A limited data analysis suggests that many 2026 sponsors lack strict DMARC enforcement despite having basic email authentication in place…
Based on an analysis of public data supplied by sponsor domains* published in February 2026, a cybersecurity firm has shared some findings with the media regarding gaps in email authentication controls among organizations linked to the FIFA World Cup 2026 that could impact readiness against domain impersonation and email fraud risks.
The analysis reviewed 25 corporate domains listed as official sponsors, suppliers, partners, and supporters of the tournament scheduled between June 11 and July 19, 2026.
First, the analysis found that 24 of the 25 domains had published a Domain-based Message Authentication, Reporting and Conformance (DMARC) record at some level, indicating that most organizations in the sample had implemented basic email authentication measures against domain spoofing. Second, 16 domains, representing 64% percent of those analyzed — had applied a DMARC policy configured to “reject”, which is the level that prevents unauthenticated or spoofed messages from being delivered to recipients’ inboxes.
Other findings
Third, nine organizations, accounting for 36% of the analyzed sponsors, had not implemented the “reject” enforcement level and were therefore not proactively blocking spoofed messages attempting to use their domains. Also:
- Eight of the 25 domains (32%) had had DMARC configured for either monitoring mode or partial enforcement, which provided visibility into unauthorized use but did not automatically block suspicious messages.
- One of the analyzed domains had not published a DMARC record at all, according to the data
- The official FIFA domain, by contrast, was listed as having a full DMARC “reject” policy.
According to Jennifer Cheng, Director of Cybersecurity Strategy (Asia Pacific and Japan), Proofpoint, the firm that shared its data findings: “Major global sporting events like the FIFA World Cup create ideal conditions for cybercriminals to exploit excitement, urgency and trust at scale… brands and consumers should be on alert for increased phishing and impersonation attempts in the lead-up to the tournament, particularly as AI-powered tools make these attacks easier to launch and harder to detect. To reduce this risk, businesses need to take proactive steps by strengthening email protections to block fraudulent messages before they reach the inbox and by building employee awareness through phishing simulations and ongoing education.”
*Methodology: The analysis covered 25 primary corporate domains identified on FIFA and Sports Business Journal sponsor listings. DMARC configurations were verified in February 2026 by checking DNS records for the presence and policy level (none, quarantine, or reject). The sample is limited to a limited event‑specific group of sponsors and does not directly measure actual phishing volumes, fraud incidents, or downstream consumer losses, nor does it account for other controls — such as SPF/DKIM, mail transfer agent filtering, or brand‑protection tooling — that may also affect impersonation risk.
Editor’s note: Domain‑spoofing is only one technique within the broader category of email fraud, which also includes lookalike domains, account takeovers, and business‑email compromise.
