By Excello Mail Team

Cloudflare Analyzed 450 Million Emails: 46% Failed DMARC — and That Is Not Even the Biggest Problem

Cloudflare's 2026 Threat Report examined 450 million emails and found nearly half failed DMARC, with 18% of all inbound mail classified as spoofing attempts. But the more alarming trend is attackers routing phishing through Amazon SES and SendGrid — services that pass every authentication check by design.

Cloudflare published its 2026 Threat Intelligence Report in March, and the email security chapter deserves more attention than it received in the broader coverage of the report. The headline finding that nation-state actors and cybercriminals are shifting from breaking into systems to simply logging in with stolen credentials is real and well-documented. What got less coverage is how those credentials are being stolen in the first place — and what the authentication data behind 450 million analyzed emails reveals about the state of email security across the internet.

What 450 Million Emails Look Like When You Actually Check

Cloudflare’s security research team analyzed 450 million emails and checked each one against the three core email authentication protocols. The results are a direct measurement of how much of the email ecosystem is running without basic protections in place.

Forty-six percent of those emails failed DMARC authentication. Forty-three percent failed SPF checks. Forty-four percent lacked valid DKIM signatures. These are not fringe cases or spam-folder noise. These are emails traversing production infrastructure, arriving at real inboxes, being read by real recipients.

Separately, Cloudflare found that 18.11% of all inbound mail at Cloudflare-protected mailboxes in Q1 2026 was classified as a spoof attempt — roughly one in every five and a half messages. The overwhelming majority of those spoofing attempts fail when DMARC enforcement is in place. The problem is enforcement: as the EasyDMARC 2026 Adoption Report found, more than half of domains with DMARC records are still sitting at p=none, a policy that monitors but blocks nothing.

The math is uncomfortable. If 18% of email is spoofing attempts, and more than half of DMARC-enabled domains are not blocking anything, the number of spoofed messages actually reaching inboxes is very large.

The Credential Economy Behind the Numbers

Cloudflare’s report frames the broader threat landscape around what it calls the shift from “breaking in” to “logging in.” The data is striking: 63% of all logins observed by Cloudflare involved credentials that were already compromised and available in prior breach datasets. Ninety-four percent of all login attempts originate from bots operating at scale.

This is not a coincidence. Credential theft and email phishing are directly linked. The phishing campaigns detected in email are almost always the upstream cause of the credential theft measured in login attempts. Someone receives a convincing email, enters their username and password on a fake login page, and those credentials join a database that will be used in automated login attempts against every major service that account might touch.

DMARC enforcement disrupts the domain-spoofing path to credential theft — when an attacker cannot convincingly impersonate your domain, the phishing email becomes less effective. But Cloudflare’s report also documents a technique that sidesteps DMARC entirely, and it is growing fast.

The Trusted Infrastructure Problem

Amazon Simple Email Service is built to send authenticated email at scale. It publishes SPF records, signs messages with DKIM, and operates under DMARC policies that pass verification at every major mailbox provider. That is the entire point of the service — reliable, authenticated email delivery.

Cloudflare’s threat intelligence team, along with researchers at Securelist, documented a significant uptick in phishing campaigns in early 2026 that route their messages through Amazon SES. The attackers are not exploiting a vulnerability. They are using the service as designed, having acquired access to it through compromised AWS accounts, purchased access in underground markets, or by creating accounts using stolen identities.

The result: phishing emails arrive at recipients with valid SPF records, valid DKIM signatures, and DMARC results showing pass. Every technical authentication check confirms that the message came from exactly where it says it did — an Amazon SES sending endpoint. The sending domain may be a registered lookalike, a recently purchased aged domain, or even a compromised legitimate domain with its MX and sending configuration redirected. The authentication all checks out.

SendGrid, the other major cloud email delivery platform, has been the subject of similar abuse. Ironscales researchers documented a campaign in 2025 where attackers used compromised SendGrid customer accounts to send phishing at scale, with every message carrying the legitimate authentication headers that SendGrid generates for its customers. The phishing passed SPF, DKIM, and DMARC checks because it was genuinely coming from SendGrid.

The most common lure observed in Amazon SES abuse in early 2026 involved fake electronic signature notifications — emails impersonating DocuSign, Adobe Sign, and similar services, asking recipients to click a link to review and sign a document. Finance departments were targeted with fabricated invoice threads, complete with PDF attachments containing forged payment details. No malicious URLs in the body, no attachments triggering antivirus signatures. Just an authenticated email and a PDF.

Business Email Compromise and the Financial Impact

The Business Email Compromise numbers in Cloudflare’s report put a dollar figure on what these campaigns cost organizations. Cloudflare intercepted over $123 million in BEC financial theft attempts in 2025. The average individual BEC attempt sat at approximately $49,225.

That average is not accidental. Cloudflare’s researchers note it reflects deliberate calibration by the fraudsters operating these campaigns. Wire transfers below $50,000 frequently fall below the threshold that triggers executive-level approval or additional verification requirements. Attackers have studied the approval workflows of their targets and tuned their requests to slip beneath the manual review layer.

The BEC campaigns running through legitimate cloud email infrastructure are particularly effective precisely because they arrive authenticated. A finance employee who checks whether an email “looks legitimate” and sees valid SPF, DKIM, and DMARC status is receiving a misleading signal: the authentication confirms the message came from where it claims, not that the claim itself is honest.

What DMARC Stops and What It Does Not

The data from Cloudflare’s report illustrates both sides of what DMARC enforcement provides.

Against the 18% of email that is spoofing attempts targeting domains with DMARC records at p=quarantine or p=reject, DMARC enforcement works: those messages are blocked or sent to spam before they reach the inbox. That protection is substantial. Domain spoofing is cheap, scalable, and a major component of phishing volume. Eliminating it from the threat surface your recipients face is meaningful protection.

Against the Amazon SES and SendGrid abuse documented in the Cloudflare report, DMARC enforcement at the receiving domain has no effect on whether the message is delivered. The message passes DMARC because it was sent through infrastructure that authenticates correctly. The authentication protocol correctly identifies the message as coming from where it says it came from. The problem is that where it says it came from is a phishing operation using legitimate infrastructure.

This distinction is important to understand because it is sometimes used as an argument against DMARC. It should not be. The appropriate conclusion is that DMARC is a necessary layer of defense that eliminates domain spoofing, and that it needs to be combined with layers that address threats it is not designed to stop.

The Impersonation Target List

Cloudflare’s report identified the brands most frequently impersonated in phishing campaigns observed on its network: Windows, SANS, Microsoft, Stripe, and Facebook led the list. The pattern reflects where attackers expect their targets to have accounts and where credential theft yields the most downstream value.

Microsoft credentials give access to email, SharePoint, Teams, and the full Microsoft 365 environment. Stripe credentials may give access to payment processing. Windows-branded lures typically target employees, with the implication of IT-related urgency driving clicks. The sophistication of the lure varies by target, but the goal is consistent: acquire a username and password that will work somewhere that matters.

Building Defenses That Account for Trusted Infrastructure Abuse

The emergence of trusted-infrastructure phishing does not make DMARC less important. It makes the full security stack more important.

Enforce DMARC at p=reject on your own domain. This eliminates the domain-spoofing attack path entirely. Any phishing campaign that tries to impersonate your domain gets blocked at every receiving mail server running DMARC validation. That covers the majority of volume-based spoofing campaigns.

Use DMARC aggregate reports actively. The aggregate reports generated by your DMARC record are a continuous feed of who is sending mail in your domain’s name. If an attacker has registered a lookalike domain and is spoofing from it, the activity often surfaces in aggregate report data before it is detected anywhere else. This requires actually reading the reports, which is where most organizations fall short.

Recognize that sender authentication and sender identity are different things. Authentication verifies that a message came from where it claims. It does not verify that the sender should be trusted. A phishing email sent through Amazon SES comes from Amazon SES. That is accurate. It does not come from DocuSign. These are different statements, and the second one is where the deception lives.

Apply additional scrutiny to messages from cloud email infrastructure. Some advanced email security platforms now flag messages sent through high-volume cloud delivery services when the sending domain is new, has no reputation history, or does not match the brand being invoked in the message body. This layer of analysis targets exactly the trusted-infrastructure abuse pattern.
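A minimal version of that brand-mismatch check, as an added example rather than any vendor's detection logic. It narrows the idea to one signal: a message whose DMARC verdict is pass while the brand named in the From display name does not belong to the From domain. The allowlist, the sample message and its domains are constructed for illustration, and domain age or reputation lookups are left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative, incomplete allowlist: brand keyword -> domains that brand sends from.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"},
                 "adobe sign": {"adobe.com", "adobesign.com"}}

# Constructed sample: authenticates cleanly, yet the display name invokes a brand
# that has no relation to the (placeholder) From domain.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce.docs-review.example;
 dkim=pass header.d=docs-review.example; dmarc=pass header.from=docs-review.example
From: "DocuSign via Secure Portal" <noreply@docs-review.example>
Subject: Please review and sign: Invoice_4471.pdf

Body omitted.
"""

def dmarc_result(msg):
    """Return the dmarc= verdict from the topmost Authentication-Results header."""
    # Trust only the header your own MTA added; inbound copies can be forged.
    header = msg.get("Authentication-Results", "")
    found = re.search(r"\bdmarc=(\w+)", header)
    return found.group(1).lower() if found else "none"

def domain_in(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw_message):
    """Flag mail that passes DMARC while claiming a brand its From domain does not own."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    mismatch = [b for b in claimed if not domain_in(domain, BRAND_DOMAINS[b])]
    verdict = dmarc_result(msg)
    return {"dmarc": verdict, "from_domain": domain, "brand_mismatch": mismatch,
            "authenticated_impersonation": verdict == "pass" and bool(mismatch)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```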

BIMI provides recipients with a visual verification anchor. A BIMI-enabled inbox displays the verified logo of a sender who has completed DMARC enforcement and third-party Verified Mark Certificate (VMC) verification. Recipients can see at a glance that a message from your domain came from you. Phishing campaigns that impersonate your brand using a different domain or a cloud email relay do not carry your verified logo, which gives recipients a concrete visual signal that something is wrong.

Train recipients on the specific mechanics of trusted-infrastructure phishing. The primary defense against an attack that passes every technical filter is a recipient who pauses before clicking. Training that focuses specifically on how authenticated phishing works — explaining that a valid authentication result does not mean the email is legitimate — addresses the gap that technical controls leave open.

The Larger Pattern

Cloudflare’s 2026 report documents 230 billion threats blocked per day across its network. Email is one vector among many. But it remains the primary initial access vector for credential theft campaigns that then feed the login-based attack patterns the report emphasizes.

The 450-million-email analysis Cloudflare published is a snapshot of an email ecosystem where nearly half of all messages are either failing authentication or carrying authentication that serves as cover for malicious content. Improving that picture requires both sides of the response: more domains enforcing DMARC to eliminate the spoofing traffic, and more layered detection capability to catch the authenticated phishing that DMARC is not designed to stop.

Neither capability alone is sufficient. Together, they address the two largest categories of email-based threat that Cloudflare’s data documents.

