DMARC Adoption Worldwide Slows with Australia’s ASX 100 Remaining Most Vulnerable

Fareed Bukhari June 13, 2019 DMARC

DMARC adoption rose a tepid 1% in the first quarter of the year, with the rate of growth slowing compared to the last three months of 2018, according to our latest report on email security trends. That said, nearly 90% of Fortune 500 businesses remain unprotected against email-based impersonation attacks targeting their customers, partners, and other businesses. But Australian companies lead their peers around the world in putting the public at risk.

The Q2 2019 Email Fraud and Identity Deception Report from the Agari Cyber Intelligence Division (ACID) identified 6.75 million domains with valid DMARC records out of the 328 million domains examined from January 1 through March 31. The quarterly reports from ACID represent the industry’s largest ongoing study of DMARC adoption worldwide.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an open standard email authentication protocol that helps businesses prevent cybercriminal organizations from spoofing or hijacking their domains in order to launch email scams designed to defraud consumers and businesses. According to reports in TechRepublic, Microsoft, PayPal, Bank of America, Dropbox and others may have discovered just how dangerous brand impersonations can be in the last few months.

Last year, email-based brand impersonation scams surged 250 percent. According to the FBI, the price tag for US-based businesses topped $2.7 billion. Consumers in the United States lose an average $1.4 billion per year through these and other forms of Internet fraud.

This quarter’s report marks the first to include DMARC implementation by region. On that score, it may serve as a wake-up call for some of the world’s largest companies.

The US and Germany Lead in DMARC

DMARC gives brands control over who is allowed to send emails on their behalf. Among other things, it enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.

Failure to implement DMARC at the top enforcement setting, p=reject, results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners, and the ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures. Or it may experience reduced deliverability rates for legitimate email, hurting important digital revenue streams.

According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, with the highest number of domains with country codes. Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default, monitor-only setting, which unfortunately does nothing to stop illegitimate emails from being delivered to inboxes.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains assigned DMARC records, it is number one in the number of DMARC records with an established p=reject enforcement policy, making it the leader in domains that are truly protecting against impersonation.

It’s easy to see why. According to industry studies, the US is the single most heavily targeted nation by cybercriminals. But this relative leadership in enforcement policies may reflect more on the rest of the world than it does on the readiness of US business as a whole. It’s just that things get worse from there.

Fortune 500 Making (Slow) Progress—But Dangers Persist

During the first quarter of the year, DMARC adoption remained lethargic with the largest US corporations continuing to implement email authentication at a measured pace. Over half of all Fortune 500 companies have assigned DMARC records, up 5% from the previous quarter. But 42% of those companies have yet to publish an enforcement policy.

Meanwhile, more than 5% have implemented a quarantine policy, which sends phishing emails to the spam folder—in line with the end of last year. And just 55 companies in the index have implemented a reject policy to block phishing attempts impersonating their brands. While that’s an 8% jump from December 2018, it means 89% of the Fortune 500 remains vulnerable to impersonation attacks, as do their customers.
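The report's buckets (no valid record, monitor-only p=none, quarantine, reject) can be reproduced from a domain's DMARC TXT record. The following is an added example, not code from the report or from Agari: it parses the record's tag/value syntax and tallies a constructed set of sample records the way the adoption figures above are tallied. Treating pct=0 as monitor-only is this example's own assumption.

```python
from collections import Counter

def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Return 'none' (no valid DMARC record), 'monitor' (p=none), 'quarantine' or 'reject'."""
    if txt is None:
        return "none"
    tags = parse_dmarc(txt)
    # A record only counts if it starts with v=DMARC1 and carries a policy tag.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return "none"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"
    # Assumption of this example: pct=0 applies the policy to no mail, so it is
    # counted as monitor-only even though p=quarantine/reject is published.
    if policy != "none" and tags.get("pct", "100") == "0":
        return "monitor"
    return "monitor" if policy == "none" else policy

def adoption_stats(records):
    """Tally a {domain: txt-or-None} mapping into the report's buckets."""
    counts = Counter(classify(txt) for txt in records.values())
    total = len(records)
    enforcement = counts["quarantine"] + counts["reject"]
    return {
        "total": total,
        "with_record": total - counts["none"],
        "monitor_only": counts["monitor"],
        "quarantine": counts["quarantine"],
        "reject": counts["reject"],
        "pct_enforcement": round(100 * enforcement / total, 1),
    }

# Constructed sample records (placeholder domains, not real DNS lookups).
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=0",
    "d.example": None,
    "e.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}
```

Running `adoption_stats(SAMPLE)` gives one enforcement domain out of five, i.e. 20% enforcement, with the pct=0 quarantine record landing in the monitor-only bucket.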

Still, the largest companies in other nations may have it worse. Only 14 companies on the FTSE 100 have implemented DMARC with a reject policy, for instance. And in Australia, significant educational efforts may be required to boost DMARC adoption.

Today, only 7 companies on the ASX 100 have implemented DMARC to reject, and 55% of the ASX 100 have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks that bear their names. In fact, Australia is getting hit harder by fraud than peers in many other countries, according to CSO. Consumers and businesses there lost more than $107 million to email-based impersonations in 2018—up 43% in just one year.

DMARC: Not Just Defense

All of this may seem discouraging, but the progress seen over the last quarter matters. The fact is, effectively deploying DMARC across hundreds, if not thousands of domains across a corporation’s entire email ecosystem can be daunting. But there’s growing evidence that in addition to squelching email-based brand impersonations, DMARC can pay some serious dividends—if it’s done right.

According to a study from Forrester Research, businesses using Agari Brand Protection™, for instance, have successfully seen impersonation attempts drop to near zero in a matter of weeks. And by avoiding the kind of negative headlines and brand erosion that result from such scams, organizations have also seen email conversion rates for their own, legitimate email programs climb an average of 10%.

Considering the average ROI in brand email campaigns is as high as $38 for every $1 spent—by far the highest of any digital channel—that can translate into millions in additional incentives to deploy DMARC now.

For more on DMARC adoption across industries and geographies, download a copy of the Q2 2019 Email Fraud & Identity Deception Trends Report.
