By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.
Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage of domains at a reject policy.
Only 25% of domains are configured to send email, with DMARC settings on the vast majority set to monitor-only.
DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.
Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.
For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide
Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.
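To make the policy stages concrete, the following added example (not part of the original report) shows how a receiver would treat the same two messages under p=none, p=quarantine and p=reject. The function names, message fields and domains are hypothetical, and the organizational-domain check is a simplification noted in the comments.

```python
# Added example: how a receiver applies a published DMARC policy to one message.
# Assumptions: organizational domain = last two labels (real receivers use the
# Public Suffix List); the pct= and sp= tags are not modeled.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, policy):
    """msg holds the From: domain plus the receiver's SPF and DKIM results."""
    from_dom = msg["from_domain"]
    spf_ok = msg["spf_pass"] and aligned(msg["spf_domain"], from_dom, policy.get("aspf", "r"))
    dkim_ok = any(
        sig["pass"] and aligned(sig["d"], from_dom, policy.get("adkim", "r"))
        for sig in msg["dkim"]
    )
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC pass: one aligned mechanism is enough
    return {"none": "deliver (report only)", "quarantine": "spam folder",
            "reject": "reject"}[policy["p"]]

# Constructed messages; all domains are placeholders.
SPOOFED = {  # SPF passes for the envelope domain, but it is not aligned with From:
    "from_domain": "brand.example", "spf_pass": True,
    "spf_domain": "bulk-sender.test", "dkim": [],
}
LEGIT = {  # third-party sender that DKIM-signs with a subdomain of the brand
    "from_domain": "brand.example", "spf_pass": True,
    "spf_domain": "esp.test",
    "dkim": [{"d": "mail.brand.example", "pass": True}],
}

def rollout():
    """The same two messages under each stage of a p=none -> p=reject rollout."""
    return {p: (dmarc_disposition(SPOOFED, {"p": p}), dmarc_disposition(LEGIT, {"p": p}))
            for p in ("none", "quarantine", "reject")}

if __name__ == "__main__":
    for stage, result in rollout().items():
        print(stage, result)
```

The last assertion-worthy case is strict DKIM alignment: with `adkim=s`, the legitimate message signed by `mail.brand.example` no longer aligns, which is the kind of breakage the monitoring stage is meant to surface before enforcement.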
By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption rate, but at a much slower pace than the previous quarter.
As a shorthand for determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
The chart below provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages.
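The tabulation described above can be sketched as follows. This is an added example, not ACID's code: the records, vendor names and the `min_domains` parameter are constructed for illustration, and records without a valid `p=` tag are simply skipped.

```python
from collections import defaultdict

def parse_dmarc(txt):
    """Tag dict for a DMARC TXT record, or None if not a usable record.
    Simplification: a record without a valid p= tag is skipped."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip()
            for k, sep, v in (p.partition("=") for p in parts) if sep}
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags if tags.get("p", "").lower() in ("none", "quarantine", "reject") else None

def rua_domains(tags):
    """Domains of the mailto: recipients in rua (a size suffix such as !10m is dropped)."""
    out = set()
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            out.add(uri.rsplit("@", 1)[1].split("!")[0].lower())
    return out

def vendor_table(records, vendor_domains, min_domains=1):
    """records: {domain: TXT}; vendor_domains: {rua domain: vendor name}.
    Returns {vendor: (domains reporting to it, percent of those at p=reject)}."""
    stats = defaultdict(lambda: {"domains": 0, "reject": 0})
    for txt in records.values():
        tags = parse_dmarc(txt)
        if tags is None:
            continue
        # Count each vendor once per domain, even if listed twice in rua.
        for vendor in {vendor_domains[d] for d in rua_domains(tags) if d in vendor_domains}:
            stats[vendor]["domains"] += 1
            stats[vendor]["reject"] += tags["p"].lower() == "reject"
    return {v: (s["domains"], round(100 * s["reject"] / s["domains"]))
            for v, s in stats.items() if s["domains"] >= min_domains}

# Constructed sample data; every domain and vendor is a placeholder.
RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:agg@vendor-a.test",
    "b.example": "v=DMARC1; p=none; rua=mailto:agg@vendor-a.test, mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:x@vendor-b.test!10m",
    "d.example": "v=DMARC1; p=reject; rua=mailto:x@vendor-b.test",
    "e.example": "v=spf1 -all",        # not a DMARC record, ignored
    "f.example": "v=DMARC1; p=none",   # no rua, so no vendor is credited
    "g.example": "v=DMARC1; p=reject; rua=mailto:agg@vendor-a.test",
}
VENDORS = {"vendor-a.test": "Vendor A", "vendor-b.test": "Vendor B"}
```

Calling `vendor_table(RECORDS, VENDORS)` yields both columns of the ranking at once; raising `min_domains` plays the role of the report's 1,000-domain cutoff.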
Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in terms of the total percentage of domains with DMARC set at its top enforcement level.
THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.
HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.
QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.
According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.
Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor-only setting. As mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a large percentage of those domains may never be used to send email.
Data for the United States paints a different picture. While it ranks a distant second in the total number of country coded domains assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy. According to industry studies, the United States is the most heavily-targeted nation by cybercriminals, which may help to explain this discrepancy.
The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending amongst large companies.
During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizeable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.
DMARC Adoption – Just over 40% of the Fortune 500 with DMARC records assigned to domains have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.
Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.
Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.
The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE). It is seen as the benchmark reference for those seeking an indication of the performance of major companies in the United Kingdom.
Just under half of the top 100 public companies in the UK do not have a DMARC record for their corporate domains. The lack of DMARC implementation means an organization’s customers, suppliers, and other consumers and businesses remain vulnerable to phishing and the losses associated with email scams bearing the organization’s name.
DMARC Adoption – During the first quarter of 2019, there was a 4% increase in the number of FTSE 100 companies publishing a DMARC policy. This marks the first quarter that more than half of all FTSE companies have domain records for their corporate domains.
Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from the previous quarter.
Reject Policy – Only 14 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 3% increase from the previous period.
The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.
It appears significant educational efforts are required to boost DMARC adoption in this region, which remains nearly unchanged from Q4 2018. Today, 55% of ASX 100 companies have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks bearing their name.
DMARC Adoption – Despite a 1% increase during the last quarter, more than half of the ASX has yet to publish a DMARC policy, showcasing how few companies are thinking about email security.
Quarantine Policy – Two percent have implemented a quarantine policy—the same as the prior quarter.
Reject Policy – Only seven percent have implemented a reject policy, unchanged from Q4 2018.
This quarter, the US Government is hands down the leader in DMARC policy attainment across all major sectors, with 81% of domains attaining DMARC implementation at a p=reject enforcement policy. While most other sectors experienced negligible changes in adoption over the last quarter, the percentage of healthcare industry domains without a DMARC record dropped 3%.
However, most of these records appear to have been published without an enforcement policy, leaving the associated domains open to email-based impersonation scams targeting their customers and business partners.
Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 537 billion emails from over 48,000 domains from January through March 2019.
Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. For the first time ever, healthcare has surpassed the government sector to rank highest among all in the percentage of domains at enforcement in our quarterly reports.
Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that do not process email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 80%.
This is remarkable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. By March 2019, it had surged past government, which had been the enforcement leader amongst Agari customers for some time.
Healthcare’s momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive 18-01. BOD 18-01 was issued in October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies. Agari healthcare sector customers appear to have also attained that goal—and then some.
Groupon, Aetna, eBay, and Capital One are just some of the brands that use BIMI to display their logo next to their email messages, enhancing brand presence as well as providing assurance to recipients that the message is safe to open. BIMI will work only with an email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.
As of March 2019, 130 brand logos use BIMI with their top level domains and any number of additional subdomains. This is up from 81 logos in January, making it a 60% increase in just ninety days. With a growing number of pilots underway, look for this figure to climb in the coming months. Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered “must-have” for brand email campaigns everywhere.