Our quarterly analysis finds that business email compromise and brand impersonation scams continue to evolve at a relentless pace, and could even put major US presidential candidates at risk.

Download the report for our latest statistics, including:

  • Nearly 30% of BEC attacks now originate from compromised accounts
  • Employee-reported phishing attacks reaching SOCs surge 25%
  • DMARC adoption rises, but 90% of the Fortune 500 are still unprotected
  • Over 90% of current presidential candidates remain unprotected against email threats


Customer Phishing and DMARC Trends

Key Findings

By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.

Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage of domains at a reject policy.

Only 25% of domains are configured to send an email, with DMARC settings on the vast majority set to monitor-only.

DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any industry survey—we break down the state of DMARC implementation worldwide from January 1 through March 31, 2019.

Take Control of Your Domains

DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.


For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide

Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

The Picture Grows Sharper

By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption rate, but at a much slower pace than the previous quarter.

Q2 Scorecard
Vendors and DMARC Service Providers

Each quarter, we assess how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of p=reject. This combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works

As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies

The chart below provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages.

Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in terms of the total percentage of domains with DMARC set at its top enforcement level.

Assessing Vendor Attributes

THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.

QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.


DMARC Adoption By Geography

As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany Ahead in DMARC Records, the United States in Enforcement

According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.


Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor only setting. As mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a large percentage of those domains may never be used to send an email.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country coded domains assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy. According to industry studies, the United States is the most heavily-targeted nation by cybercriminals, which may help to explain this discrepancy.

Prominent Trends Across Top Companies

Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100), highlighting trends among prominent organizations across geographies.

Fortune 500

The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending amongst large companies.

During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizeable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.


DMARC Adoption – Just over 40% of the Fortune 500 with DMARC records assigned to domains have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.

Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.

Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.

FTSE 100

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE). It is seen as the benchmark reference for those seeking an indication of the performance of major companies in the United Kingdom.

Just under half of the top 100 public companies in the UK do not have a DMARC record for their corporate domains. The lack of DMARC implementation means an organization’s customers, suppliers, and other consumers and businesses remain vulnerable to phishing and the losses associated with email scams bearing the organization’s name.


DMARC Adoption – During the first quarter of 2019, there was a 4% increase in the number of FTSE 100 companies publishing a DMARC policy. This marks the first quarter that more than half of all FTSE companies have domain records for their corporate domains.

Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from the previous quarter.

Reject Policy – Only 14 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 3% increase from the previous period.

ASX 100

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.

It appears significant educational efforts are required to boost DMARC adoption in this region, which remains nearly unchanged from Q4 2018. Today, 55% of ASX 100 companies have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks bearing their name.


DMARC Adoption – Despite a 1% increase during the last quarter, more than half of the ASX has yet to publish a DMARC policy, showcasing how few companies are thinking about email security.

Quarantine Policy – Two percent have implemented a quarantine policy—the same as the prior quarter.

Reject Policy – Only seven percent have implemented a reject policy, unchanged from Q4 2018.

Large Sector Analysis
DMARC Authentication by Vertical

As part of our quarterly analysis of DMARC adoption, we examine public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

This quarter, the US Government is hands down the leader in DMARC policy attainment across all major sectors, with 81% of domains attaining DMARC implementation at a p=reject enforcement policy. While most other sectors experienced negligible changes in adoption over the last quarter, the percentage of healthcare industry domains without a DMARC record dropped 3%.

However, most of these records appear to have been published without an enforcement policy, leaving the associated domains open to email-based impersonation scams targeting their customers and business partners.


Industry Enforcement Comparison
The Agari Advantage by Vertical

By looking at the data in the Agari Email Threat Center, we can take a look at how enforcement rates across industries compare with those of Agari customers.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 537 billion emails from over 48,000 domains from January through March 2019.

Healthcare Takes the Lead

Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. For the first time ever, healthcare has surpassed the government sector to rank highest among all in the percentage of domains at enforcement in our quarterly reports.


Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that do not process an email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 80%.

This is remarkable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. By March 2019, it had surged past government, which had been the enforcement leader amongst Agari customers for some time.

Healthcare’s momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive 18-01. BOD 18-01 was issued on October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies. Agari healthcare sector customers appear to have also attained that goal—and then some.

Brand Indicators Adoption
Up 60% as More Brands Realize Its Value

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logo online with built-in protections that safeguard the brand, application providers, and consumers from impersonation attempts.

Groupon, Aetna, eBay, and Capital One are just some of the brands that use BIMI to display their logo next to their email messages— enhancing brand presence as well as providing assurance to recipients that the message is safe to open. BIMI will work only with an email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.

Q2 BIMI Snapshot: A 60% Increase in Brand Adoption

As of March 2019, 130 brand logos use BIMI with their top level domains and any number of additional subdomains. This is up from 81 logos in January, making it a 60% increase in just ninety days. With a growing number of pilots underway, look for this figure to climb in the coming months. Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered “must-have” for brand email campaigns everywhere.


Close button
Mail Letter

Would you like the confidence to trust your inbox?