Comment by Justsignedup

As someone who set these up, I can tell you, the answer is rather simple:

- spammers have 1 system to set up in order to spam. They get it right.

- company admins have dozens of projects, of which this is a tiny one, with zero ROI to the bottom line (if people don't consider how critical security is). So they delay.

- companies often have dozens of systems integrated, when I set up DMARC/DKIM the first time for my company, a bunch of email tools broke, we had to do a bunch of leg work, took us a month end-to-end. The value was recognized when we almost lost 20k to a "ceo emails you" scam. But until then it wasn't a priority.

- we didn't even have a full IT, i just stepped in because I cared enough.

- my current company has a dedicated security team. These holes are plugged VERY quickly.