Man Bites Dog? Federal Government Leads in DMARC Adoption

It’s not every day you see clear evidence that the government is leading a technology sector.

But that’s exactly what’s happening with email anti-impersonation technology through DMARC.

The latest figures from Valimail’s Q1 Email Fraud Landscape include one particularly remarkable fact: The U.S. federal government leads the private sector in the use of anti-impersonation technologies for email, also known as email authentication. It’s not just a small lead, either: 70 percent of federal domains are currently using DMARC.

bar chart showing DMARC usage rates by industry, with US federal government leading at 70%

The next closest sectors are large U.S. tech companies, at just over 50 percent, and the Fortune 500, at just over 40 percent.

That’s not even a horse race. It’s a blowout. And when you consider how far the federal government has come in six months, it’s even more impressive. In October, just 20 percent of federal domains had DMARC records.

The growth clearly shows that a mandate like BOD 18-01 (which required federal agencies to deploy DMARC records) is effective at spurring change.

DMARC Support Among Mail Receivers

Other findings in our report: For the first time, more than 5 billion mailboxes worldwide support DMARC for inbound email messages. That’s 75 percent of the total number of mailboxes. In other words, if domain owners have set a DMARC policy, the vast majority of mailboxes will enforce it.

Three pie charts showing how DMARC support has grown from 2015 to 2017

The number of suspicious and fraudulent messages remains high. Valimail estimates that 14 billion fraudulent email messages are sent every single day.

Since these impersonation messages are among the most difficult to track and to stop, this fact underscores the pressing need for email authentication as a supplement to traditional email security measures, such as secure email gateways (SEGs) and anti-phishing training.

DMARC Enforcement Remains a Challenge

We also found that most companies continue to fail in their DMARC enforcement. In most industries, the failure rate (the percentage of companies who deploy DMARC records but don’t succeed at configuring it to an enforcement policy that protects them from impersonation) hovers between 70 percent and 80 percent.

There are other juicy tidbits in our study, including the countries that are the biggest sources of fraudulent/suspicious email and the countries that are doing best (and worst) when it comes to using DMARC.

It’s all based on exclusive research conducted by Valimail using our own proprietary data, DNS analysis, and other sources.

The report is free — download it today!

And click through for the press release on our Q1 Trends Report.


Dylan Tweney is the head of communications for Valimail.