Nine days before the FIFA World Cup 2026 kicks off across the United States, Canada, and Mexico, a Proofpoint analysis has found that more than one-third of the tournament’s official partners do not have the email security controls in place to stop criminals from sending fraudulent email that impersonates their brands.
The finding matters far beyond football. The brands associated with this World Cup span airlines, automotive groups, financial infrastructure, energy companies, consumer goods giants, and technology providers. Collectively they send billions of legitimate emails to hundreds of millions of consumers and business partners. Where those domains are not fully protected, every one of those recipients becomes a potential target for a spoofed message designed to look exactly like the real thing.
What Proofpoint Found
Proofpoint analyzed the primary domains of 25 official FIFA World Cup 2026 sponsors, suppliers, partners, and supporters, looking at the DMARC records published in DNS. The results divide cleanly into three tiers.
64% of partner domains (16 of 25) have published a DMARC policy of p=reject. That is the only configuration that actively prevents spoofed email from reaching inboxes. When p=reject is enforced, a message claiming to come from that domain but failing authentication checks is rejected at the receiving mail server before it is ever delivered.
32% of partner domains (8 of 25) are operating at p=none or p=quarantine. These configurations allow visibility into authentication failures through aggregate reporting, but neither stops a spoofed message from being delivered in the way that p=reject does. p=none provides zero enforcement; p=quarantine routes failing messages to the spam folder in theory, but delivery behavior varies significantly across mail providers and the protection is far weaker than rejection.
At least one domain among the 25 analyzed had no DMARC record at all, meaning it published no authentication policy of any kind.
FIFA’s own domain carries a full p=reject policy. The tournament organizer has the strongest possible protection in place. The gap is concentrated among partners, the very brands whose names and logos consumers are most likely to encounter in ticketing, travel, and merchandise contexts throughout the tournament.
Why Major Sporting Events Are a Phishing Amplifier
Cybercriminals follow attention. A tournament that draws billions of viewers, generates hundreds of millions of ticket inquiries, hotel bookings, airline searches, merchandise purchases, and fan zone registrations provides an ideal backdrop for email fraud. Consumers and businesses are expecting email from sponsors and partners during a World Cup cycle. That expectation is the attack surface.
KnowBe4 researchers tracking World Cup-adjacent phishing infrastructure have already identified at least 79 sites impersonating the official FIFA web presence. Those sites are the destination; the emails from spoofed partner domains are the delivery mechanism.
The pattern is not new. Proofpoint and others ran equivalent analyses ahead of the Qatar 2022 World Cup and the Paris 2024 Olympics. In each case, a significant fraction of official partner domains lacked full DMARC enforcement, and in each tournament cycle, phishing campaigns exploiting those gaps ran at scale. The question for the 2026 cycle is not whether this will happen, it is whether partners close the gap before June 11 or leave it open for the duration of the tournament.
The Anatomy of a World Cup Email Attack
Consider what an attacker can do with a partner domain sitting at p=none.
A brand holding an official FIFA hospitality package sends confirmation emails to clients attending matches. An attacker spoofs that brand’s domain, drafting a message that matches the visual style and tone of the authentic hospitality communications, and sends it to a list of high-value business contacts. The message contains a link to a lookalike site that harvests credentials or payment card details. Because p=none places no restriction on who can send using that domain, the spoofed message passes through receiving mail servers without authentication checks intervening.
Or consider the consumer-facing version: a sponsor offers a World Cup ticket promotion. An attacker clones the landing page, spoofs the sponsor’s domain in the From: header, and runs a mass campaign targeting fans who expressed interest in tickets. Tens of thousands of people receive a message that looks exactly like a legitimate promotion from a brand they recognize and trust.
Neither attack requires the attacker to compromise anything inside the target organization. The authentication gap in DNS is sufficient. And because neither the brand nor the consumer has any visibility into the spoofed traffic, campaigns can run for days or weeks before the pattern becomes apparent.
The 36% That Still Have Time to Act
The World Cup begins June 11. The gap between now and the opening match is real but narrow, and moving from an unprotected or partially protected configuration to p=reject on short timelines requires focused effort.
Organizations currently at p=none can begin by ensuring DMARC aggregate reports are being collected and reviewed. The RUA reports generated from an existing p=none policy show every source sending as the domain and the authentication result for each. That visibility is the prerequisite for enforcement. Without it, moving to p=quarantine or p=reject risks rejecting or quarantining legitimate email from sources that were never identified.
Partners who have already been collecting RUA data but have not moved to p=reject are typically blocked by one of three things: an unauthenticated third-party sender that has not been configured for DKIM, an SPF record that does not cover all sending infrastructure, or a legacy platform that requires a subdomain strategy rather than policy changes on the primary domain.
None of these blockers are insurmountable within a nine-day window for organizations with an existing DMARC monitoring baseline. The risk of leaving the gap open through a sixty-eight-day tournament that generates the scale of email traffic a World Cup drives is considerably larger than the short-term disruption risk of closing it.
DMARC Gaps in Event-Adjacent Domains Are a Structural Problem
The Proofpoint analysis covers official partners. The wider ecosystem of tournament-adjacent brands is considerably larger, and the dynamics of major event email security apply to every company that consumers associate with the competition.
Travel booking platforms, accommodation providers, merchandise resellers, media rights holders, betting operators, and the hundreds of brands that run World Cup themed campaigns in the weeks surrounding the tournament all become potential spoofing targets. A consumer who receives a message purporting to be from an airline offering World Cup travel deals or a betting company offering a free-bet promotion has no reliable way to distinguish a spoofed message from a legitimate one without DMARC enforcement on the sending domain.
The structural point that the FIFA partner analysis illustrates is simple: DMARC enforcement is not a complex or expensive control. It requires a DNS record. The challenge is not the technology. It is the operational discipline to identify every legitimate sending source, authenticate each one, and progress through monitoring to enforcement rather than stopping at p=none indefinitely.
When the brands most visible during the world’s largest sporting event do not apply that discipline to their own domains, they effectively invite criminals to use their reputations as attack infrastructure. The cost lands not on the brand’s email stack but on the fans and customers who trust them.
Your domain’s authentication posture is a DNS record away from clarity. Excello Mail reads your DMARC aggregate reports, maps every sending source against your SPF and DKIM alignment, and shows you exactly what stands between you and p=reject enforcement. Sign up free to Excello Mail and see your full authentication picture before the next campaign goes out.