DMARC gives brands control over who is allowed to send email on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with these unauthenticated email messages.
Failing to implement DMARC p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of spam, resulting in damage to the domain name’s reputation, blacklisting, and even reputational damage to the brand name itself. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.
Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.
For more information on DMARC and the benefits of adoption, visit www.agari.com/dmarc-guide
By crawling the entire public Internet domain space, representing over 323 million domains (up from 283 million domains in our last report), ACID was able to generate a snapshot of DMARC implementation rates worldwide from October through December 2018. Overall, the DMARC adoption rate grew slightly in December. The pace of adoption slowed in December due to the holidays, but was up overall during the full fourth quarter of 2018.
As a shorthand for determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field, which accepts an email address to receive aggregate DMARC data reports, is a good proxy for this calculation. At this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
The following table shows a basic ranking of top vendors, corresponding to the number of domains that specify that vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting (p=reject) for each vendor, which is the policy level that will block phishing messages.
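The tabulation described above, as an added Python example that is not Agari's or ACID's code: it classifies each domain's _dmarc TXT record by policy level and counts which rua receiver domains appear and what share of their domains sit at p=reject. The records and vendor domains are constructed placeholders, and a domain with no record or a non-DMARC record counts as “no record”.

```python
"""Added example (not Agari/ACID code): classify DMARC records by policy level and
tabulate rua receivers as a vendor market-share proxy. All placeholders are constructed."""
import re
from collections import Counter

# Constructed _dmarc TXT records keyed by domain; None means no record published.
SAMPLE_RECORDS = {
    "example-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-one.example; ruf=mailto:f@vendor-one.example",
    "example-b.test": "v=DMARC1; p=none; rua=mailto:reports@vendor-two.example",
    "example-c.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:agg@vendor-one.example!10m,mailto:self@example-c.test",
    "example-d.test": "v=DMARC1; p=reject; sp=none",
    "example-e.test": "v=spf1 include:_spf.example.test -all",  # an SPF record, not DMARC
    "example-f.test": None,
}

TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)", re.IGNORECASE)

def parse_dmarc(record):
    """Tag dict of a DMARC1 record that has a p tag, else None (absent, SPF, malformed)."""
    tags = {k.lower(): v.strip() for k, v in TAG_RE.findall(record or "")}
    return tags if tags.get("v", "").upper() == "DMARC1" and "p" in tags else None

def policy_level(record):
    """'none' (no usable record or unknown p), 'monitor' (p=none), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    levels = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}
    return levels.get(tags["p"].lower(), "none") if tags else "none"

def rua_vendors(record):
    """Receiver domains named in rua (the report's proxy for the DMARC vendor in use)."""
    tags = parse_dmarc(record) or {}
    # Each URI is mailto:addr@domain, optionally followed by a !size limit.
    return [a.strip().split("@")[-1].split("!")[0].lower()
            for a in tags.get("rua", "").split(",") if "mailto:" in a]

def policy_distribution(records):
    """Percentage of domains at each level, as in the adoption figures above."""
    counts, n = Counter(policy_level(r) for r in records.values()), len(records)
    return {lvl: round(100 * counts[lvl] / n)
            for lvl in ("none", "monitor", "quarantine", "reject")}

def vendor_table(records):
    """Per rua receiver domain: (domains referencing it, percent of those at p=reject)."""
    totals, rejects = Counter(), Counter()
    for rec in records.values():
        at_reject = policy_level(rec) == "reject"
        for vendor in set(rua_vendors(rec)):
            totals[vendor] += 1
            rejects[vendor] += at_reject
    return {v: (totals[v], round(100 * rejects[v] / totals[v])) for v in totals}
```

Against live data the records would come from DNS TXT lookups of `_dmarc.<domain>`, and the p=reject share per vendor is the second filter the text describes.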
While the pace of DMARC adoption decelerated in the last quarter of 2018, the largest corporations around the world continue to gain traction in terms of email authentication. However, when considering the sizable proportion of “no record” and “monitor-only” policies, the current state of implementation at the start of 2019 is leaving customers, business partners, and brands vulnerable to phishing and the losses associated with email fraud.
Almost 85% of the Fortune 500 remain vulnerable to phishing, as are their customers. And while adoption improved by 2% during the quarter, DMARC adoption remains dangerously low within the Fortune 500, enabling threat actors to exploit the considerable brand equity of even the largest, most well-known and most trusted companies in the United States.
DMARC Adoption – Nearly 50% of the Fortune 500 have yet to publish any DMARC policy. Nonetheless, this is a 2% improvement over just 90 days, and a marked improvement from 2017, when more than two-thirds of the Fortune 500 had no DMARC policy.
Quarantine Policy – Only 5% have implemented a quarantine policy to send phishing emails to the spam folder, about the same percentage as the previous quarter.
Reject Policy – One in 10 have implemented a reject policy to block phishing attempts impersonating their brands. This is up from just 8% in the previous report.
Just as with their Yankee counterparts, the majority of the top 100 United Kingdom public companies do not have a DMARC record for their corporate domains. The lack of DMARC implementation dramatically increases the likelihood of the organization falling prey to not just fraud, but also a data breach, and all the reputational and financial damage that comes with it.
DMARC Adoption – Over the fourth quarter of 2018, there was a 3% increase in the number of FTSE 100 companies publishing a DMARC policy. While an improvement, that leaves 53% of these companies open to attack.
Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from last year.
Reject Policy – Only 11 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 2% increase from the previous period.
Fewer than half of ASX companies have taken, at a minimum, the first step in adopting DMARC to combat the threat of phishing attacks bearing their name. Clearly, considerable educational initiatives are needed to increase DMARC adoption in this region.
DMARC Adoption – More than half of the ASX have yet to publish any DMARC policy.
Quarantine Policy – Two percent have implemented a quarantine policy, marking an uptick from 1% in the previous quarter. That said, this is only an increase of one organization, showcasing how few companies are thinking about email security.
Reject Policy – Only seven percent have implemented a reject policy—the same as the prior quarter.
As the chart below shows, when viewed from a DMARC policy attainment perspective, the US Government is hands down the DMARC leader across all major sectors. Driven by an executive branch security mandate implemented over the past year, a stunning 81% of domains have implemented DMARC at a p=reject, or block, enforcement policy—up from 76% in a single quarter.
Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 583 billion emails over 18,729 domains from October through December 2018.
Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that don’t process an email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 82%.
Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. Consistent with overall industry dynamics, the government sector (heavily biased toward the US government) continues to dominate Threat Center rankings. Following the government, healthcare has edged out the technology sector as the next-highest ranked vertical for the percentage of domains at enforcement.
This is notable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. This momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive (BOD) 18-01. BOD 18-01 was issued in October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies.
For instance, a retail brand can use BIMI to display its logo next to its messages, enhancing its brand presence as well as providing assurance to recipients that the message is safe to open. BIMI works only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.