New Report: Over One Quarter of Top U.S. Data Centers Lack Email Security Protections to Block Spoofing Attacks

TL;DR

• Critical Cybersecurity Vulnerability: A new report reveals that 27% of the top 100 U.S. data centers fail to enforce basic email authentication (DMARC), leaving this vital infrastructure highly exposed to domain spoofing and phishing attacks.
• Systemic Infrastructure Risk: These widespread security gaps present a major systemic threat given the immense scale of the sector, which currently encompasses over 4,500 active U.S. facilities and more than 700 additional sites under construction.

# # #

As cyber threats increasingly target critical infrastructure, a new analysis from cybersecurity firm Red Sift exposes major email security weaknesses across the nation’s largest data center operators. Despite powering the U.S. digital economy, more than a quarter (27%) of the top 100 data centers fail to enforce basic email authentication, leaving the door wide open to domain spoofing and phishing.

The review assessed the top 100 U.S. data centers’ use of core protections like DMARC (Domain-based Message Authentication, Reporting, and Conformance), the frontline defense against email impersonation. The findings signal systemic risk:

Key findings:

• 27% lack enforcement: Policies set to “none” or left unconfigured, creating widespread spoofing exposure across critical infrastructure.
• 10% have no DMARC record at all: The highest-risk category, with zero protection against impersonation attacks.
• Just 6% use the key brand standard BIMI: Meaning 94% of data center brands lack visual inbox verification, making it far easier for attackers to mimic trusted senders.

The gaps are especially alarming given the sector’s scale and strategic importance. The U.S. now hosts more than 4,500 active data centers consuming roughly 176 TWh annually, roughly 4.4% of total U.S. electricity with more than 700 additional facilities under construction nationwide. Virginia alone accounts for over 665 sites, underscoring how concentrated and exposed this critical infrastructure backbone has become.

# # #

About the Author

Brian Westnedge leads alliances for Red Sift, an integrated cloud email and brand protection platform that automates BIMI and DMARC processes, making it easy to identify and stop business email compromise, and securing domains from impersonation to prevent attacks. He has worked in the DMARC space since its inception, has 20 years of experience in email deliverability, security and authentication.

The post New Report: Over One Quarter of Top U.S. Data Centers Lack Email Security Protections to Block Spoofing Attacks appeared first on Data Center POST.