DMARC recently celebrated its 2nd year anniversary, and has grown rapidly to become the de facto standard in email authentication. It currently covers 2 billion consumer mailboxes in over 70+ countries and has been adopted by most of the global consumer mailbox providers. For the purposes of this article, ISPs are defined as Internet Service Provider that also offer consumer email services and Mailbox Providers (MPs) are companies that provide web-based consumer email services such as Gmail, Outlook.com, etc. DMARC adoption by ISPs is a hot topic and understood to be “just a matter of time” vs questions around its value. In addition, nearly every major Secure Email Gateway (SEG) has announced support for DMARC, extending coverage into the Enterprise.
As an original founder (along with Google and Paypal) and a technical leader in the DMARC community, we wondered what DMARC’s coverage looked like country by country. Unfortunately, there is no easy way to determine this so we sharpened our pencils, reached out to our partners, and did some research. The following are some insights and observations derived from our investigation:
The bifurcation of DMARC adoption by country One fact that stuck out early in our research phase, was the puzzling observation that large, established economies like Japan, Germany, France, and Italy only show 35-40% DMARC coverage while rapidly developing countries like Brazil, Mexico, and Thailand show a surprisingly high level of adoption, in excess of 80%. Our hypothesis for this somewhat counterintuitive finding is that countries with established, large domestic ISPs are moving more slowly while the developing countries are relying heavily on global MPs that have already adopted DMARC. The insular nature of the established economies ISPs is actually increasing the likelihood their consumers will be phished. Indeed, anecdotal evidence we’ve seen points to increases in phishing attacks on consumers in these larger economies (for example, the recent phishing attack on Japanese consumers by criminals purporting to be Bank of Tokyo-Mitsubishi UFJ). By contrast, rapidly developing countries have high usage of global MPs such as Gmail, Microsoft’s Outlook.com, Yahoo! Mail, and AOL, all of which have fully adopted DMARC.
One encouraging fact is that Japan, Germany, and Italy can radically increase their coverage to 70%+ with only 1-2 local ISPs adopting DMARC in each country.
It is this author’s opinion that these major local ISPs can have a significant impact on phishing in their respective countries and we encourage them to accelerate DMARC adoption. We also extend an invitation to these and any other ISPs considering DMARC, to have Agari assist and test their implementations as they move forward. France, however, is an interesting case. Its highly fractured ISPs market means that at least 6+ local ISPs would have to adopt DMARC in order to achieve meaningful DMARC country coverage.
Although DMARC country coverage is an important overall metric, in speaking with our larger global clients, we found that each had a wide range of coverage numbers, even in the same country. For countries with 70%+ coverage, nearly all reported high levels (70%+) of DMARC coverage for their consumer base. What surprised us was that in countries with low DMARC coverage, many of our clients reported very high levels of coverage for their consumers. For example, in both Japan and Italy, several clients reported consumer DMARC coverage rates of over 75%. This means that over 75% of their consumers had mailboxes with active DMARC in place. We suspect that many of our client’s consumers are self-selecting global MPs and therefore have higher DMARC coverage than the country numbers would suggest. The implication is that each company should perform a quick DMARC coverage test (Agari performs such a test free of charge) to understand how many of their consumers are covered by DMARC.
Having worked with some companies in Germany & Japan, it became clear that even in situations with low (below 40%) DMARC coverage, the visibility and protection these vendors can provide is still significant. We therefore suggest that all companies adopt DMARC as a low risk & highly valuable way to gain visibility and protection of their consumer bases.
We encourage ISPs to report their plans to DMARC.ORG so this type of information can be tracked and disseminated.
Agari also commits to continue being an active missionary in DMARC adoption globally, and to continue helping large ISPs and SEGs through the process of DMARC implementation.
A note on methodology: The numbers in this article are only meant to be directionally correct. We estimate +/-5% accuracy of our derived DMARC coverage percentages. The numbers are derived by looking at B2C mail flows in each country by ISPs & MPs. We then add up the overall consumer email flows for ISPs/MPs that support DMARC in a specific country and get a rough DMARC country coverage percent. These numbers were then cross-checked with a number of Agari partners at ISPs, MPs, Email Service Providers (ESPs), and Agari Clients with global reach.