We scanned 26k nonprofit domains. 3 in 4 can be spoofed.

Enforcement is the only state that blocks forged mail at the receiving server. p=quarantine and p=reject are the two policies that meet that bar. Across the global nonprofit cohort, the combined enforcement rate sits at 24.5%. The remaining 75.5% of domains sit in one of two states: they have published p=none and are collecting reports they do not act on, or they have not published any DMARC record at all. Neither state protects a donor, a grant officer, or a volunteer coordinator from a spoofed message bearing the charity’s name. The enforcement gap is not a reporting artefact. It is the binding constraint on the sector’s email posture.

The UK nonprofit cohort operates at a materially higher posture than its peers. 17.1% of UK charities publish p=reject and a further 19.1% publish p=quarantine, for a combined enforcement rate of 36.2%. Only 29.8% of UK nonprofits lack a DMARC record. The reasons are institutional: the .org.uk namespace carries longstanding registrar guidance, Jisc-adjacent infrastructure serves a portion of the sector, and several large UK charities operate inside the same procurement channels as the public-sector leader cohort documented in the UK country report. The US nonprofit cohort averages 42.3 at a larger sample of 2,305 domains. Enforcement there runs at 28.6% combined, with missing DMARC at 38.0%. The Kenya nonprofit cohort, by contrast, averages 21.7. Only 8.7% of Kenyan charities enforce. 77.7% lack DMARC entirely. The gap between UK and Kenya nonprofits, 28 points on average score, is as wide as any cross-country gap we have observed inside a single sector.

Because our methodology relies exclusively on public DNS record retrieval, we cannot observe raw email volume, fraud attempts, or successful grant diversions. What we can observe is that the cohort most dependent on recurring donor communication is also the cohort with the weakest perimeter. When a nonprofit’s domain accepts no inbound authentication check, a spoofed donation appeal delivered to the charity’s existing supporter base is not distinguishable from a legitimate one at the receiving server. The consequence is direct. Grant-funding fraud, supporter-list phishing, and brand impersonation in the context of a natural disaster or a public fundraising campaign all exploit the same configuration gap. For a sector whose product is mission trust, the unauthenticated email channel is a structural liability.

The top of the distribution tells a different story. The highest-scoring nonprofits in our dataset cluster around 90 to 95 and span the UK (Teach First, Parkinson’s UK, British Cycling, Climate Change Committee), the United States (AGC, CSS Working Group), Australia (UNICEF Australia), and the Netherlands (Disroot). These are not outliers tied to a single country’s regulation. They are charities that have chosen to treat email authentication as a baseline operational control in the same way they treat financial reporting or safeguarding policy. Enforcement maturity at the top of the nonprofit sector is effectively country-agnostic. The median, however, is not. The binding constraint on global nonprofit email security is therefore not the leader cohort. It is the long tail of small and medium charities, in every country, that have not yet deployed the baseline at all.