76 percent of inboxes worldwide now enforce email authentication — if senders enable it

Note: This post is being jointly published by the Global Cyber Alliance and Valimail. 

Support for email authentication among the world’s ISPs has surged significantly in the past two years, new data shows. 

Email authentication, if enabled by both senders and receivers, is a powerful tool in stopping the growing phishing crisis. Ninety-one percent of cyberattacks start with a phishing email, according to PhishMe, making it by far the preferred starting point for hacks of all types. Additionally, business email compromise scams (email impersonation attacks) have cost businesses $5.3 billion since 2013, according to the Federal Bureau of Investigation. The majority of such attacks use direct spoofing (impersonating the sender).

Email authentication through the DMARC standard prevents this, by giving domain owners the power to specify who is allowed to use their domain names in the From field of email messages. Non-authorized senders will fail the authentication checks performed by ISPs receiving email messages, thus protecting recipients from phish, hack attempts, and spam, and protecting domain owners from brand-damaging impersonations.

About 4.8 billion inboxes now support email authentication through DMARC, representing 76 percent of the current total number of worldwide email accounts (6.3 billion, according to Radicati’s 2017 Email Statistics Report).

The new total of ISPs is a dramatic increase from the 2.7 billion inboxes protected by DMARC support in 2015, representing 62 percent of the then-total number of inboxes (4.3 billion).

To put it another way, in the past two years the number of inboxes enforcing email authentication policies has grown by 2.1 billion.

“DMARC support” means that the ISPs will determine if a sending organization has a DMARC policy in place, and enforce “quarantine” or “reject” policies, if domain owners have specified them. These ISPs will not deliver messages that fail authentication. Note that if domain owners have specified a policy of “none,” message delivery will not be affected, even for messages failing authentication, and receiving mail servers will only send reports if requested by the sending domain owners.

With such widespread support, DMARC at enforcement is a potent, globally-effective tool for preventing the most common and most pernicious kinds of phishing attacks: Same-domain impersonation.

The recent growth in DMARC support is largely attributable to several large Chinese ISPs, including Netease and Tencent, enabling enforcement within the past 18 months.

The list of email account providers supporting DMARC enforcement now includes most of the major global ISPs, including Gmail, Oath, Microsoft, Tencent, Mail.ru, Comcast, AT&T, British Telecom, Virgin Media, and Italia Online.

Country-by-country DMARC support remains variable, with support well over 80 percent in some countries, such as the U.S., U.K., Brazil, Mexico, and Canada; while it lags in a few countries, such as Germany and Japan. However, the overall picture is clear: The vast majority of ISPs around the world will enforce email authentication for those domains that have published a DMARC record and set it to enforcement.

About the study: Valimail examined millions of DMARC aggregate reports from ISPs around the world over a two-year timespan to determine which ISPs were reporting having taken enforcement actions.

ISP subscriber counts were taken from a variety of published sources, including the ISPs’ own annual reports.

Note that the totals for DMARC support include primarily ISPs, not enterprise mail servers or secure email gateways (SEGs) except when those are provided as services by ISPs. For instance, Gmail is the email provider for Google’s G Suite, and Google includes G Suite subscribers in its total number of Gmail users. One exception: The total does include Microsoft Office 365, both enterprise and consumer editions.

Enterprise mail servers are included in Radicati’s total number of worldwide email accounts, so the percentage of global inboxes supporting DMARC is probably higher than 76 percent.

See here for the GCA’s version of this blog post.