When we talk about data protection, we usually think of privacy policies, consents or legal requirements. However, many security breaches start in a much simpler way: with an email that looks legitimate but is not. That is phishing.
Coinciding with the anniversary of the entry into force of the General Data Protection Regulation (GDPR), applicable from May 25, 2018, it is worth remembering that protecting personal information also means reinforcing one of the most used channels within any organization: email.
Companies receive dozens – or even hundreds – of emails every day. And cybercriminals know it. As a result, email phishing continues to be one of the most widely used techniques to deceive employees, customers and suppliers.
Email, one of the main entry doors
The attacker sends a message that appears to be legitimate, impersonating the identity of a brand, a manager, a banking entity or an official body, with the aim of committing financial fraud, distributing ransomware or stealing credentials and identity, among other crimes.
Added to these impacts is reputational damage: the brand image deteriorates and the impersonated company loses trust within its ecosystem of customers, suppliers and partners.
And it is not a threat reserved only for large companies. Any company can become a target.
A recent example took place in May 2026, when the Tax Agency warned about a phishing campaign that impersonated both the AEAT and the Ministry of Finance. The emails demanded an alleged payment for “international tax regularization” in cryptocurrencies, using technical language, an institutional appearance and urgent wording to pressure the victims. The AEAT itself had to issue a public reminder that it never requests payments through wallets or cryptocurrencies.
These types of campaigns demonstrate how phishing has evolved in recent years. It is no longer just about stealing passwords through a fake website, but about provoking immediate actions: making transfers, downloading malicious files or trusting apparently legitimate identities.
Protect the corporate domain to stop spoofing
A key part of protecting corporate email is to strengthen the security of the domain from which messages are sent. To do this, authentication mechanisms such as SPF, DKIM and DMARC are used, which allow a receiving server to verify whether an email has really been sent from authorized servers and whether it has been manipulated during its transit.
DMARC, in particular, allows you to define stricter validation policies on the use of the domain, relying on SPF and DKIM to verify the legitimacy of the messages sent. This ensures that only emails from authorized sources can be delivered correctly, reducing the risk of identity theft and domain abuse.
Simply put, SPF defines which servers can send emails on behalf of a domain; DKIM verifies the integrity of the message through a cryptographic signature; and DMARC tells the receiving server what to do with mail that fails both SPF and DKIM validation (monitor, quarantine or reject it).
Fran Mollá, Channel Account Manager of Sendmarc at Ontinet.com, explains that “protecting the corporate domain is a key piece within any cybersecurity and corporate brand positioning strategy. It not only prevents identity theft attacks, but also protects the trust of customers, employees and suppliers, making the Internet a safer place for everyone.
Enforcing strict DMARC policies on domains is comparable to protecting a corporate brand with insurance. Just as people purchase home or car insurance as a preventative measure, companies should implement robust DMARC policies on their domains to prevent identity theft and potential reputational damage.”
Mollá adds that “the recommendation is to review the correct configuration of the SPF and DKIM protocols in all sources that send mail from our domain, and apply DMARC progressively, that is, escalating towards stricter policies as it is guaranteed that all legitimate and authorized mail is correctly validated. In this way, high deliverability of legitimate mail is ensured, while mail that does not pass the authentication validations is rejected.”
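To make the SPF/DKIM/DMARC description and the progressive rollout concrete, here is an added example (not code from the article, Sendmarc or Ontinet.com) that parses a constructed DMARC record for a hypothetical domain, applies the alignment rules a receiving server uses to decide whether a message passes or gets the domain owner's policy, and steps the policy up the none / quarantine / reject ladder.

```python
from typing import Dict, Optional

# Constructed example record for a hypothetical domain (not taken from the article).
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com"

# The progressive rollout the article recommends: loosest to strictest policy.
POLICY_LADDER = ["none", "quarantine", "reject"]


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record into tag/value pairs, applying the relaxed-alignment defaults."""
    tags: Dict[str, str] = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_LADDER:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels. Real checks use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(policy: Dict[str, str], from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """What the receiver does: 'pass' if SPF or DKIM passes *and* aligns with the From: domain,
    otherwise the domain owner's policy (none / quarantine / reject)."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


def stricter_policy(current: str) -> Optional[str]:
    """Next step of the escalation; None once 'reject' is reached."""
    idx = POLICY_LADDER.index(current)
    return POLICY_LADDER[idx + 1] if idx + 1 < len(POLICY_LADDER) else None
```

The third case in the checks below is the one that bites during rollout: a signature from a subdomain MTA fails strict DKIM alignment, which is why the article recommends validating every legitimate sending source before moving to a stricter policy.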
