BIMI (Brand Indicators for Message Identification). Yahoo points out that BIMI should be seen as a result of strong authentication, not its replacement. BIMI lets authenticated brands display their logos in supported inboxes. But it depends on DMARC and strong identity control. It is a layer of visual trust that sits atop the technical foundation.

Why Arts Organizations Are More Exposed Than They Think

Arts organizations are at higher risk because, while handling sensitive data and essential workflows, they often do not treat email security as a core governance matter. The combination of multiple platforms, resource constraints, and misplaced trust makes their vulnerability very real and acute. This underlines why closing the gap between knowing and doing is both urgent and essential in these institutions.
Cultural organizations are not exempt because they are mission-driven or nonprofit. They are vulnerable because they have limited resources, use legacy systems, and rely on misplaced trust. A strong example is the Miniatur Wunderland incident in Hamburg. Cybernews reported in November 2025 that the museum disclosed a cyberattack tied to its online ticket shop. The cyber attack resulted from a phishing email, and according to the report, attackers may have accessed credit card data entered for online orders placed between June 6 and October 29, 2025, after the order page was allegedly compromised and data may have been transmitted to a separate server. The museum warned affected visitors that misuse of the exposed data could lead to unauthorized card transactions or identity theft.
That example matters because it shows how cyber risk in the arts often appears through ordinary public-facing systems, not just in dramatic ransomware headlines. Ticketing, online booking, donor transactions, event communication, and audience messaging all sit close to revenue and trust. Once an institution has a breach, payment incident, or public disclosure event, a weak email environment becomes even more dangerous. A fake follow-up notice, spoofed support response, fraudulent donation appeal, or false payment update becomes more believable precisely because the institution has already been associated with a real incident.
This is the part arts organizations cannot afford to miss. Email authentication is not only about deliverability. It is about whether audiences, patrons, donors, vendors, and staff can trust the messages that arrive under the institution’s name.

What Arts Institutions Need To Do Now

First, leadership needs to own the issue. Not necessarily by handling DNS directly, but by treating email security as a strategic responsibility. Someone at the leadership level should know what domains are active, which systems send from them, what the DMARC posture looks like, and what the enforcement roadmap is. If no one in leadership can answer those questions, the institution is taking on blind risk.
Second, arts organizations need a full sending audit throughout departments. Fundraising, marketing, development, ticketing, education, finance, HR, membership, patron services, and outside consultants must all be included. In many institutions, the biggest risks are not hidden because they are sophisticated. They are hidden because no one pulled all the systems into a single map.
Third, they need to separate critical mail streams operationally. Transactional email, donor development, marketing campaigns, event reminders, finance workflows, and internal administrative communications should not all blur together. The clearer the boundaries, the easier it is to align senders, troubleshoot failures, and minimize damage when something breaks.
Fourth, they need to protect subdomains and campaign domains with the same seriousness as the primary domain. Seasonal campaigns, support addresses, event microsites, and fundraising subdomains still carry the institution’s brand authority. If they are left loosely governed, they become easy targets for spoofing and abuse. Your notes correctly identify neglected subdomains as one of the easiest attack zones to miss.
Fifth, they need to move beyond permanent observation. Monitoring is an ongoing process, not a final stop. Once legitimate senders are aligned, enforcement must follow. That is the point where the institution stops merely watching abuse and starts reducing it.
And finally, arts organizations need process discipline alongside technical controls. CISA’s guidance continues to recommend SPF, DKIM, and DMARC to reduce phishing and spoofing risk, but it also stresses broader anti-phishing discipline. That matters because even a well-authenticated domain still exists inside a world of social engineering, payment fraud, and human error. Staff handling donor relations, finance, payroll, vendor changes, and executive requests should never rely solely on email trust.

Conclusion: The Choice in Front of Organizations Now

Email authentication in 2026 is not a technical debate. The standards are settled, the requirements are published, and the consequences of ignoring them are documented. Most organizations are aware of these standards, but they just have not approached it properly.  SPF without DKIM, DMARC stuck in monitoring mode, third-party senders going unnoticed: these half-measures create the illusion of security while leaving domains wide open to spoofing and impersonation.
Art and cultural organizations are at even greater risk, as they have many platforms, operate with limited resources, and rarely consider email security a major concern. A partial implementation of standards is doomed to fail.
The institutions that treat email security as a finished IT project will keep absorbing the cost of deliverability failures, impersonation risk, patron confusion, and the compounding reputational damage that follows a spoofing incident or public breach disclosure.
The organizations that treat it as an ongoing governance responsibility — mapping every sender, enforcing policy, auditing subdomains, and keeping leadership informed — will protect something that takes years to build and very little time to lose.
Patron trust is the operating currency of every arts organization. Email is one of the primary channels through which that trust is either reinforced or eroded. The technical controls exist. The path forward is clear.
The only question left is whether the institution follows through.