DMARC gives brands the ability to help email receiver systems recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to do with these unauthenticated email messages. Policy settings include monitor (“p=none”), instructing the email receiver system to allow the email to be delivered anyway; “p=quarantine,” which places the email in the spam folder; and “p=reject,” which blocks the email from ever reaching the inbox. When enforcement policies are set properly, DMARC helps ensure only authorized senders can use an organization’s domain name in emails, and has been shown to drive phishing rates impersonating brands down to near zero.
For more information on DMARC and the benefits of adoption see: agari.com/dmarc-guide
During the analyzed period, Agari captured an unprecedented view into the state of DMARC adoption rates and enforcement policies by crawling the entire public Internet domain space representing over 283 million domains, generating a snapshot of DMARC implementation rates worldwide. Agari took a snapshot in July 2018, followed by a snapshot of the data in October 2018.
As a shorthand for determining a market share figure, we tabulated the number of times specific well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field, which accepts an email address to receive aggregate DMARC data reports, is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
The following table shows a basic ranking of top vendors, corresponding to the number of domains that specify that vendor in the “rua” field. We then applied a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy (p=reject) for each vendor, which is the policy level that will block phishing messages.
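The policy levels described above and the rua-based vendor-share method from the methodology, as an added Python example that is not Agari’s own tooling: it parses DMARC TXT records, classifies each domain’s policy level, and tabulates per-vendor domain counts with the share at p=reject. The records and reporting-vendor domains below are constructed placeholders, not crawl data.

```python
from collections import Counter, defaultdict

# Constructed sample: domain -> TXT record published at _dmarc.<domain> (None = no record).
SAMPLE = {
    "alpha.example": "v=DMARC1; p=reject; rua=mailto:dmarc@rep-a.example",
    "beta.example": "v=DMARC1; p=none; rua=mailto:agg@rep-a.example, mailto:x@beta.example",
    "gamma.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:agg@rep-b.example",
    "delta.example": "v=DMARC1;p=reject;rua=mailto:agg@rep-b.example;ruf=mailto:f@rep-b.example",
    "epsilon.example": None,
    "zeta.example": "v=spf1 include:_spf.example ~all",  # a TXT record, but not DMARC
}

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC1 record, or None if txt is not one."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def rua_domains(tags):
    """Domains of the mailto: URIs in rua; the report uses this as its vendor proxy."""
    found = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            addr = uri[len("mailto:"):].split("!")[0]  # drop an optional "!size" limit
            found.append(addr.rsplit("@", 1)[1].lower())
    return found

def policy_level(tags):
    """Classify as in the report: 'no record', 'none', 'quarantine' or 'reject'."""
    if tags is None:
        return "no record"
    return tags.get("p", "none").lower()  # a record without p is treated as monitor-only

def tabulate(records):
    """Policy-level counts, plus per-vendor domain counts and the share at p=reject."""
    levels = Counter()
    per_vendor = defaultdict(lambda: {"domains": 0, "reject": 0})
    for domain, txt in records.items():
        tags = parse_dmarc(txt)
        level = policy_level(tags)
        levels[level] += 1
        for vendor in set(rua_domains(tags or {})):  # count each vendor once per domain
            per_vendor[vendor]["domains"] += 1
            per_vendor[vendor]["reject"] += int(level == "reject")
    for stats in per_vendor.values():
        stats["reject_pct"] = round(100 * stats["reject"] / stats["domains"], 1)
    return levels, dict(per_vendor)
```

On a real crawl the same functions would be fed the TXT records resolved for each domain; the second filter in the table above corresponds to sorting vendors by `domains` and then reading off `reject_pct`.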
Agari observed many examples of dubious or tangential use of DMARC configurations, which goes a long way to explain the growth in raw policies we witnessed in Q3 2018. For example, during the course of our analysis, Agari tracked substantial movement among domain registrars or domain monetization companies which, as a matter of business process, configured DMARC records. For example, one firm, Team Internet, registered over 100,000 incremental domains over the course of the analyzed period, all of which had DMARC records. Another registrar based out of Russia, snbox.ru, registered over 300,000 new domains, all set to a p=reject policy. Many of these domains were very similar (or look-alike) domains to common and well-known brands, such as the Internet bandwidth site “speedtest” or the popular gaming site “Kongregate.” Our hypothesis is that for these domain monetization firms, it’s likely best practice to ensure that domains of this ilk do not end up on takedown sites, on IP reputation blacklists, or being used by cybercriminals in phishing scams, hence the strategy to assign a DMARC reject policy to the domain.
Our additional research indicates that, across the board, the largest corporations around the world have in fact made strides with email authentication. However, when considering the prevailing proportion of “no record” and “monitor-only” policies, the state of implementation is leaving their customers, business partners, and brand vulnerable to phishing and the losses associated with email fraud.
Almost 87 percent of the Fortune 500 are vulnerable to phishing, leaving their customers, employees and brand name exposed to fraud. The Fortune 500 are the largest, most well-known and most trusted companies in the United States. Unfortunately, DMARC adoption is dangerously low within the Fortune 500, enabling malicious actors to abuse that trust and leaving corporations unprepared to prevent it.
DMARC Adoption – Almost half (49 percent) of the Fortune 500 have not published any DMARC policy. This is, however, an improvement over the previous year, in which two-thirds (67 percent) of the Fortune 500 had no DMARC policy.
Quarantine Policy – Only five percent have implemented a Quarantine policy to send phishing emails to the spam folder.
Reject Policy – Only eight percent have implemented a Reject policy to block phishing attempts. This is an increase of over 3 percent from the previous period.
Applying the same methodology used for the Fortune 500 analysis reveals that, similarly to the United States, the majority of the top 100 United Kingdom public companies do not have a DMARC record for their corporate domain. The lack of DMARC implementation within an organization exposes the business not only to the potential for fraud but also to a data breach, and to all the public reputational and financial penalties associated with an incident, while simultaneously eroding the faith that employees and customers have in the brand.
DMARC Adoption – Over half (56 percent) of the Financial Times Stock Exchange 100 have not published any DMARC policy, which represents an 11 percentage point increase over the previous period.
Quarantine Policy – Only one percent have implemented a Quarantine policy to send phishing attempts to spam. This percentage is unchanged from last year.
Reject Policy – Only nine percent have implemented a Reject policy to block phishing attempts.
With just under a third of Australian businesses having taken, at a minimum, the first step in adopting DMARC to combat the threat of digital deception, it is evident that a high level of education still needs to be undertaken in this market.
DMARC Adoption – Almost two-thirds (60 percent) of the Australian Securities Exchange (ASX 100) have not published any DMARC policy.
Quarantine Policy – Only one percent have implemented a Quarantine policy.
Reject Policy – Only seven percent have implemented a Reject policy to block phishing attempts, which doesn’t amount to much of an increase from last year’s 3 percent reject rate.
We compared these statistics to the United States government domains, which were the subject of a high level, top-down mandate in 2017 to implement security controls, with DMARC enforcement being a key component. As the chart below shows, when viewed from a DMARC policy attainment perspective, the US Government could be the poster child for a sector-wide DMARC implementation success story. When looking at DMARC enforcement (or domain policies with a p=reject or block configuration), the US Government is the clear leader with 76% of its in-scope domains at an enforcement policy.
The reject or enforcement policy ensures that mailbox providers block any malicious emails that spoof an organization’s brand or domain name. It’s telling that the government’s progress far outpaces dominant business-to-consumer sectors such as retail and healthcare, which depend on a trusted communication channel to their customers. The finance industry, which has the highest adoption and reject rates other than the U.S. government, was an early adopter of DMARC and has historically been a top target for initial phishing attacks. Yet, in only one year, driven by the BOD 18-01 mandate, the US federal government was able to far surpass all other sectors.
For more information on the BOD 18-01 and a detailed analysis of federal agency progress and policy attainment, see: agari.com/fedreport