Search Close
Identity Intelligence Blog

DMARC is expanding globally in surprising ways

Agari April 7th, 2014 DMARC
Fallback Featured Image

Global DMARC coverage

DMARC recently celebrated its 2nd year anniversary, and has grown rapidly to become the de facto standard in email authentication. It currently covers 2 billion consumer mailboxes in over 70+ countries and has been adopted by most of the global consumer mailbox providers. For the purposes of this article, ISPs are defined as Internet Service Provider that also offer consumer email services and Mailbox Providers (MPs) are companies that provide web-based consumer email services such as Gmail, Outlook.com, etc. DMARC adoption by ISPs is a hot topic and understood to be “just a matter of time” vs questions around its value. In addition, nearly every major Secure Email Gateway (SEG) has announced support for DMARC, extending coverage into the Enterprise.

As an original founder (along with Google and Paypal) and a technical leader in the DMARC community, we wondered what DMARC’s coverage looked like country by country. Unfortunately, there is no easy way to determine this so we sharpened our pencils, reached out to our partners, and did some research. The following are some insights and observations derived from our investigation:

  •  Global DMARC coverage is well past “escape velocity” but its country adoption is uneven.
  • Countries with large local ISPs tend to have worse DMARC coverage. Conversely, countries with large global MPs generally have much better DMARC coverage.
  •  Japan & Germany are surprisingly far behind in DMARC coverage, but adoption by just 1-2 local ISPs could quickly get them to 70%+ coverage.
  •  Though country coverage is important to track, companies within the same country may see large variances in coverage of their customers.

The bifurcation of DMARC adoption by country One fact that stuck out early in our research phase, was the puzzling observation that large, established economies like Japan, Germany, France, and Italy only show 35-40% DMARC coverage while rapidly developing countries like Brazil, Mexico, and Thailand show a surprisingly high level of adoption, in excess of 80%. Our hypothesis for this somewhat counterintuitive finding is that countries with established, large domestic ISPs are moving more slowly while the developing countries are relying heavily on global MPs that have already adopted DMARC. The insular nature of the established economies ISPs is actually increasing the likelihood their consumers will be phished. Indeed, anecdotal evidence we’ve seen points to increases in phishing attacks on consumers in these larger economies (for example, the recent phishing attack on Japanese consumers by criminals purporting to be Bank of Tokyo-Mitsubishi UFJ). By contrast, rapidly developing countries have high usage of global MPs such as Gmail, Microsoft’s Outlook.com, Yahoo! Mail, and AOL, all of which have fully adopted DMARC.

Japan, Germany, and Italy can quickly become DMARC leaders

One encouraging fact is that Japan, Germany, and Italy can radically increase their coverage to 70%+ with only 1-2 local ISPs adopting DMARC in each country.

  • Japan’s Softbank (Yahoo! Japan) & NTT have expressed interest in adopting DMARC. Should these two local ISPs adopt DMARC, Japan would hit 75%+ DMARC coverage.
  • Germany’s 1&1 has similarly expressed support for DMARC. The adoption by 1&1 (and its sister companies GMX & web.de) would catapult Germany to 75%+ DMARC coverage.
  • Italy’s Alice & Libero stance towards DMARC adoption is not clear to us at this point, but their adoption would move Italy to 80%+ DMARC coverage.

It is this author’s opinion that these major local ISPs can have a significant impact on phishing in their respective countries and we encourage them to accelerate DMARC adoption. We also extend an invitation to these and any other ISPs considering DMARC, to have Agari assist and test their implementations as they move forward. France, however, is an interesting case. Its highly fractured ISPs market means that at least 6+ local ISPs would have to adopt DMARC in order to achieve meaningful DMARC country coverage.

DMARC coverage also varies by company

Although DMARC country coverage is an important overall metric, in speaking with our larger global clients, we found that each had a wide range of coverage numbers, even in the same country. For countries with 70%+ coverage, nearly all reported high levels (70%+) of DMARC coverage for their consumer base. What surprised us was that in countries with low DMARC coverage, many of our clients reported very high levels of coverage for their consumers. For example, in both Japan and Italy, several clients reported consumer DMARC coverage rates of over 75%. This means that over 75% of their consumers had mailboxes with active DMARC in place. We suspect that many of our client’s consumers are self-selecting global MPs and therefore have higher DMARC coverage than the country numbers would suggest. The implication is that each company should perform a quick DMARC coverage test (Agari performs such a test free of charge) to understand how many of their consumers are covered by DMARC.

Some final thoughts

Having worked with some companies in Germany & Japan, it became clear that even in situations with low (below 40%) DMARC coverage, the visibility and protection these vendors can provide is still significant. We therefore suggest that all companies adopt DMARC as a low risk & highly valuable way to gain visibility and protection of their consumer bases.

We encourage ISPs to report their plans to DMARC.ORG so this type of information can be tracked and disseminated.

Agari also commits to continue being an active missionary in DMARC adoption globally, and to continue helping large ISPs and SEGs through the process of DMARC implementation.

A note on methodology: The numbers in this article are only meant to be directionally correct. We estimate +/-5% accuracy of our derived DMARC coverage percentages. The numbers are derived by looking at B2C mail flows in each country by ISPs & MPs. We then add up the overall consumer email flows for ISPs/MPs that support DMARC in a specific country and get a rough DMARC country coverage percent. These numbers were then cross-checked with a number of Agari partners at ISPs, MPs, Email Service Providers (ESPs), and Agari Clients with global reach.

Leave a Reply

Your email will not be published. All fields are required.

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

August 10, 2018 Patrick Peterson

Half of Federal Agencies Racing to Meet DMARC Active Enforcement Deadline

July 17, 2018 AJ Shipley

5 Big Myths about DMARC, Debunked

July 2, 2018 Armen Najarian

Brand Impersonation Scams Skyrocketing—is DMARC Email Security the Answer?

mobile image