Just 17% of domains with DMARC are actually protected. Here’s why
DMARC (Domain-based Message Authentication, Reporting & Conformance) usage continues to grow. About 80% of all email inboxes worldwide support DMARC, according to Valimail’s latest research report.
Based on Valimail’s real-time DNS analysis of tens of millions of domains globally, as of July 2019, more than 784,000 domains use DMARC — more than twice as many as were using it at this time last year.
So why is it still so difficult for companies to get to DMARC enforcement — the point at which they’re actually protecting their identities from impersonation?
This growth in domains with DMARC reflects a growing understanding that it’s way too easy for phishers and other miscreants to impersonate unprotected domains with bogus emails. The fact that so many large email operators (Gmail, Yahoo! Mail, Microsoft, and others) support DMARC is a huge validation of the standard and its potential. It shows that there’s broad commitment across the ecosystem for this standard.
And, if you deploy DMARC on your domain, you can be sure that the vast majority of inboxes worldwide will validate any email that appears to come from your domain and apply the authentication policy you specify. In short, the ball is now squarely in domain owners’ courts: Are they going to protect themselves or not?
The DMARC enforcement gap
When we look at the 784,000 domains that have DMARC, we find that only about 131,000, or 17%, are actually at enforcement.
Enforcement = a correctly configured DMARC policy that keeps spoofed emails out of recipients’ inboxes (p=quarantine or p=reject, in DMARC terminology).
Another 91,000, or 12%, have policies of quarantine or reject, but they are incorrectly configured, due to syntax errors, problems with the underlying SPF records, or other glitches that either invalidate the DMARC record, undercut its effectiveness, or limit the domain owner’s visibility into what DMARC is actually doing. These domains are not at enforcement because authentication will not work as expected: Spoofed messages may still be delivered and legitimate messages may get blocked.
The majority — 562,000 domains, or about 71% — have been set to a policy of “none” (a DMARC setting of p=none), which directs receiving inboxes to do nothing special with messages that fail authentication. In other words, these domains are telling mail receivers to treat unauthorized messages exactly the same as legitimate email, and deliver them straight to recipients’ inboxes.
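The three buckets above (enforcement, misconfigured, and p=none) can be checked mechanically against a domain's DMARC TXT record. The following classifier is an added example written for this page, not Valimail's code or its scoring method: it parses a record using the tag syntax of RFC 7489 and applies the article's description of the buckets, treating a syntax error, a `pct` below 100 (policy applied to only part of failing mail), `sp=none` (subdomains left open) or a missing `rua` address (no aggregate reports, so no visibility) as "misconfigured". Those thresholds are this example's reading of the text, and all sample records are constructed.

```python
"""Classify a DMARC record into enforcement / none / misconfigured.

Added example (not Valimail's code). Tag syntax follows RFC 7489; the
choice of what counts as 'misconfigured' follows the article's wording.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a tag -> value dict; raise ValueError on syntax errors."""
    # Tags are ';'-separated; a trailing ';' leaves an empty element, which is allowed.
    parts = [p.strip() for p in record.strip().split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p is required (RFC 7489 section 6.3).
    if parts[0].partition("=")[0].strip().lower() != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown subdomain policy {tags['sp']!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        raise ValueError("pct must be an integer between 0 and 100")
    return tags


def classify(record: str) -> tuple[str, list[str]]:
    """Return (bucket, notes), bucket being 'enforcement', 'none' or 'misconfigured'."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return "misconfigured", [f"syntax: {err}"]

    policy = tags["p"].lower()
    if policy == "none":
        return "none", ["p=none: receivers deliver failing mail exactly like legitimate mail"]

    notes = []
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    # Subdomain policy defaults to p when sp is absent (RFC 7489).
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so no visibility into results")
    return ("misconfigured" if notes else "enforcement"), notes


# Constructed sample records, one per bucket.
SAMPLES = {
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com": "enforcement",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com": "none",
    "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.com": "misconfigured",
    "v=DMARC1 p=reject": "misconfigured",  # missing ';' swallows the p tag
}

if __name__ == "__main__":
    for rec, expected in SAMPLES.items():
        bucket, notes = classify(rec)
        print(f"{bucket:14} {rec}  {notes if notes else ''}")
```

Run it as a script to see each sample record with its bucket and notes; in practice the record to check is the TXT record at `_dmarc.<domain>`, fetched with any DNS client.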
We see a similar pattern among large companies in almost every sector. While the rates of DMARC enforcement are a little higher among large companies, and those rates have been rising (see chart below), most sectors don’t exceed 20% enforcement rates by much. A 30% enforcement rate, as we see among Crunchbase unicorns and the largest U.S. banks, is noteworthy, but only the U.S. federal government has anything like a respectable number (91% enforcement), thanks to a 2017 DHS mandate requiring executive branch agencies to deploy DMARC with a p=reject policy for all .gov domains.
This is an indication that there’s a serious implementation hangup in the email authentication world. Imagine that only 70% of people installed locks on their front doors, and only 20% of them were actually locked. It wouldn’t make sense. But that’s exactly the situation that we see in the DMARC world.
Why so many domains can’t get to enforcement
What’s the hangup? In a few words, implementation and maintenance complexity.
DMARC looks simple on the surface, but implementing it correctly requires configuring SPF and DKIM records correctly as well.
Crucially, in order for it all to work properly, domain owners need to ensure that every legitimate service that the organization wants to use for sending email is properly authorized, with the appropriate SPF and DKIM settings.
If you’re not authorizing all the legitimate services, when you switch DMARC to an enforcement policy, you will wind up rejecting or quarantining some legitimate email. And that’s the point at which email administrators start to get very, very nervous. Accidentally shutting down a crucial cloud service used by the business development department while it’s in the middle of a time-sensitive M&A negotiation could have disastrous effects on the company’s future.
Add to this the fact that DMARC, SPF, and DKIM are all implemented through text-based DNS records with ticklish syntax, and you can see why companies have been slow to move from “testing the waters” to “all in with email authentication.”
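The "every legitimate service must be authorized" requirement and the "problems with the underlying SPF records" glitch above both come down to how the SPF record resolves. The following offline SPF evaluator is an added example, not Valimail's code: it replaces DNS with a constructed dictionary (`FAKE_DNS`, `bloated_dns()`; the domains and addresses are made up), walks `include:` chains for a given sending IP, and counts DNS-lookup mechanisms against the 10-lookup limit of RFC 7208 section 4.6.4. It shows how an organization that keeps adding sending services can push its record over that limit, at which point the record is a permanent error and legitimate mail fails SPF, which is exactly what makes a move to p=reject risky. It goes beyond the text in modelling the lookup limit; `a`, `mx`, `ptr` and `exists` need live DNS and are treated as non-matching here.

```python
"""Offline SPF evaluation with a DNS-lookup budget.

Added example (not Valimail's code). FAKE_DNS stands in for TXT lookups so the
check runs offline; all domains, records and IP addresses are constructed.
"""
import ipaddress
import re

# Constructed stand-in for DNS: domain -> SPF TXT record.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example include:_spf.mail.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.10 include:_spf.crm-eu.example ~all",
    "_spf.crm-eu.example": "v=spf1 ip4:198.51.100.20 -all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs one DNS query
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, ip: str, dns=FAKE_DNS, _lookups=None) -> tuple[str, int]:
    """Return (result, dns_lookups_used) for mail from `ip` claiming `domain`."""
    if _lookups is None:
        _lookups = [0]  # mutable counter shared across include:/redirect= recursion
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", _lookups[0]
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, *rest = re.split(r"[:=]", term, maxsplit=1)
        name, arg = name.lower(), (rest[0] if rest else "")

        if name in LOOKUP_TERMS:
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", _lookups[0]  # record is unusable: all mail fails SPF

        if name == "redirect":
            # Modifier honoured in the position it appears (conventionally last).
            return evaluate_spf(arg, ip, dns, _lookups)
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub, _ = evaluate_spf(arg, ip, dns, _lookups)
            if sub == "permerror":
                return "permerror", _lookups[0]
            matched = sub == "pass"  # include: matches only on pass
        elif name == "all":
            matched = True
        else:
            matched = False  # a/mx/ptr/exists need live DNS; no match in this offline model
        if matched:
            return RESULT[qualifier], _lookups[0]
    return "neutral", _lookups[0]


def bloated_dns() -> dict:
    """Constructed zone: 11 included services, one more than the limit allows."""
    dns = {"bloated.example": "v=spf1 "
           + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"}
    for i in range(11):
        dns[f"svc{i}.example"] = f"v=spf1 ip4:10.{i}.0.0/16 -all"
    return dns


if __name__ == "__main__":
    for sender in ("203.0.113.5", "198.51.100.20", "192.0.2.7", "172.16.0.1"):
        print(sender, evaluate_spf("example.com", sender))
    # The 11th service is legitimate but unreachable: the record errors out first.
    print("10.10.0.1 via bloated.example", evaluate_spf("bloated.example", "10.10.0.1", bloated_dns()))
```

The last case is the one to watch for before moving to enforcement: a sender that the record was meant to authorize gets `permerror` because the record itself is broken, and under p=reject that mail is dropped.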
For more information on how to move to enforcement successfully, see the following free resources:
- Operationalizing Email Authentication: A Systematic Approach to Email Authentication [White paper]
- Understanding DMARC Alignment: How to Stop Email Impersonation Attacks [White paper]
- So you’ve started a DMARC record… now what? [Ebook]
- Is your email authentication technology REALLY automated? [Ebook]
And to find out how the Valimail Platform simplifies and automates the DMARC process — making it so you can achieve enforcement in 4 months with about 0.2 FTE of staff time — check out Valimail Enforce.