DMARC usage grows 2.5X in two years, as organizations embrace the need to protect their domains from phishing and BEC
SAN FRANCISCO, July 14, 2020 – Valimail, the leading provider of zero-trust identity-based anti-phishing solutions, today released findings from its Email Fraud Landscape: Summer 2020 Report. Now in its fourth year, this research analyzes trends in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.”
For the first time, the number of domains deploying DMARC records has surpassed 1 million — 2.5 times greater than the total in 2018.
DMARC is widely supported, with 80% of all inboxes worldwide doing DMARC checks and enforcing domain owners’ policies on every single inbound message — if the senders of those messages have configured DMARC for their domains. It is also widely recommended: The U.S. Department of Homeland Security mandates DMARC for federal agencies, the U.S. Federal Trade Commission recommends it for companies, and the Mobile, Messaging, and Malware Anti-Abuse Working Group (M3AAWG), which is the leading industry organization devoted to stopping phishing, spam, and email abuse, calls it a “crucial” tool in the fight against COVID-19-related phishing attacks.
Valimail’s report finds that only 13.9% of all DMARC records are configured with enforcement policies that reject or quarantine non-authenticating email. This rate is higher among large organizations, however: 30% of the Fortune 500 domains using DMARC are using enforcement policies, for example. The rate of enforcement has been steadily rising in most industries, Valimail’s research has consistently found.
“The benefits of email authentication are clear, which is why it’s so encouraging to see so many domains adopting the DMARC standard,” said Alexander García-Tobar, CEO and co-founder, Valimail. “Now they will need to get to enforcement — the point at which they’re actually protected from being spoofed by bad actors. But it’s not just about self interest: DMARC with enforcement is increasingly mandated by a variety of organizations and standards, such as BIMI, because it is such a strong, reliable signal of domain identity. Authentication with enforcement will be even more critical in the coming months as the world begins to adopt a zero-trust approach to email security.”
Additional key findings from Valimail’s research include:
- 79% of Fortune 500 domains can still be spoofed, because they either have no DMARC, are using DMARC in “monitor mode,” or have other DMARC configuration problems
- 86% of global companies with $1B or more in revenues can be spoofed
- On the positive side, 75% of U.S. federal domains are protected from spoofing by DMARC enforcement (whitehouse.gov, however, is not one of them)
- 60% of utility domains now have DMARC records. However, because enforcement rates remain low, these parts of our critical infrastructure are unprotected from domain spoofing: Only 8% of all utilities have achieved DMARC enforcement.
The research was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals.