Email Security Blog

DMARC is expanding globally in surprising ways

Agari April 7, 2014 DMARC
Fallback Featured Image

Global DMARC coverage

DMARC recently celebrated its 2nd year anniversary, and has grown rapidly to become the de facto standard in email authentication. It currently covers 2 billion consumer mailboxes in over 70+ countries and has been adopted by most of the global consumer mailbox providers. For the purposes of this article, ISPs are defined as Internet Service Provider that also offer consumer email services and Mailbox Providers (MPs) are companies that provide web-based consumer email services such as Gmail,, etc. DMARC adoption by ISPs is a hot topic and understood to be “just a matter of time” vs questions around its value. In addition, nearly every major Secure Email Gateway (SEG) has announced support for DMARC, extending coverage into the Enterprise.

As an original founder (along with Google and Paypal) and a technical leader in the DMARC community, we wondered what DMARC’s coverage looked like country by country. Unfortunately, there is no easy way to determine this so we sharpened our pencils, reached out to our partners, and did some research. The following are some insights and observations derived from our investigation:

  •  Global DMARC coverage is well past “escape velocity” but its country adoption is uneven.
  • Countries with large local ISPs tend to have worse DMARC coverage. Conversely, countries with large global MPs generally have much better DMARC coverage.
  •  Japan & Germany are surprisingly far behind in DMARC coverage, but adoption by just 1-2 local ISPs could quickly get them to 70%+ coverage.
  •  Though country coverage is important to track, companies within the same country may see large variances in coverage of their customers.

The bifurcation of DMARC adoption by country One fact that stuck out early in our research phase, was the puzzling observation that large, established economies like Japan, Germany, France, and Italy only show 35-40% DMARC coverage while rapidly developing countries like Brazil, Mexico, and Thailand show a surprisingly high level of adoption, in excess of 80%. Our hypothesis for this somewhat counterintuitive finding is that countries with established, large domestic ISPs are moving more slowly while the developing countries are relying heavily on global MPs that have already adopted DMARC. The insular nature of the established economies ISPs is actually increasing the likelihood their consumers will be phished. Indeed, anecdotal evidence we’ve seen points to increases in phishing attacks on consumers in these larger economies (for example, the recent phishing attack on Japanese consumers by criminals purporting to be Bank of Tokyo-Mitsubishi UFJ). By contrast, rapidly developing countries have high usage of global MPs such as Gmail, Microsoft’s, Yahoo! Mail, and AOL, all of which have fully adopted DMARC.

Japan, Germany, and Italy can quickly become DMARC leaders

One encouraging fact is that Japan, Germany, and Italy can radically increase their coverage to 70%+ with only 1-2 local ISPs adopting DMARC in each country.

  • Japan’s Softbank (Yahoo! Japan) & NTT have expressed interest in adopting DMARC. Should these two local ISPs adopt DMARC, Japan would hit 75%+ DMARC coverage.
  • Germany’s 1&1 has similarly expressed support for DMARC. The adoption by 1&1 (and its sister companies GMX & would catapult Germany to 75%+ DMARC coverage.
  • Italy’s Alice & Libero stance towards DMARC adoption is not clear to us at this point, but their adoption would move Italy to 80%+ DMARC coverage.

It is this author’s opinion that these major local ISPs can have a significant impact on phishing in their respective countries and we encourage them to accelerate DMARC adoption. We also extend an invitation to these and any other ISPs considering DMARC, to have Agari assist and test their implementations as they move forward. France, however, is an interesting case. Its highly fractured ISPs market means that at least 6+ local ISPs would have to adopt DMARC in order to achieve meaningful DMARC country coverage.

DMARC coverage also varies by company

Although DMARC country coverage is an important overall metric, in speaking with our larger global clients, we found that each had a wide range of coverage numbers, even in the same country. For countries with 70%+ coverage, nearly all reported high levels (70%+) of DMARC coverage for their consumer base. What surprised us was that in countries with low DMARC coverage, many of our clients reported very high levels of coverage for their consumers. For example, in both Japan and Italy, several clients reported consumer DMARC coverage rates of over 75%. This means that over 75% of their consumers had mailboxes with active DMARC in place. We suspect that many of our client’s consumers are self-selecting global MPs and therefore have higher DMARC coverage than the country numbers would suggest. The implication is that each company should perform a quick DMARC coverage test (Agari performs such a test free of charge) to understand how many of their consumers are covered by DMARC.

Some final thoughts

Having worked with some companies in Germany & Japan, it became clear that even in situations with low (below 40%) DMARC coverage, the visibility and protection these vendors can provide is still significant. We therefore suggest that all companies adopt DMARC as a low risk & highly valuable way to gain visibility and protection of their consumer bases.

We encourage ISPs to report their plans to DMARC.ORG so this type of information can be tracked and disseminated.

Agari also commits to continue being an active missionary in DMARC adoption globally, and to continue helping large ISPs and SEGs through the process of DMARC implementation.

A note on methodology: The numbers in this article are only meant to be directionally correct. We estimate +/-5% accuracy of our derived DMARC coverage percentages. The numbers are derived by looking at B2C mail flows in each country by ISPs & MPs. We then add up the overall consumer email flows for ISPs/MPs that support DMARC in a specific country and get a rough DMARC country coverage percent. These numbers were then cross-checked with a number of Agari partners at ISPs, MPs, Email Service Providers (ESPs), and Agari Clients with global reach.

Agari Blog Image

April 27, 2022 Monica Delyani

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

May 11, 2021 John Wilson

Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

Gartner includes DMARC, or known by its full name as Domain-based Message Authentication, Reporting &…

Agari Blog Image

May 5, 2021 Michael Paiko

5.8B Malicious Emails Spoofed Domains; 76% of Fortune 500 Still at Risk: DMARC Results from Agari

Global adoption of Domain-based Messaging, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide…

Agari Blog Image

April 27, 2021 Michael Paiko

What Is SPF and How Does It Work?

We're going to delve into what SPF for email is, how to implement it, the…

mobile image