More and more domains are adopting DMARC, the most modern and effective standard for authenticating email. That’s great news in the war against phishing and spam.
Unfortunately, as Valimail found in our just-published global industry analysis, the failure rate for DMARC implementers is still far too high: around 75 percent of the organizations that attempt it, to be exact.
Email authentication can help protect organizations against phishing, spear phishing, and business email compromise by ensuring that only approved senders can use the organization’s domain name in their email “From” fields. Since a huge number of cyberattacks start with phishing emails, enabling email authentication helps improve an organization’s security posture. It protects against brand dilution from impersonators who send email pretending to be from that organization. And it also gives IT administrators much more information about (and control over) which email services are being used throughout their company, helping them control “shadow IT” deployments of cloud services.
Valimail examined the domains for more than 1 million companies and government organizations, including the NASDAQ 100, S&P 500, Fortune 1000, FTSE 100, and the 1 million most trafficked websites according to Alexa.
We found that the majority are not making use of the available open standards for email authentication, including DMARC, SPF, and DKIM. Unsurprisingly, the odds that a company is using authentication are greatest for the largest companies: 43 percent of the NASDAQ 100 have attempted authentication, with declining percentages as we looked at larger and larger groups, all the way down to a measly 2.3 percent of the Alexa 1 million sites.
That’s not to say there hasn’t been progress. It is interesting to compare our results to the latest data on DMARC adoption from DMARC.org, whose Farsight dataset shows a marked increase in usage of the email standard over the past five years.
In terms of growth rate, the number of domains using DMARC has grown by approximately 10–20 percent every month since 2014, according to DMARC.org. A steady growth rate translates into an exponential curve of total domains currently using the standard, which now numbers over 60,000, the organization’s chart shows.
DMARC.org notes that this is not internet-wide data, so the actual number of DMARC-using domains is undoubtedly higher. However, they’re confident that the dataset reflects the internet at large accurately.
Unfortunately, of those companies that are using DMARC, most have not actually set it up so that inauthentic emails are rejected or put into spam folders. And the success rate of those who attempted authentication is about even across the board, regardless of organization size.
In Valimail’s study, we found that failure rates ran from 62 percent to 80 percent, with most of the companies we measured clustering around 75 percent.
The vast majority of those failures are organizations that have a correctly configured DMARC record but have left it in monitoring mode only (p=none), which asks receivers to send reports but take no action on messages that fail authentication. As a result, unauthenticated email continues to be delivered to recipients all over the internet.
Setting up a DMARC record in p=none monitoring mode is a reasonable initial step, but when three quarters of those that use DMARC have not progressed beyond this step, something is wrong.
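The monitoring-versus-enforcement distinction above is easy to check mechanically. The following is an added example, not Valimail's code or tooling: it parses DMARC TXT records and classifies each as monitoring (p=none), partial (an enforcing policy applied to only a fraction of mail via pct), fully enforcing, or invalid, then computes the same "attempted but not enforcing" ratio the study reports. The domain names and records are constructed for the example; only the tag semantics come from RFC 7489.

```python
"""Added example (not Valimail's code): classify DMARC TXT records by whether
they actually enforce a policy, the distinction the study draws between
monitoring (p=none) and enforcement (p=quarantine or p=reject)."""
from typing import Dict, Optional, Tuple

ENFORCING_POLICIES = {"quarantine", "reject"}

# Constructed sample: what a DNS lookup of _dmarc.<domain> might return.
# None stands for "no DMARC record published at all".
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25",
    "typo.example": "v=DMARC1; p=rejct",
    "absent.example": None,
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value pairs.

    RFC 7489 requires the record to begin with the v=DMARC1 tag; anything
    else (an SPF record, a stray TXT string) yields an empty dict.
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        if "=" not in field:
            continue  # empty trailing field or junk; skip it
        tag, value = field.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def classify(txt: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitoring', 'partial' or 'enforcing'."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if not tags:
        return "invalid"
    # RFC 7489 section 6.6.3: a record without a valid "p" but with a "rua"
    # reporting address is treated by receivers as p=none.
    policy = tags.get("p", "none" if "rua" in tags else "").lower()
    if policy == "none":
        return "monitoring"
    if policy not in ENFORCING_POLICIES:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # default is 100 percent of mail
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    return "enforcing" if pct == 100 else "partial"


def failure_rate(records: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """Count (not_enforcing, attempted) over domains that published any record.

    Anything short of full enforcement (monitoring, partial rollout, or an
    unparseable record) counts as a failed attempt, matching the study's view
    that a p=none record leaves spoofed mail deliverable.
    """
    attempted = failing = 0
    for txt in records.values():
        state = classify(txt)
        if state == "missing":
            continue
        attempted += 1
        if state != "enforcing":
            failing += 1
    return failing, attempted


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify(txt)}")
    failing, attempted = failure_rate(SAMPLE_RECORDS)
    print(f"{failing} of {attempted} attempting domains are not enforcing")
```

To use it on real domains, feed the TXT answer for `_dmarc.<domain>` into `classify`; the function deliberately does not resolve DNS itself so it can be run against exported records offline.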
One reason companies may be reluctant to move to enforcement is the complexity of the DMARC standard, combined with the mission-critical nature of email. One mistake in a company’s DNS record for DMARC could have a major impact on email deliverability, with massive consequences for corporate communications and even revenue.
Also, built-in limitations of DMARC, such as the 10-lookup limit within SPF (one of DMARC’s component standards), are difficult to reconcile with the large number of senders that most domain name owners need to authorize.
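The lookup limit is worth seeing in action, because it is exceeded transitively: every include and redirect pulls in the lookups of the record it points to. The following is an added example, not Valimail's code or its workaround: it walks an SPF record and its includes over a constructed, in-memory zone (the domain names and records are made up; nothing is resolved over the network) and counts the terms that RFC 7208 section 4.6.4 charges against the limit of 10: the include, a, mx, ptr and exists mechanisms and the redirect modifier. It also stops on include loops, which a real resolver would reject as a permanent error.

```python
"""Added example (not Valimail's code): count the DNS-querying SPF terms
reachable from a domain's record, the quantity RFC 7208 section 4.6.4
caps at 10 per evaluation."""
import re
from typing import Dict, List, Optional, Set

# Mechanisms that cost a DNS lookup; the redirect modifier is charged too.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed zone data standing in for live DNS TXT answers (domain -> SPF
# record). Names and addresses are invented for this example.
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.mailhost.test include:crm.test "
                   "include:_spf.example.com -all",
    "_spf.mailhost.test": "v=spf1 include:a.mailhost.test include:b.mailhost.test ~all",
    "a.mailhost.test": "v=spf1 ip4:192.0.2.0/24 a mx -all",
    "b.mailhost.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.test": "v=spf1 include:us.crm.test include:eu.crm.test -all",
    "us.crm.test": "v=spf1 ip4:203.0.113.0/26 ptr -all",
    "eu.crm.test": "v=spf1 ip4:203.0.113.64/26 exists:%{i}.spf.crm.test -all",
    "_spf.example.com": "v=spf1 redirect=legacy.example.com",
    "legacy.example.com": "v=spf1 a:mail.example.com -all",
}


def _terms(record: str) -> List[str]:
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    return [t for t in record.split() if t.lower() != "v=spf1"]


def _name(term: str) -> str:
    """Mechanism or modifier name with any leading qualifier (+ - ~ ?) removed."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def count_lookups(domain: str, zone: Dict[str, str],
                  _seen: Optional[Set[str]] = None) -> List[str]:
    """Return every lookup-charged term reached from `domain`, depth first.

    Each entry is "<domain>: <term>" so a report shows where the budget goes.
    Includes and redirects are followed; a domain already on the path is not
    re-entered (loop protection); a missing record ends that branch, but the
    include/redirect that pointed at it has already been charged.
    """
    seen = set() if _seen is None else _seen
    if domain in seen:
        return []
    seen.add(domain)
    record = zone.get(domain)
    if record is None:
        return []
    found: List[str] = []
    for term in _terms(record):
        name = _name(term)
        if name in LOOKUP_MECHANISMS or name == "redirect":
            found.append(f"{domain}: {term}")
        if name == "include":
            found.extend(count_lookups(term.split(":", 1)[1], zone, seen))
        elif name == "redirect":
            found.extend(count_lookups(term.split("=", 1)[1], zone, seen))
    return found


def within_limit(domain: str, zone: Dict[str, str]) -> bool:
    """True when the record can be evaluated without exceeding the 10-lookup cap."""
    return len(count_lookups(domain, zone)) <= LOOKUP_LIMIT


if __name__ == "__main__":
    hits = count_lookups("example.com", ZONE)
    for i, hit in enumerate(hits, 1):
        print(f"{i:2d}. {hit}")
    verdict = "OK" if len(hits) <= LOOKUP_LIMIT else "permerror (limit exceeded)"
    print(f"{len(hits)} lookups against a limit of {LOOKUP_LIMIT}: {verdict}")
```

In the constructed zone, example.com authorizes only three services plus its own legacy record, yet it reaches 14 lookups, because each provider's include fans out into further includes and a/mx/ptr mechanisms. Per-mechanism sub-limits (for example the cap on MX records returned by an mx term) are not modelled here; this counts only the top-level budget that most deployments hit first.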
Valimail was built to solve these problems. We simplify management of DMARC records and provide a clever, standards-compliant way to work around the SPF domain lookup limit, making DMARC much more flexible and compatible with modern email requirements. To find out more, contact us for a free demo.