Email SPOOF Scams and Crimes are so easy, so why are we not protected from SPOOF?

I have been sitting on some research that has perplexed me and whilst discussing next steps with an associate today he recommended reaching out to you.
Email scams can hurt people whether online or combined with offline activities. e.g. using a police email address for gain, a bank email for a phishing expedition  or faking an invoice etc
There is no reason for an email domain to be used anymore in an illegitimate / unauthorized manner ever again. For sometime more than 80% of email users globally have had the ability to be protected from SPOOF scams and crime. DMARC is a free solution that the US, UK, Canada, Portugal and other governments have mandated. 
The research that started in 2016 and concluded in May this year and wasn't really an "aha" moment until the City of Melbourne Parking SCAM where 2 months in a row citizens got scammed and the then Mayor said that the council were covered as they had all of the protection possible in place. I made an assumption they were DMARC safe until I actually checked - if you run their domain through this checker you will see: also run and whatever else - and
So I looked at it objectively and began market research - see attachment summary (it's a release to the Law Firms we are working with in most of the mandated countries. The frightening thing was 23 Councils of approximately 570 around Australia have tried to protect the community from SPOOF but only 1 (I believe by accident) actually does. The top stock exchanges are even worse. 
What was even more of a surprise was Coles and Woolworth's. Between the two of them I would guesstimate they have just about every family on one of their rewards programs (I have check all of their domains again today including and So it was bank time, the most prolific and easiest targets. Notably ( this authentication was sponsored by banks.

This brings me back to the Australian Gov.

During my research (my research and Govt email trail is here) I had a conversation in 2016 with ACMA. I bought to their attention that the July 2016 DSD recommendation for DMARC checking was for inbound email only and ACMA are responsible for outbound as the authentication (DMARC) is a two way provision. I guess it was a yes minister moment. As was the ACCC call June 14 this year.
They run a website called SCAM Watch which at the time advised email could not be assured or protected. I called to make them aware this was factually incorrect. I also made them aware that the ACCC was also not protecting citizens. That day a search was done (we trap NO private data) on and both failing. Perhaps this link may put the defense search in context.
Some final observations: Gmail (Gsuite) and Microsoft have both deployed mechanisms for their customers to implement a DMARC check. That means if used by anyone they can restrict email from reaching them that is not compliant.
The ridiculousness of this is that with the US Government  mandating this standard in effect 2019 (plenty of press via search or here:  it is plausible (unlikely) that The PM's emails won't get through to the President.

Pin It on Pinterest