Despite Accelerating Adoption of DMARC, Less Than 10% of Enterprise Domains are Protected from Email Impersonation, Valimail Research Finds

Summer 2019 Email Fraud Landscape Report reveals only one in five enterprise DMARC records is at enforcement, giving rise to explosive growth in BEC attacks

SAN FRANCISCO – October 8, 2019 – Valimail, the leading provider of identity-based anti-phishing solutions, today released its Summer 2019 Email Fraud Landscape Report, shedding light on the identity crisis of worldwide Internet email and the steps being taken to protect email against impersonation. The original research analyzes the adoption rate of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.”

Valimail found that 850,000 domains worldwide now have DMARC records, a 5x increase since 2016. However, less than 17% of global DMARC records are at enforcement — meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes. Among large companies, only one in five enterprise DMARC records is at enforcement, a significant factor in the wild success of business email compromise (BEC) attacks, which have produced more than $26 billion in losses in the past three years.

“The identity crisis of email has never been more apparent,” said Alexander García-Tobar, CEO and co-founder of Valimail. “Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation. This is only possible due to email’s lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world’s most common forms of communication.”

According to the research findings, less than half of large U.S. tech companies’ DMARC records are at enforcement, and in most industry categories, fewer than 10% of enterprise domains are protected from impersonation. The U.S. government, which traditionally lags behind the private sector when it comes to security readiness, has achieved an impressive 93% of DMARC records at enforcement. This is up slightly from 91% in Valimail’s last research report, an indication that the government sector is proactively tackling the problem with email identity.

This research was compiled by analyzing tens of millions of publicly accessible records as well as aggregate data from billions of authentication requests.