Agari Global DMARC Adoption Report

Based on Agari research of public DNS records, 92 percent of all Fortune 500 companies have left their customers and business partners unprotected from phishing and other forms of email attacks that impersonate their corporate email domain. A similar pattern has emerged around the world with the FTSE 100 and the ASX 100. Cybercriminals exploit this vulnerability by sending billions of emails per year claiming to be from these companies.

The Agari Global DMARC Adoption Report examines the growing threat of phishing amid slow adoption of DMARC, and includes the results of our analysis of the DMARC policies of the corporate domains of the Fortune 500, FTSE 100 and ASX 100.

DMARC ADOPTION ANALYSIS Phishing has become a pervasive threat in the United States and around the world. The impact of these threats has been felt by both businesses and government, alike. If organizations implement DMARC, they could protect against these attacks; yet more than two-thirds have not implemented any DMARC policy and more than 90 percent remain vulnerable to impersonation of their corporate email domains. The cybercriminals have responded by ramping up phishing activity to take advantage of this vulnerability. Between October 2014 and June 2016, the number of new, unique phishing sites has increased by more than 1000 percent.

More than 90 percent of the Fortune 500 are vulnerable to digital deception, leaving their customers, employees and brand name exposed to a fraud. The Fortune 500 are the largest, most well-known and most trusted companies in America. Unfortunately, DMARC adoption is dangerously low within the Fortune 500, enabling malicious actors to abuse that trust and leaving corporations unprepared to prevent it.

More than two-thirds of the Fortune 500 (337 companies) do not have a DMARC record on their corporate domain. Of the remaining third, 124 companies have a Monitor (None) policy, which monitors for DMARC abuse, but does not prevent it. Fewer than 10 percent of the Fortune 500 have deployed a DMARC policy to prevent digital deception; 15 companies (three percent) have a Quarantine policy and 24 companies (five percent) have a Reject policy.

Interestingly, only four industry sectors have achieved a majority adoption rate: business services (60 percent), financials (57 percent), technology (55 percent) and transportation (53 percent). The full list of DMARC adoption by industry sector follows along with a persector percentage breakdown.