Which industries are doing best at email security? (research part 2)
The majority of the 933,000 domains with DMARC are owned by small companies, small nonprofits, or individuals. Perhaps companies with large IT budgets can do better at deploying DMARC and getting to enforcement?
The answer: A little bit — but it depends on the industry. Among billion-dollar publicly traded companies (globally), almost 52% of these companies’ primary domains have DMARC records. But of those with DMARC, only 23% are at enforcement — significantly better than the global average of 13%, but not an order of magnitude better.
Other industries have similar or slightly better rates of success at getting to enforcement: Global banks and financial services companies 33%, Fortune 500 companies 28%, global tech companies 24%, and global media companies 22%. Somewhat lower on the scale are U.S. healthcare providers with 18% and U.S. utilities with 13%. (Note: all categories included only $1B+ revenue companies, except for media companies, which were limited to $500M+ revenues.)
The only standout category is the set of U.S. federal government domains, of which 79% have DMARC records. Of those DMARC records, 93% are at enforcement. These are remarkably high figures — a tribute to the success of a 2017 directive from the Department of Homeland Security, BOD 18-01, which mandated DMARC at enforcement for most executive branch domains by January 2018. At the time, fewer than 20% of government domains had DMARC and almost none were at enforcement. Although the mandate was unfunded, several things about it favored success: It was clearly worded, included specific guidance for agencies to follow, and was coupled with tools that agencies could use to check their status and interpret DMARC data.
Despite the fact that almost no industry has a better than 25% success rate in getting DMARC records to enforcement, some industries are doing better at protecting themselves, simply because they have a larger proportion of domains attempting DMARC.
For instance, 67% of Fortune 500 companies have deployed DMARC, and about a quarter of those are at enforcement. This means that almost 20% of the Fortune 500 are now protected from impersonation by DMARC at enforcement. Global tech companies have taken a similarly aggressive approach to DMARC deployment, so 15% of these domains are protected.
But global media companies lag: Only 43% of this category has a DMARC record, and with a success rate of 22%, this means that just 10% of this category’s domains are protected.
This post is part 2 in a 3-part series highlighting Valimail’s latest research. Download the full report for free: Winter 2020 Email Fraud Landscape: Domain spoofing declines as protective measures grow.