By Excello Mail Team

93% of Global Airlines Cannot Stop Email Fraud – and Summer Travel Season Just Started

Proofpoint examined 296 IATA member airlines. 61% have no DMARC record. 93% have not implemented enforcement. As peak summer travel begins, your airline is almost certainly not blocking fake booking confirmations sent in its name.

Peak summer travel season is underway. Hundreds of millions of travelers will book flights, check confirmations, respond to upgrade offers, and receive baggage notifications over the coming weeks. Every one of those emails is a surface that attackers can exploit – and the airline industry has done less to protect that surface than almost any other major sector.

Proofpoint’s analysis of the 296 member airlines of the International Air Transport Association (IATA) found that 61 percent have no published DMARC record at all – the foundational DNS record that lets receiving mail servers verify whether an email claiming to come from an airline’s domain was actually sent by that airline.

The enforcement picture is worse. Of the airlines that do have a DMARC record, most have set their policy to p=none, which instructs receiving servers to take no action on unauthorized mail and merely report it. At the strictest enforcement level, p=reject, only 7 percent of global airlines are actively blocking fraudulent emails from reaching passengers’ inboxes. 93 percent are not.

What an Attacker Can Do With an Unenforced Domain

When an airline domain lacks DMARC enforcement, an attacker can send an email that appears to come from that airline’s exact address and it will pass directly into the recipient’s inbox – indistinguishable from a genuine communication.

The attack scenarios are specific and high-value:

Fake booking confirmations. After a traveler books a real flight, an attacker can send a spoofed “payment failed” or “booking requires confirmation” message from the airline’s domain. The traveler, expecting email from that carrier, clicks through and provides payment credentials to a fraudulent site.

Fraudulent cancellation notices. Spoofed cancellation or rebooking emails create urgency that drives travelers to act quickly, often without verifying the source. These messages are especially effective during peak travel periods, when flight changes are common and travelers are anxious about disruption.

Loyalty program theft. Frequent flyer accounts are high-value targets. Spoofed “verify your account” or “unusual activity detected” emails from airline domains are used to capture credentials and drain accumulated miles.

Ancillary upsells. Travelers are accustomed to receiving seat upgrade and early boarding offers from airlines. A spoofed email offering a paid upgrade is difficult to distinguish from a legitimate communication when it arrives from the airline’s actual sending domain.

The Regional Breakdown

The Proofpoint analysis found that DMARC enforcement gaps exist across every region, but the severity varies considerably.

China and North Asia has the lowest DMARC adoption among IATA member regions: 85 percent of carriers in that region have no DMARC record at all, and 100 percent have not implemented p=reject – meaning zero airlines in that region are actively blocking fraudulent email sent in their name.

Europe and Middle East & Africa each have 93 percent of carriers without p=reject enforcement. APAC and The Americas are marginally better at 89 percent without enforcement – though “marginally better” is a difficult term to use when the figure still means the overwhelming majority of airlines in those regions are not protecting their domains at the strictest level.

One detail worth noting: IATA itself – the industry organization – has implemented a full p=reject policy. The association whose members collectively represent 82 percent of global air traffic has the right protection in place. Its members, as a group, do not.

The Summer Context Is Not Incidental

Airlines send more email during peak travel season than at any other time of year. Booking volumes are elevated. Flight change notifications are frequent. Travelers are receiving communications from multiple carriers, hotels, car rental companies, and insurance providers simultaneously – creating exactly the noisy environment in which a spoofed email is hardest to spot.

Researchers tracking travel-related fraud documented a 340 percent surge in vacation booking fraud in 2026. Survey data found that 38 percent of travelers say they have encountered a travel-related scam – and of those who did, 41 percent lost money, with nearly half losing $500 or more.

The FBI issued a dedicated summer 2026 travel fraud warning specifically citing spoofed airline and hotel booking confirmation emails as the primary delivery mechanism for travel-related phishing campaigns. The mechanism the FBI describes – receiving an email that appears to come from an airline, containing a link to a fraudulent payment or verification page – is exactly what DMARC enforcement at p=reject is designed to prevent at the server level.

Why Airlines Specifically Struggle With DMARC

Airlines operate some of the most complex email sending environments of any industry. A major carrier typically has dozens of authorized senders: the core reservation and loyalty platform, third-party flight status notification services, co-branded credit card communications, travel agency partner mailings, and operational alerts from codeshare partner carriers.

This complexity makes the SPF alignment and DKIM signing that DMARC relies on harder to deploy correctly across every authorized sender. A major airline’s SPF record is often already close to SPF’s limit of 10 DNS lookups per evaluation, and ensuring every sending system has properly configured DKIM requires coordinated effort across multiple vendor relationships simultaneously.
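To make the lookup budget concrete, here is an added example (not from the Proofpoint analysis or any airline's real DNS) that counts the DNS-querying terms in an SPF record, following nested includes. The zone contents and every domain name are constructed, and the counter ignores the separate void-lookup and per-MX limits.

```python
# Constructed sample zone: domain -> SPF TXT record. All names are hypothetical.
ZONE = {
    "airline.example": "v=spf1 mx a include:_spf.reservations.example "
                       "include:_spf.loyalty.example include:_spf.flightstatus.example "
                       "include:_spf.cobrand-card.example ~all",
    "_spf.reservations.example": "v=spf1 include:_spf-a.reservations.example "
                                 "include:_spf-b.reservations.example ~all",
    "_spf-a.reservations.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_spf-b.reservations.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.loyalty.example": "v=spf1 ip4:198.51.100.0/24 a:mail.loyalty.example ~all",
    "_spf.flightstatus.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf.cobrand-card.example": "v=spf1 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:203.0.113.128/25 mx ~all",
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # ip4/ip6/all cost nothing


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms reached while evaluating `domain`'s SPF record."""
    if domain in path:  # include loop: stop descending instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name not in LOOKUP_MECHANISMS:
            continue
        total += 1
        if name == "include" and arg:
            total += count_spf_lookups(arg, zone, path + (domain,))
    return total


def spf_budget(domain, zone):
    """Return (lookups used, 'ok' or 'permerror') for a domain's SPF record."""
    used = count_spf_lookups(domain, zone)
    return used, "permerror" if used > SPF_LOOKUP_LIMIT else "ok"
```

In this constructed zone the fourth vendor include takes the record from 8 lookups to 11, which a receiver treats as a permanent SPF error for every sender on the domain.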

That complexity is a real challenge for enforcement. It does not explain the 61 percent of airlines that have no DMARC record at all.

A p=none policy – the starting point that provides reporting without affecting mail flow – requires a single DNS TXT record and zero changes to existing email infrastructure. Publishing p=none turns a domain from invisible to monitored. It does not block any mail. It does not require coordination with every ESP or notification vendor. It is the minimal step, and nearly two-thirds of IATA member airlines have not taken it.
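The two figures this article cites (no record, and not at p=reject) come down to how the TXT records at `_dmarc.<domain>` parse. The following added example, which is not Proofpoint's methodology or Excello Mail's code, classifies already-fetched TXT strings by enforcement level; the carrier names, records and level labels are constructed for illustration.

```python
# Constructed sample: domain -> TXT strings found at _dmarc.<domain> (hypothetical names).
SAMPLE = {
    "carrier-a.example": [],
    "carrier-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@carrier-b.example"],
    "carrier-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "carrier-d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@carrier-d.example"],
    "carrier-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "carrier-f.example": ["v=DMARC1; p=reject; pct=50"],
}


def parse_dmarc(txt_records):
    """Return the tag dict of the single DMARC record, or None if unusable."""
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(candidates) != 1:  # RFC 7489: zero or several records means no policy applies
        return None
    tags = {}
    for part in candidates[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_level(txt_records):
    """Classify as no-record, invalid, monitor-only, partial or reject."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # pct defaults to 100 when absent
    if policy == "none":
        return "monitor-only"  # reports only, mail flow untouched
    if policy == "reject" and pct == 100:
        return "reject"
    return "partial"  # quarantine, or reject applied to a sample of mail


def survey(sample):
    """Return (domains with no usable record, domains not at full reject, total)."""
    levels = [enforcement_level(records) for records in sample.values()]
    no_record = levels.count("no-record")
    not_reject = sum(1 for level in levels if level != "reject")
    return no_record, not_reject, len(levels)
```

Note that `carrier-e.example` counts as having no record: publishing two DMARC records leaves receivers with no policy to apply, even though one of them says p=reject.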

DMARC as Passenger Protection

Most DMARC discussions frame the standard from the domain owner’s perspective: it prevents your domain from being used to attack others. That framing is accurate but incomplete.

For travelers, DMARC enforcement at p=reject on the airline’s domain means that a spoofed booking confirmation cannot reach them – not because their mail client flagged it, but because the receiving server rejected it at the SMTP level before it entered their inbox. The protection operates upstream of the recipient entirely.

When an airline does not enforce DMARC, that protection does not exist. Whether a message claiming to come from the airline is genuine or fraudulent is a question the receiving mail server cannot authoritatively answer. Fraudsters who understand DMARC enforcement patterns target the unenforced domains precisely because the absence of a p=reject policy guarantees their spoofed messages a clear path to the inbox.

The 93 percent figure is not an industry in progress toward protection. It is an industry that has, in the aggregate, not yet decided that protecting the email channel used by its customers is a priority. Summer travel season is the period when the cost of that decision falls most directly on passengers.

