Among Tech Companies, DMARC and Revenue Are Positively Correlated

hand with a marker drawing a chart line curving up and to the right

As part of our regular series of research reports on the state of email fraud, Valimail recently conducted an analysis focused on the tech industry.

What we found: Large tech companies are moving more quickly than most to protect themselves by using state-of-the-art email authentication. But there is room for improvement.

Most intriguing: There is a positive correlation between DMARC status and revenue. Companies with DMARC records have, on average, significantly higher revenue than those without DMARC. Those with DMARC records at enforcement have higher revenue than those at p=none, and they have twice the revenue of those with no DMARC records at all.

Is this a sign that you can double your company’s revenue by adding DMARC and getting to enforcement? Of course not — we’re not the kind of company that would make ridiculous promises like that. Correlation is not causation and all that.

It’s more likely that bigger companies have bigger brands to protect, and are therefore more likely to prioritize protecting those brands from spoofing.

XKCD cartoon on correlation
Image credit: XKCD

Anti-Phishing in the Tech Industry

While phishing accounts for 90 percent of all cyberattacks (or even more), the majority of phish depend on the ease with which attackers can impersonate trusted senders. Eliminate the impersonation capability, and you force phishing attacks to use other, more easily detected means.

One key component to stopping phish through blocking impersonation is email authentication with the DMARC standard.

In general, large tech companies are beginning to implement email authentication with DMARC at above-average rates — about half of the 525 large tech companies we examined have begun to use DMARC in some form or another.

But the majority of those that have embarked on an email authentication project have not completed their journeys. Only 10 percent, or 53 companies, have configured DMARC correctly and in a way that protects them from being spoofed (with an enforcement policy of p=quarantine or p=reject).

As a result, the other 90 percent of large tech companies remain unprotected from impersonation. They — and their customers and partners — are still at risk for phishing attacks that leverage their good names to try and win trust under false pretenses.

Our report, Tech Companies Make Progress in Anti-Phishing Protection, is available now as a free download from the Valimail website.

Key Findings: DMARC Enforcement in Tech

chart showing DMARC status for tech industry companies

Some of the highlights from the report:

  • 49 percent of large global technology companies have DMARC records of some kind, indicating that they have, at minimum, begun to deploy this anti-phishing technology
  • 19 domains (3.6 percent of the total) have DMARC records that are incorrectly configured
  • 183 domains (35 percent of the total) have DMARC records that are correctly configured, but have not been set to a policy that will actually stop phishing via spoofed From addresses
  • 55 domains (10.5 percent) had DMARC records that were correctly configured and set to a policy that will stop phishing/spoofing (aka enforcement)
  • DMARC is positively correlated with revenue: The companies with DMARC enforcement had an average revenue more than twice that of the companies with no DMARC records at all ($10.2 billion vs. $5 billion)

In short, when it comes to protecting themselves against spoofing, tech companies are smarter than the average bear.

(But they’re still not as advanced as, say, the U.S. federal government, which has protected 80% of its domains, according to Valimail’s previously published Q4 Email Fraud Landscape.)

Find out more by downloading the full tech industry report.

And if you’re wondering about a specific tech company, use Valimail’s DMARC and SPF domain checker to find out if its domain can be spoofed or not.

Just enter the domain you’re curious about into our checker and we’ll tell you the details of how DMARC and SPF are configured for that domain.

Dylan Tweney is the VP of research and communications for Valimail. Formerly, Dylan was the founder of Tweney Media, a content-driven communications agency, whose clients included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail.

Previous to that, he was the editor-in-chief of VentureBeat (2011-2015) and a senior editor at Wired (2007-2011).