New Report: Over One Quarter Of Top U.S. Data Centers Lack Email Security Protections To Block Spoofing Attacks

As cyber threats increasingly target critical infrastructure, a new analysis from cybersecurity firm Red Sift reveals significant email security gaps among the largest data center operators in the United States. Despite underpinning the nation’s digital economy, an alarming 27% of the top 100 U.S. data centers lack effective email authentication enforcement, leaving them vulnerable to domain spoofing and phishing attacks.

The review examined the top 100 U.S. data centers, analyzing their implementation of key email security standards such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), which is designed to prevent attackers from impersonating trusted domains.

Key findings include:

• 27% of data centers operate with weak or no enforcement (email security policies set to “none” or not configured), creating a major spoofing vulnerability across critical infrastructure.
• 10% of analyzed organizations have no DMARC record at all, representing the highest-risk category for impersonation-based attacks.
• BIMI adoption remains extremely low at just 6%, meaning 94% of data center brands lack visual verification in inboxes, significantly increasing the risk of brand impersonation.

These gaps are especially concerning given the sector’s scale and importance. The United States is home to more than 4,500 active data centers consuming approximately 176 TWh of electricity annually, about 4.4% of total U.S. power use,  with over 700 additional facilities under construction across 38 states. Virginia leads the nation with more than 665 facilities, followed by Texas and California.

The findings underscore an urgent need for stronger baseline protections across the sector. Even as data center capacity rapidly expands to meet rising demand from AI and digital services, email security remains an overlooked but critical vulnerability layer, with attackers increasingly exploiting trusted infrastructure domains to gain footholds across interconnected systems. As the backbone of cloud computing, AI, financial systems, and national security infrastructure, data centers represent high-value targets for cybercriminals. Weak email authentication leaves operators, partners, and customers exposed to phishing, business email compromise (BEC), and supply chain attacks that can disrupt operations or compromise sensitive data flows.