Each quarter, Agari publishes insights into new threats for both inbound and outbound email. From October to December, we found:

  • Account takeover-based threats account for 20% of the inbound attacks that target employees.
  • While 70% of brand impersonation attacks spoofed Microsoft, another notable impersonation target was the IRS.
  • Costs reported to Security Operations Centers (SOCs) to triage, investigate, and remediate threats exceeded $4.86M.
  • The volume of raw DMARC domains surged to 6.1 million, but major businesses are still lagging in adoption rates.

Download your copy of the Q1 2019 report now to learn which brands and identities were targeted most.

Customer Phishing and DMARC Trends


DMARC Confidential:
The Industry’s Largest Snapshot of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of 323 million Internet domains—the largest of any industry survey—we break down the state of DMARC implementation worldwide from October through December 2018.

Ditch the Domain Spoofing

DMARC gives brands control over who is allowed to send email on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with these unauthenticated email messages.


Failing to implement DMARC p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of spam, resulting in damage to the domain name’s reputation, blacklisting, and even reputational damage to the brand name itself. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

For more information on DMARC and the benefits of adoption, visit www.agari.com/dmarc-guide

By crawling the entire public Internet domain space representing over 323 million domains—up from 283 million domains in our last report—ACID was able to generate a snapshot of DMARC implementation rates worldwide from October through December 2018. Overall, the DMARC adoption rate grew slightly in December. The pace of adoption slowed in December due to the holidays, but was up overall during the full fourth quarter of 2018.

Key Findings
  • By January, ACID identified 6.1 million domains with valid DMARC records, up from 5.3 million in October. This represents modest growth of roughly 15% quarter over quarter.
  • Factoring in automated actions of domain registrar-initiated DMARC records, the number of DMARC policies reduces to about 4.4 million. 
  • While the absolute volume of DMARC policies increased, so did the total universe of domains examined in our survey. Monitor-only continues to be the most common policy.

An Unprecedented View:
The Race to Increase Domains and Enforcement Levels

Each quarter, we set out to get a firm read on how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of “p=reject.” This combination of data points offers a snapshot of market share and success rates for each of these vendors.

Vendor Scorecard

As a shorthand for determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field, which accepts an email address to receive aggregate DMARC data reports, is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

The following table shows a basic ranking of top vendors, corresponding to the number of domains that specify that vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting (p=reject) for each vendor, which is the policy level that will block phishing messages.
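The tabulation described above, sketched as an added example (not Agari's code or data): it parses DMARC TXT records, attributes each domain to the vendors named in its “rua” tag, and reports the share of those domains at p=reject. The sample records, vendor domains, and function names are assumptions, the parsing is simplified relative to the full DMARC specification, and `min_domains` mirrors the report's more-than-1,000-domains cutoff.

```python
from collections import defaultdict

# Constructed sample input: (domain, TXT record at _dmarc.<domain>). Not survey data.
SAMPLE_RECORDS = [
    ("a.example", "v=DMARC1; p=reject; rua=mailto:agg@vendor-one.example"),
    ("b.example", "v=DMARC1; p=none; rua=mailto:agg@vendor-one.example;"),
    ("c.example", "v=DMARC1;p=quarantine;rua=mailto:r@vendor-two.example,mailto:x@c.example"),
    ("d.example", "v=DMARC1; p=REJECT; rua=mailto:r@vendor-two.example!10m"),
    ("e.example", "v=spf1 -all"),         # TXT record that is not DMARC
    ("f.example", "v=DMARC1; p=reject"),  # enforcing, but no rua recipient
    ("g.example", "v=DMARC1; p=reject; rua=mailto:agg@vendor-one.example"),
]
VENDORS = {"vendor-one.example", "vendor-two.example"}  # hypothetical vendor report domains

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):  # version tag must come first
        return None
    record = dict(tags)
    record["p"] = record.get("p", "").lower()
    return record if record["p"] in ("none", "quarantine", "reject") else None

def rua_domains(record):
    """Domains of the mailto: addresses listed in the rua tag."""
    domains = set()
    for uri in record.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains

def vendor_scorecard(records, vendors, min_domains=0):
    """Map vendor -> (domains naming it in rua, percent of those at p=reject)."""
    totals, rejects = defaultdict(int), defaultdict(int)
    for _domain, txt in records:
        rec = parse_dmarc(txt)
        for vendor in (rua_domains(rec) & vendors) if rec else ():
            totals[vendor] += 1
            rejects[vendor] += rec["p"] == "reject"
    return {v: (n, round(100 * rejects[v] / n, 1))
            for v, n in totals.items() if n > min_domains}
```

Domains that enforce p=reject without naming a listed vendor in “rua” (like `f.example` in the sample) fall outside every vendor's count, which is why the proxy measures vendor share and not overall adoption.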


Key Findings
  • The Sweet Spot: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.
  • Higher Quantities Can See Lower Enforcement: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it’s harder to have more enterprise domains set to reject.
  • Quality Varies Wildly: About 500,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 2.8 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high percentage of enforcement rate in order to better ensure success.

Q1 DMARC Global Sector Analysis:
Fortune 500

As we have done in the past, we looked at publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) to gauge adoption trends among prominent global organizations across geographies.

While the pace of DMARC adoption decelerated in the last quarter of 2018, the largest corporations around the world continue to gain traction in terms of email authentication. However, when considering the sizable proportion of “no record” and “monitor-only” policies, the current state of implementation at the start of 2019 is leaving customers, business partners, and brands vulnerable to phishing and the losses associated with email fraud.

Almost 85% of the Fortune 500 remain vulnerable to phishing, as are their customers. And while this is a 2% increase during the quarter, DMARC adoption remains dangerously low within the Fortune 500, enabling threat actors to exploit the considerable brand equity of even the largest, most well-known and most trusted companies in the United States.


DMARC Adoption – Nearly 50% of the Fortune 500 have yet to publish any DMARC policy. Nonetheless, this is a 2% improvement over just 90 days, and a marked improvement from 2017, when more than two-thirds of the Fortune 500 had no DMARC policy.

Quarantine Policy – Only 5% have implemented a quarantine policy to send phishing emails to the spam folder, about the same percentage as the previous quarter.

Reject Policy – One in 10 have implemented a reject policy to block phishing attempts impersonating their brands. This is up from just 8% in the previous report.

Q1 DMARC Global Sector Analysis:
FTSE 100

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE) and is seen as the benchmark reference for those seeking an indication on the performance of the major companies listed in the United Kingdom.

Just as with their Yankee counterparts, the majority of the top 100 United Kingdom public companies do not have a DMARC record for their corporate domains. The lack of DMARC implementation dramatically increases the likelihood of the organization falling prey to not just fraud, but also a data breach, and all the reputational and financial damage that comes with it.


DMARC Adoption – Over the fourth quarter of 2018, there was a 3% increase in the number of FTSE 100 companies publishing a DMARC policy. While an improvement, that leaves 53% of these companies open to attack.

Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from last year.

Reject Policy – Only 11 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 2% increase from the previous period.

Q1 DMARC Global Sector Analysis:
ASX 100

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.

Fewer than half of ASX companies have taken, at a minimum, the first step in adopting DMARC to combat the threat of phishing attacks bearing their name. Clearly, considerable educational initiatives are needed to increase DMARC adoption in this region.


DMARC Adoption – More than half of the ASX have yet to publish any DMARC policy.

Quarantine Policy – Two percent have implemented a quarantine policy, marking an uptick from 1% in the previous quarter. That said, this is only an increase of one organization, showcasing how few companies are thinking about email security.

Reject Policy – Only seven percent have implemented a reject policy—the same as the prior quarter.

Q1 Large Sector Analysis:
US Government Maintains Its Lead

As part of our analysis of DMARC adoption, we examine public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

As the chart below shows, when viewed from a DMARC policy attainment perspective, the US Government is hands down the DMARC leader across all major sectors. Driven by an executive branch security mandate implemented over the past year, a stunning 81% of domains have implemented DMARC at a p=reject, or block, enforcement policy—up from 76% in a single quarter.


Q1 Industry Enforcement Comparison:
The Agari Advantage by Vertical

A look at how enforcement rates across industries compare with those of Agari customers, according to data from the Agari Email Threat Center.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 583 billion emails over 18,729 domains from October through December 2018.


Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that don’t process an email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 82%.

Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. Consistent with overall industry dynamics, the government sector (heavily biased toward the US government) continues to dominate Threat Center rankings. Following the government, healthcare has edged out the technology sector as the next-highest ranked vertical for the percentage of domains at enforcement.

This is notable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. This momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive (BOD) 18-01. BOD 18-01 was issued in October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies.

BIMI Builds Momentum:
Taking DMARC One Step Further

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logo online with built-in protections that safeguard the brand, application providers, and consumers from impersonation attempts. BIMI-enabled logos can be easily incorporated into messaging and social media applications.

For instance, a retail brand can use BIMI to display its logo next to its messages, enhancing its brand presence as well as providing assurance to recipients that the message is safe to open. BIMI will work only with an email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.

