Valimail Research Finds Domains Without DMARC Enforcement Are Spoofed at Nearly Four Times the Rate of Domains with DMARC Enforcement

DMARC records saw 70% growth in the past year, reaching nearly one million domains globally

San Francisco, March 4, 2020 – Valimail, the leading provider of identity-based anti-phishing solutions, today released findings from its Email Fraud Landscape: Winter 2020 Report. The research analyzes trends in fraudulent email as well as the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.”

As of January 2020, nearly 1 million (933,973) domains have published DMARC records — an increase of 70% compared to last year, and more than 180% growth in the last two years. In addition, 80% of all inboxes worldwide do DMARC checks and enforce domain owners’ policies — if domain owners have configured DMARC.

However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace.

“Given DMARC’s benefits, it comes at no surprise its rate of adoption has been growing consistently,” said Alexander García-Tobar, CEO and co-founder, Valimail. “But publishing a DMARC record is just the first step — enforcement must be reached before a domain is protected, and trust can be restored to email. There’s an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn’t work, and move on to easier targets.”

Additional key data points from Valimail’s research includes:

  • At a minimum, 1% of global email volume is sent using a spoofed domain.
  • The United States remains the largest source of spoofed email by volume.
  • Russia, China, Vietnam and India continue to have a proportionally high number of spoofs among email originating from these countries.
  • 79% of US federal domains have DMARC records and 93% of those are at enforcement, a tribute to the the success of a 2017 directive from the Department of Homeland Security, BOD 18-01.
  • 23% of billion-dollar companies’ domains are at DMARC enforcement.

The research was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals.