DMARC tags explained: What you need to know [Infographic]
We’ve talked about the only three tags you really need to successfully deploy a DMARC record, but what about the other seven? In this infographic, we cover the hard and fast rules to creating a valid DMARC…
Introducing Valimail Defend: A definitive defense against untrusted emailing domains
Valimail Defend blocks untrusted-domain attacks like this one. This month, Valimail announced the general availability of our third major email protection product, Valimail Defend™, which protects against lookalike-domain and friendly-from phishing attacks. Valimail Defend joins Valimail’s suite…
Five more myths of email authentication
As I wrote in my last blog post, email is a legacy technology with a lot of accumulated “technical debt” and standards limitations, and there aren’t many true email experts who understand the full set of…
Five myths of email authentication
Email is one of the most vulnerable points in an enterprise’s cyber defenses. Multiple studies (from Proofpoint, Verizon, and others) have shown that over 90% of all cyberattacks start with email-based phishing. An anti-impersonation defense…
Global fight against fake email intensifies
Fake email is at the heart of cybersecurity risk — yet many companies are still not using well-documented, open standards-based technologies that could protect them. A quick look at the stats will reveal…
What you need to know about DNS Flag Day
You may have seen some news about DNS flag day, which is February 1, 2019. So what is DNS flag day? DNS flag day is a change in DNS behavior that the major providers of DNS…
We’re celebrating Data Privacy Day with zero PII
In support of Data Privacy Day, I’d like to share Valimail’s position on personally identifiable information (PII). Our products, unlike many others, are designed to not be dependent on PII. We do not need (or want)…
Fake email leads the list of cybercrimes to watch out for this holiday
Everyone knows Black Friday is the hottest day of the year for shopping, but not many realize that it’s popular for hackers, too. In fact, Valimail data shows that, while you’re busy shopping, email scammers…
Email is far from dead. In fact, it’s bigger than ever.
Lots of pundits have been talking about the “death of email,” but let’s get real. Email keeps growing, and we all keep using it. It is an unmatched, critical communications tool for business on all…
Is that email real or fake? Survey shows most can’t tell the difference
How to prevent payroll diversion scams
Don’t let payroll scams phish your paycheck away! Business email compromise (BEC) comes in many varieties. You’ve probably heard about BEC in the form of executive impersonation attacks, resulting in wrongful corporate wire transfers or W-2s…
Federal compliance with email authentication directive continues to grow
The deadline for compliance is past, but the number of federal domains protecting themselves against email impersonation continues to grow. As of this week, 57 percent of all federal domains are protected by strict DMARC policies in…
Trust but verify: Untangling the web of third-party senders & DMARC
DMARC presents a host of hurdles for companies implementing it themselves. If you can navigate the first step of the enforcement process (parsing XML data from aggregate reports; translating IP addresses to sender names; and…
What’s your industry’s email fraud protection rate?
Valimail regularly queries many millions of domains for the presence of published DMARC and SPF records, and performs detailed analysis on any records that we find.
For our recent Q2 2018 Email Fraud Landscape, we examined the DMARC records published by thousands of companies in 11 different categories. For most of these categories we have data from three successive quarters, which provides a revealing window not only on how these industries compare to one another, but also how they are changing over time.
First, the good news: The use of DMARC is increasing rapidly across the board. Data from Farsight shows that the number of published DMARC records tripled over the course of 2017, and Valimail has seen correspondingly rapid growth in DMARC usage across many categories.
DMARC failure rates are high
However, publishing a DMARC record is only a small piece of the email authentication journey.
Domain owners must ensure that all cloud-based services that send email are duly authorized. They need to ensure that the DMARC and SPF records are all correctly configured. And then they need to switch their DMARC policy to enforcement (a “reject” or “quarantine” policy) if they wish to realize the standard’s anti-impersonation benefits.
To date, most companies that attempt DMARC do not complete the journey. The enforcement failure rate — the percentage of companies that deploy a DMARC record but don’t get to enforcement — hovers around 80 percent for almost every category of company we have studied, as the above chart shows.
While that number has decreased slightly over the past few quarters in a few categories (reflecting incremental improvements at getting to enforcement), the failure rate has remained fairly stable over the past three quarters.
But why does this matter? Glad you asked.
Introducing the fraud protection rate
Publishing a DMARC record in monitoring-only mode does nothing to protect a domain from being impersonated (spoofed).
Yet that’s just what many companies are doing. While the number of companies deploying DMARC records has more than tripled in the past year, the actual rate of fraud protection remains low.
That’s why we’re introducing the Fraud Protection Rate, as a measure of any given category’s success in using DMARC (and other email authentication standards) to actually inoculate itself against impersonation, aka email fraud.
To find the FPR for any given category, multiply its DMARC usage rate by its enforcement success rate (100 percent minus the failure rate).
In other words, the FPR is the percentage of companies in a given cohort that are protected from fake email by DMARC records that are syntactically and technically valid, and which have been set to an enforcement policy.
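The calculation described above, as an added example that is not Valimail's code: it classifies DMARC TXT records for a small cohort and derives the usage rate, the enforcement failure rate and the FPR. The cohort data, the state names and the simplified validity checks (version tag first, a recognized p value, exactly one record per domain) are assumptions made for illustration.

```python
# Added example: constructed TXT data; validity rules are deliberately simplified.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if the record is unusable."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            return None                   # not a tag=value pair
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None                       # version tag must come first
    parsed = dict(tags)
    if parsed.get("p", "").lower() not in ENFORCING | {"none"}:
        return None                       # missing or misspelled policy
    return parsed

def classify(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>."""
    candidates = [t for t in txt_records if t.strip().startswith("v=DMARC1")]
    if not candidates:
        return "no_record"
    if len(candidates) > 1:
        return "invalid"                  # more than one DMARC record published
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "invalid"
    return "enforced" if tags["p"].lower() in ENFORCING else "monitoring"

def fraud_protection_rate(cohort):
    """FPR = DMARC usage rate x enforcement success rate (1 - failure rate)."""
    states = [classify(txts) for txts in cohort.values()]
    published = [s for s in states if s != "no_record"]
    usage = len(published) / len(states)
    success = published.count("enforced") / len(published) if published else 0.0
    return {"usage": usage, "failure": 1 - success, "fpr": usage * success}

# Constructed cohort: domain -> TXT strings at _dmarc.<domain>
COHORT = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=rejct"],
    "d.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "e.example": ["v=spf1 -all"],
    "f.example": [], "g.example": [], "h.example": [],
}

if __name__ == "__main__":
    print(fraud_protection_rate(COHORT))
```

In this constructed cohort half the domains publish a record but only one of those four reaches enforcement, so a 50 percent usage rate yields an FPR of 12.5 percent.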
Here’s what we’ve found:
| Category | FPR |
| --- | --- |
| Billion-dollar public companies (n=4,393) | 3.5% |
| Crunchbase unicorns (n=317) | 12.3% |
| Fortune 500 (n=500) | 8.6% |
| Global media companies (n=610) | 3.1% |
| NASDAQ (n=1,689) | 3.3% |
| NYSE (n=1,389) | 5.1% |
| U.S. banks (n=138) | 11.6% |
| U.S. federal government (n=1,315) | 42.9% |
| U.S. health care (n=216) | 5.6% |
| U.S. tech (n=86) | 15.1% |
| U.S. utilities (n=105) | 5.7% |
As you can see, the FPR is in single digits for most industry categories, reflecting the fact that most companies either haven’t yet deployed email authentication, or haven’t succeeded in configuring it completely to a policy of enforcement.
Which categories are ahead?
There are a few standouts.
Thanks to its high rate of DMARC deployment and high success rate, the U.S. federal government again shows leadership here, with a fraud protection rate of nearly 43 percent as of August 2018 (that number continues to rise, by the way, and we’ll have updated numbers on the federal government very soon).
That is a remarkably high figure, and the CIOs and CISOs responsible deserve congratulations for the progress they have made. There is still a ways to go, of course, as 57 percent of federal domains remain open to impersonation by fake emails.
Other groups showing good numbers are large U.S. tech companies, Crunchbase unicorns, and large U.S. banks: All have greater than 10 percent fraud protection.
There is also cause for optimism among U.S. utilities and U.S. health care companies: Their fraud protection rates have been steadily improving for three quarters.
Why this matters
Email authentication adoption continues to grow, as companies, governments, and nonprofit organizations around the world recognize the importance of stopping impersonation of their domains.
Since impersonation is the primary vehicle through which phishers target and exploit organizations, this growth is a welcome sign of a fundamental secular change in the way email works.
However, email authentication remains challenging for many organizations. Even among those that implement it, most still find it difficult to get their configurations correct, complete the authentication of every service that needs to be authenticated, and move to an enforcement policy.
For companies and other organizations to truly achieve the benefits of authentication, they need to surmount those hurdles. That’s where automated email authentication plays a crucial role.
Want to know more about automated email authentication? Read our free ebook.
Secure Email Gateways and email authentication: Why you need both (infographic)
Many companies already use a Secure Email Gateway (SEG) as a bulwark against the ever-increasing waves of email-based phishing and malware attacks. So if you’ve got an SEG already, why would you need to add email…
How to implement multifactor authentication across multiple environments in AWS
As an email authentication company, we maintain the highest security standards, and maintaining a bulletproof infrastructure is extremely important. One of our most important requirements is multifactor authentication (MFA). Among many other requirements, our MFA implementation…
$12.5 billion: The cost of email impersonation (and that’s just the tip of the iceberg)
Email impersonation is in the news again. On Friday, the news hit that the Department of Justice had indicted 12 Russians on counts of attempting to interfere with the 2016 election in the U.S. At…
How DMARC can facilitate GDPR compliance
By now, you’ve undoubtedly read a lot of stories about how one technology or another is going to provide a magic solution for compliance with GDPR, the European privacy law that went into effect May…
With $25M funding round, Valimail is ready to authenticate the world’s communications
It feels like only yesterday my co-founder Peter and I started the journey that has led us to our latest milestone: a $25M Series B expansion round that will accelerate our global growth and expand our portfolio of…
Introducing the Valimail platform
Get ready for the next generation of email authentication. Today, we are announcing the Valimail Identity-Driven Email Anti-impersonation (IDEA)™ platform. This is a modular platform designed for robustness, global availability, four nines of reliability, and extensibility….
U.S. senators remain vulnerable to email fraud
Trend Micro has found evidence that a Russian hacking group is attempting to break into the U.S. Senate’s email systems, Newsweek reported last week. Here’s the thing: Hackers don’t even need to hack into the…
Why credit companies and the IRS won’t send you email
Love it or hate it, email is the most ubiquitous channel for communication ever invented (apart from the telephone), reaching half of the humans on the planet today. Yet many companies and government agencies will…
Mailsploit is “virtually unstoppable”? Not even close
News stories are popping up about Mailsploit, a supposed email spoofing technique that is “virtually unstoppable,” according to its creator. In particular, reporters are homing in on the creator’s claim that it “fools DMARC.” This…
76 percent of inboxes worldwide now enforce email authentication — if senders enable it
Note: This post is being jointly published by the Global Cyber Alliance and Valimail. Support for email authentication among the world’s ISPs has surged significantly in the past two years, new data shows. Email authentication, if enabled by…
Banks want to help you send money. So do phishers
A group of U.S. banks are starting to offer a service called Zelle that lets you send money to your friends using their email address or mobile number, easily, fast and free. Consumers can use…
The FBI makes DMARC enforcement part of law enforcement
The U.S. Federal Bureau of Investigation has something to be proud of: As of last month, it’s no longer possible for hackers to impersonate the agency with emails that appear to come from the FBI….
Why it’s so easy to fool White House officials with fake emails
It just keeps happening. A prankster who over the past few months tricked the heads of several major banks into thinking that they were having email conversations with their colleagues has struck again, this time targeting members of…