Valimail’s second annual report on the state of the email authentication ecosystem is out, and it makes the picture crystal clear: There’s an enormous global infrastructure ready and waiting to authenticate emails, but domain owners are for the most part missing the opportunity to use that infrastructure.
We found that among the top 1 million domains, 96.4 percent still have not published DMARC records — despite the fact that the overwhelming majority of email inboxes support it. These domains are not using a valuable, accessible tool for protecting themselves against fraud and phishing. This is the DMARC adoption gap.
Furthermore, 77 percent of domains that do publish a DMARC record do not get to enforcement — a rate comparable to what we found when we first analyzed the top million domains in November 2016. They leave their DMARC policy in a monitoring-only mode, and thus fail to actually lock down their email domains to stop impersonation attacks and protect their brands. This is the DMARC enforcement gap.
Closing these gaps will be key to the transformation of the email ecosystem. We already have a critical mass of email receivers that will implement and enforce DMARC policies if domain owners publish one. According to Great Horn, companies that publish and enforce DMARC see a 77 percent reduction in email threats.
Once we reach a critical mass of domain owners, email will move from being unauthenticated by default to being authenticated by default.
Widespread use of email authentication will enable receivers to reject (or quarantine to spam folders) all email that lacks authentication. The internet will then achieve herd immunity from email impersonation — and people will be able to place renewed confidence in the contents of their inboxes.
The potential payoff is huge. Eliminating email impersonation threats could save the average company $8.1 million annually, based on Great Horn’s estimate of DMARC effectiveness and Accenture’s analysis of average annual cybercrime costs.
Across the Fortune 2000, that would amount to an annual savings of $16.2 billion.
Key findings from our 2017 Email Fraud Landscape:
- One in five messages sent today is suspicious (i.e. it appears to come from a domain that has not authorized the sender).
- 0.5% of the top million domains are protected from impersonation by email authentication.
- 77% of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy.
- 15-25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.
- 76% of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if such policies exist.
- Implementing email authentication would save the average company $8.1 million per year in cybercrime costs — $16.2 billion annually across the Fortune 2000.
To see more, including authentication rates for the Fortune 500, Fortune Global 500, NASDAQ, NYSE, and many other categories, download the full, 21-page report for free.