Global adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide in 2020—reflecting a 32% increase in just six months, according to our H1 2021 Email Fraud & Identity Trends Report.
The total number of domains with DMARC set to its highest level of protection against email spoofing climbed to 3.8 million during the same period. That's up a staggering 87% from June 2020.
But don't break out the champagne just yet. While any rise in DMARC adoption is welcome, these figures represent just a tiny fraction of the half-billion domains our researchers scanned as part of the twice-yearly study.
During a six-month period that saw US businesses walloped by nearly 6 billion malicious emails spoofing corporate domains in healthcare, technology, and other sectors, DMARC adoption among Fortune 500 companies was a good news-bad news situation at best.
Fortune 500: DMARC Adoption Amid Pandemic
First the good news. The percentage of Fortune 500 companies with domains protected by DMARC at its highest enforcement level reached 24% by the end of December. That's up 20% from mid-year.
But it still means 76% of the nation's most prominent companies remain vulnerable to being impersonated in phishing attacks targeting their customers, partners, and the general public.
Maybe DMARC got put on the back burner because of everything else 2020 threw our way. But with 57% of US employees working from home and hamstrung by housebound children, frustrating vaccine rollouts, and countless other distractions, email threat actors appear to have found plentiful targets for socially engineered phishing attacks.
Sometimes these fraudsters seek to scam businesses and consumers out of money through fraudulent invoices or payment scams. Other times, the goal is to pilfer credentials to gain the toehold they need to wreak havoc. In addition to nearly $700 million in direct financial losses each month since 2016, advanced email threats like the kind in the SolarWinds case suggest the price tag could go much (much) higher.
Businesses that get impersonated in such attacks can face lost business and even lawsuits. Recent case law has found the party most able to prevent a cyberattack from happening can be liable for the losses that stem from it. Factor in strict new regulations and the losses can add up quickly.
Thankfully, there is an answer in DMARC.
Burden of Spoofs: Defending Against Brand Imposters
First introduced in 2012, DMARC gives brands control over who is allowed to send emails on their behalf.
It does this by enabling email providers to recognize when an email isn't coming from a specific brand's approved domains, and gives the brand the ability to tell receiving systems what to do with these unauthorized email messages. DMARC's most aggressive enforcement policy is reject (p=reject), which means email messages that don't pass authentication will be blocked from reaching their intended recipients.
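How a receiving system or a domain scanner reads the policy described above, as an added example that is not code from the report or from any vendor's tooling: a short Python parser that classifies a published DMARC TXT record by enforcement level. The function names, level names, and sample records are constructed for illustration.

```python
# Added example: classify the enforcement level of a DMARC TXT record.
# Function names and level names are hypothetical; sample records are constructed.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def enforcement_level(txt, subdomain=False):
    """Classify a record as no-dmarc, invalid, monitor-only, partial, quarantine or reject."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if subdomain:
        # sp= overrides p= for subdomains; a weaker sp leaves them spoofable.
        policy = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitor-only"
    # pct below 100 applies the policy to only a share of failing mail.
    return policy if int(pct) == 100 else "partial"


if __name__ == "__main__":
    samples = [  # constructed records for the reserved domain example.com
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; pct=25",
        "v=spf1 include:_spf.example.com ~all",
    ]
    for record in samples:
        print(f"{enforcement_level(record):<13} {record}")
```

Only the `reject` result corresponds to the highest enforcement level discussed here; a record with `p=reject; sp=none` still leaves subdomains in monitor-only mode.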
So why such low adoption rates? While deploying DMARC on a single domain is relatively simple, implementing it across an enterprise's total universe of domains—which can span dozens of internal departments and external email distribution partners—can get very complicated, very fast.
But according to a study from Forrester Research, DMARC deployments using automated implementation tools like those from Agari have been shown to drive phishing-based brand impersonation scams to near zero almost instantly. Today, customers in numerous categories use Agari DMARC Protection to manage nearly 257,000 domains with 81% at p=reject—far outperforming their industry peers.
Gartner: DMARC is a Top Priority for 2021
There are a couple of other important reasons why DMARC implementation should top corporate agendas this year. When companies are impersonated, even their own legitimate email marketing programs can be rendered radioactive to consumers.
At a time when email returns $40 for every $1 spent, email remains the most important digital channel you have. It's also the single most important source of identity verification when your customers transact with you online. But when users struggle to distinguish real messages from fakes, your online sales can tank.
By comparison, Forrester estimates DMARC deployment can boost email conversion rates as much as 10%, perhaps because the fraudsters seeking to impersonate your brand never hit your customers' radar (or their inboxes). That may also help explain why Gartner ranks DMARC as a top priority for every organization in 2021. With Q1 already coming to an end, the clock is ticking.
To learn more about recent trends in DMARC adoption, download the H1 2021 Email Fraud & Identity Deception Trends Report.