Valimail has been tracking and publishing data on DMARC usage since 2017, but this edition of our Email Fraud Landscape series is especially exciting since it’s the first time that the number of domains with DMARC records exceeds one million.
Considering the fact that there are over 366 million domains in existence, that may not seem like a lot, but we’ve whittled down our approach to focus on only legitimate, organizational domains. Unfortunately, the majority of domains are either completely unused or are highly suspicious and likely used for phishing, which is why we’ve chosen to focus on a slightly smaller subset of about 20 million domains tied to legitimate organizations. This allows us to present the most accurate and relevant data on global DMARC usage.
Here are some of the key takeaways from our latest report.
1 million+ domains now use DMARC
As of June 1, 2020, 1.07 million domains have published DMARC records — that’s almost 2.5X growth in under 3 years.
13.9% overall enforcement; effectiveness varies across industries
Of these 1.07 million DMARC records, 148,300 (13.9% of the total) have DMARC enforcement policies (p=reject or p=quarantine, with 100% coverage and no exceptions for subdomains).
A DMARC record without an enforcement policy provides valuable visibility into senders using a domain, but if your goal is to stop phishing and impersonation attacks (as it should be), you need to get to enforcement.
While the 1M+ DMARC records are impressive, that doesn’t necessarily translate into a high level of protection. That’s because DMARC only offers protection when it’s paired with enforcement.
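The enforcement test described above (p=reject or p=quarantine, 100% coverage, no exceptions for subdomains) can be checked mechanically against a domain's `_dmarc` TXT record. The following Python sketch is an added example, not Valimail's code or measurement methodology. It assumes that an absent `pct` tag means 100 and an absent `sp` tag inherits `p` (the RFC 7489 defaults), and that `sp=none` is what counts as a subdomain exception; the sample records are constructed.

```python
from collections import Counter

ENFORCING = {"reject", "quarantine"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    first = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def classify(txt):
    """Label a TXT record: no-dmarc, monitor-only, partial or enforcement."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        return "monitor-only"          # p=none or a missing/invalid policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "partial"               # conservative choice: malformed pct is not full coverage
    sp = tags.get("sp", p).lower()     # assumption: sp=none is the "subdomain exception"
    if pct != 100 or sp not in ENFORCING:
        return "partial"
    return "enforcement"

def enforcement_rate(records):
    """Share of DMARC records at enforcement, counted the way the text above counts it."""
    counts = Counter(classify(r) for r in records)
    with_dmarc = sum(n for label, n in counts.items() if label != "no-dmarc")
    return counts, (counts["enforcement"] / with_dmarc if with_dmarc else 0.0)

# Constructed sample records (not taken from any real domain).
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=50",
    "v=DMARC1; p=reject; sp=none",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "v=spf1 -all",
]

if __name__ == "__main__":
    counts, rate = enforcement_rate(SAMPLES)
    print(dict(counts), f"{rate:.0%} of DMARC records at enforcement")
```

Records labelled `partial` publish an enforcing policy but still leave a gap, either for a share of mail (`pct` below 100) or for subdomains, so they do not count toward the enforcement figure.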
The overall average rate of enforcement is quite low, but among large enterprises, we see a much higher rate of enforcement. For instance:
- Among Fortune 500 domains, 30% of the DMARC records are at enforcement, up from 23% a year ago.
- Among large banks, 36% of DMARC records have enforcement, up from 29% a year ago.
- And in the U.S. federal government, 92% of DMARC records are at enforcement.
These numbers support an assumption that the more resources a company has to dedicate, the more likely they are to reach enforcement — but that doesn’t always have to be the case.
Enforcing a DMARC policy is notoriously time-consuming and complex, since it requires working within two tricky standards, SPF and DKIM, as well as analyzing the ambiguous and often difficult-to-parse DMARC reports that you will get every day from mail gateways around the world. Luckily for companies of all sizes, Valimail now offers its industry-leading visibility and discovery tool, DMARC Monitor, for free.
DMARC usage and enforcement are growing, and are increasingly recommended or mandated by many organizations and governments. But even if you are in an industry that doesn’t mandate its usage, getting to DMARC enforcement will be beneficial for your organization, especially with exciting new benefits like BIMI becoming available, for which DMARC is a requirement.