Local research, June 2026

Southwest Michigan Email Security Report

We audited 435 Southwest Michigan business domains, and 86% of them have no email authentication enforcement. In plain English, that means anyone can send email that looks like it comes from those businesses, and nothing stops it from landing in a customer's inbox.

85.9%

No DMARC enforcement

373 of 434 domains. Anyone can send email as them.

62.2%

No DMARC record at all

270 domains publish nothing.

23.7%

Monitoring only (p=none)

103 domains watch but block nothing.

14.1%

Actually enforcing

61 domains reject or quarantine fakes.

What does "can be impersonated" actually mean?

Every business domain can publish a DMARC record, a small DNS setting that tells receiving mail servers what to do with email that fails authentication. When it is set to enforce, a forged message claiming to be from your business gets rejected or sent to spam. When it is missing, or set to monitoring only, that forged message sails through to your customer's inbox looking exactly like you. Of the 435 local domains we checked, 270 publish no DMARC record at all and 103 have one that enforces nothing.

The numbers by county

County        Domains audited    No enforcement
Calhoun       273                86.1%
Kalamazoo     91                 82.4%
Allegan       30                 80%
Barry         16                 93.8%
St. Joseph    10                 90%
Branch        5                  100%

Why this matters for a small business

Email impersonation is the front door for invoice fraud and payment scams. The FBI's Internet Crime Complaint Center calls business email compromise one of the most financially damaging online crimes, and it usually starts with a message that looks like it came from a real, trusted business. On top of that, Google and Yahoo now require senders to authenticate their email, so domains without it increasingly land in spam even when the message is genuine. Both problems share one fix: turn on enforcement.

How we measured this

Every figure here comes from a live DNS lookup of each business domain's published DMARC policy, taken at the latest audit. "No enforcement" means either no DMARC record, or a record set to p=none, which monitors but blocks nothing. Domains we could not read conclusively are excluded from the percentages. This is a point-in-time snapshot of public DNS records, not a claim that any business was breached, and we never name an individual business.
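
The classification described above, sketched in Python as an added example (this is not the code used for the audit). It assumes the TXT strings published at _dmarc.<domain> have already been fetched, and it assumes that a domain with several DMARC records, or with a missing or unrecognised p= value, counts as "could not read conclusively"; the function names and sample domains are made up for illustration.

```python
import re
from collections import Counter

# Version tag must come first; the pattern tolerates whitespace around "=".
DMARC_VERSION = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")

def parse_tags(record):
    """Split 'v=DMARC1; p=none' into {tag: value} with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings published at _dmarc.<domain> to a report category."""
    dmarc = [r for r in txt_records if DMARC_VERSION.match(r)]
    if not dmarc:
        return "no_record"
    if len(dmarc) > 1:
        return "inconclusive"  # assumption: ambiguous, so left out of the percentages
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing"
    if policy == "none":
        return "monitoring_only"
    return "inconclusive"  # assumption: missing or unrecognised p= value

def summarize(domains):
    """Percentages per category; inconclusive domains are excluded from the base."""
    counts = Counter(classify(records) for records in domains.values())
    base = sum(counts.values()) - counts["inconclusive"]
    if base == 0:
        return {}
    pct = {c: round(100 * counts[c] / base, 1)
           for c in ("no_record", "monitoring_only", "enforcing")}
    pct["no_enforcement"] = round(100 * (base - counts["enforcing"]) / base, 1)
    return pct

# Constructed sample input; the names are placeholders, not audited domains.
SAMPLE = {
    "a.example": [],
    "b.example": ["unrelated TXT value"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=DMARC1; p=quarantine"],
    "e.example": ["v=DMARC1; p=Reject"],
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}
```

Calling summarize(SAMPLE) returns the four percentages computed over the five conclusive domains; f.example is left out of the base because it publishes two DMARC records.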

Is your domain one of them?

Run our free one-minute check and find out whether someone can send email as your business, in plain English, with no signup.
