As UAE residents move to book deferred travel plans and international visitors return to the region, new research from cybersecurity firm Proofpoint shows the country’s online travel sector has made measurable progress on email fraud protection – while leaving a significant gap.
DMARC adoption among the UAE’s top 20 online travel sites rose to 95% in 2026, up from 85% in 2025. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is the technical standard that governs whether fraudulent emails impersonating a brand are allowed to reach a customer’s inbox at all.
The distinction that matters, however, is enforcement level. At its strictest “reject” setting, DMARC actively blocks spoofed emails before delivery. Only 45% of the UAE’s top travel platforms currently operate at reject level, meaning 55% have a DMARC record in place but have not yet activated the setting that provides full protection. Staff, customers, and partners of those platforms remain exposed to receiving emails that convincingly impersonate the brand.
Proofpoint conducted its analysis in May 2026 across sites identified using SEMrush traffic data from March 2026.
“The UAE travel sector has shown real resilience this year, and it is encouraging to see that extending to how brands protect their customers online. As travelers return and booking confidence rebuilds, the industry has a clear responsibility to ensure that trust is not undermined by fraud carried out in its name. The progress is real, but moving to reject- level enforcement remains the most direct action a travel brand can take to protect its customers and its reputation at the same time,” Kenan Abu Ltaif, Regional Lead, Middle East and Turkey at Proofpoint said in a statement.
The findings arrive during a period of elevated booking activity. With UAE airspace fully restored following earlier regional disruption, travel demand has picked up sharply, and the volume of online transactions that typically accompanies a summer booking surge creates a larger target for email-based fraud campaigns.
For travelers, Proofpoint recommends a set of practical precautions: enabling multi-factor authentication on booking accounts, booking only through official websites or verified agents, treating unsolicited flight-change alerts and payment requests with caution, and navigating directly to brand websites rather than following links in emails.
