
5.8B Malicious Emails Spoofed Domains; 76% of Fortune 500 Still at Risk: DMARC Results from Agari

Michael Paiko May 5, 2021 DMARC

Global adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide in 2020, reflecting a 32% increase in just six months, according to our H1 2021 Email Fraud & Identity Deception Trends Report.

The total number of domains with DMARC set to its highest level of protection against email spoofing climbed to 3.8 million during the same period. That’s up a staggering 87% from June 2020.

But don’t break out the champagne just yet. While any rise in DMARC adoption is welcome, these figures represent just a tiny fraction of the half-billion domains our researchers scanned as part of the twice-yearly study.

During a six-month period that saw US businesses walloped by nearly 6 billion malicious emails spoofing corporate domains in healthcare, technology, and other sectors, DMARC adoption among Fortune 500 companies was a good news-bad news situation at best.

Fortune 500: DMARC Adoption Amid Pandemic

First the good news. The percentage of Fortune 500 companies with domains protected by DMARC at its highest enforcement level reached 24% by the end of December. That’s up 20% from mid-year.

But it still means 76% of the nation’s most prominent companies remain vulnerable to being impersonated in phishing attacks targeting their customers, partners, and the general public.

Maybe it got put on the back burner because of everything else 2020 threw our way. But with 57% of US employees working from home and hamstrung by housebound children, frustrating vaccine rollouts, and countless other distractions, email threat actors appear to have found plentiful targets for socially engineered phishing attacks.

Sometimes these fraudsters seek to scam businesses and consumers out of money through fraudulent invoices or payment scams. In other cases, the aim is to pilfer credentials to gain the toehold they need to wreak havoc. In addition to nearly $700 million in direct financial losses each month since 2016, advanced email threats like the kind in the SolarWinds case suggest the price tag could go much (much) higher.

Businesses that get impersonated in such attacks can face lost business and even lawsuits. Recent case law has found that the party most able to prevent a cyberattack from happening can be liable for the losses that stem from it. Factor in strict new regulations and the losses can add up quickly.

Thankfully, there is an answer in DMARC.

Burden of Spoofs: Defending Against Brand Imposters

First introduced in 2012, DMARC gives brands control over who is allowed to send emails on their behalf.

It does this by enabling email providers to recognize when an email isn’t coming from a specific brand’s approved domains, and by giving the brand the ability to tell receiving systems what to do with these unauthorized messages. DMARC’s most aggressive enforcement policy is reject (p=reject), which means messages that don’t pass authentication will be blocked from reaching their intended recipients.
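To make the enforcement levels concrete, here is an added Python example (not code from this post or from Agari) that classifies DMARC TXT records by policy and computes the share of domains at p=reject. The function names and the `.example` records are constructed for illustration, and counting a record with `pct` below 100 one level down is this example's own choice.

```python
# Added example: classify DMARC TXT records by enforcement level.
# Records and domains below are constructed samples, not real scan data.
LEVELS = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # The version tag must come first and read v=DMARC1.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def enforcement(txt):
    """Map a TXT value to 'reject', 'quarantine', 'none' or 'no-dmarc'."""
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in LEVELS:
        return "no-dmarc"
    level = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # unparsable pct: fall back to the default of 100
    if not 0 <= pct <= 100:
        pct = 100
    # With pct below 100 only a sample of failing mail gets the stated policy;
    # the rest is handled one level down, so report that weaker level.
    if pct < 100 and level != "none":
        level = LEVELS[LEVELS.index(level) - 1]
    return level


def share_at_reject(records):
    """Fraction of domains that apply p=reject to all failing mail."""
    if not records:
        return 0.0
    return sum(enforcement(t) == "reject" for t in records.values()) / len(records)


SAMPLE = {  # constructed: domain -> TXT value published at _dmarc.<domain>
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=reject; pct=25",  # partial rollout
    "c.example": "v=DMARC1; p=none; rua=mailto:dmarc@c.example",  # monitoring only
    "d.example": "v=spf1 -all",  # an SPF record, not DMARC
    "e.example": None,  # nothing published
}
```

Only `a.example` counts as fully enforced here: `b.example` publishes p=reject but applies it to a quarter of failing mail, and `c.example` only collects reports.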

So why such low adoption rates? While deploying DMARC on a single domain is relatively simple, implementing it across an enterprise’s total universe of domains—which can span dozens of internal departments and external email distribution partners—can get very complicated, very fast.

But according to a study from Forrester Research, DMARC deployments using automated implementation tools like those from Agari have been shown to drive phishing-based brand impersonation scams to near zero almost instantly. Today, customers in numerous categories use Agari Brand Protection to manage nearly 257,000 domains with 81% at p=reject—far outperforming their industry peers.

Gartner: DMARC is a Top Priority for 2021

There are a couple of other important reasons why DMARC implementation should top corporate agendas this year. When companies are impersonated, even their own legitimate email marketing programs can be rendered radioactive to consumers.

At a time when email returns $40 for every $1 spent, email remains the most important digital channel you have. It’s also the single most important source of identity verification when your customers transact with you online. But when users struggle to distinguish real messages from fakes, your online sales can tank.

By comparison, Forrester estimates DMARC deployment can boost email conversion rates as much as 10%, perhaps because the fraudsters seeking to impersonate your brand never hit your customers’ radar (or their inboxes). Which may also help explain why Gartner ranks DMARC as a top priority for every organization in 2021. With Q1 already coming to an end, the clock is ticking.

To learn more about recent trends in DMARC adoption, download the H1 2021 Email Fraud & Identity Deception Trends Report.
