In a solid improvement, the raw number of DMARC policies observed grew 13%, up from a tepid 1% growth in the previous quarter.
The government sector retains its top position in the percentage of organizations with email authentication, with 81% of domains at a p=reject policy.
BIMI gains popularity with 511 domains with an associated record, reflecting a 393% increase since last quarter’s measurement.
DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver system what to do with those unauthenticated email messages.
Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof legitimate domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.
For more information about DMARC adoption and its benefits, visit www.agari.com/dmarc-guide
Brands looking to deploy DMARC are advised to start with a p=none policy and work up to the p=reject policy through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.
By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from April through June 2019. Overall, there was 13% growth in the DMARC adoption rate, compared to just 1% growth in the previous quarter.
As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages from ever reaching the end user.
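As an added example (not the report's own code, and not Agari's ACID pipeline), the two measurements described above in Python: classifying each domain's DMARC record into the report's buckets (no record, monitor-only, quarantine, reject) and using the mailbox domain in the “rua” tag as the proxy for the reporting vendor. The records and vendor mailbox domains are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample TXT records at _dmarc.<domain>; vendor mailbox domains are placeholders.
SAMPLE_RECORDS = {
    "alpha.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; ruf=mailto:f@vendor-a.example",
    "beta.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-b.example",
    "gamma.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:agg@vendor-a.example!10m",
    "delta.example": "v=DMARC1;p=reject;rua=mailto:x@vendor-b.example,mailto:self@delta.example",
    "epsilon.example": "v=DMARC1; p=none",      # monitor-only, reports go nowhere
    "zeta.example": None,                       # no _dmarc TXT record at all
    "eta.example": "v=spf1 -all",               # something else published at _dmarc
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def classify(txt):
    """Map a record to the report's buckets: no record / monitor / quarantine / reject."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    p = tags.get("p", "none").lower()
    return p if p in ("reject", "quarantine") else "monitor"

def rua_domains(tags):
    """Mailbox domains listed in rua= (a '!size' suffix is dropped); each is the vendor proxy."""
    return {d.lower() for d in re.findall(r"mailto:[^@\s,]+@([^\s,!]+)", tags.get("rua", ""), re.I)}

def vendor_stats(records):
    """Per rua domain: (domains reporting to it, percent of those at p=reject)."""
    total, at_reject = Counter(), Counter()
    for txt in records.values():
        for v in rua_domains(parse_dmarc(txt) or {}):
            total[v] += 1
            at_reject[v] += classify(txt) == "reject"
    return {v: (total[v], round(100 * at_reject[v] / total[v])) for v in total}

def policy_summary(records):
    """Adoption picture for a set of domains, as in the report's charts."""
    return Counter(classify(txt) for txt in records.values())
```

A domain that lists its own mailbox in rua (delta.example above) shows up as its own "vendor", which is why the report applies a minimum-domain threshold before calling a rua domain a vendor.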
THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.
HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.
QUALITY VARIES WILDLY: Less than 1% of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.
Consistent with our last report, Germany leads all geographies in registered domains with established DMARC records, accounting for the vast majority of such domains for which a country code can be correlated. However, most DMARC records here are at the default, monitor-only setting. By contrast, while the United States lags Germany in country-coded domains assigned DMARC records, it ranks first in the number of DMARC records with established p=reject domains.
Reasons for the disparity are unclear. But one possibility is that registrars in Germany may assign DMARC records as a default as an added feature for customers acquiring domains.
According to MediaPost, suspicious emails make up only 0.2% of the total email volume sent within the US, while 76% of all emails sent within Germany are considered suspect. It’s possible that a domain-with-DMARC record bundle from registrars is attractive to customers hoping to move quickly on securing new email domains.
Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) highlights trends among prominent organizations across geographies.
The charts on the next few pages offer a snapshot of DMARC adoption trends among some of the world’s most prominent corporations. It’s important to note that even companies that have assigned DMARC records to their domains are not truly protected unless they are set to the highest level of enforcement. The sizable proportion of “no record” and “monitor only” policies showcases that these organizations can still be impersonated in phishing campaigns that put their customers, investors, and the general public at risk of serious financial harm.
The charts capture:
ADOPTION: The percentage of organizations with DMARC policies versus those without any DMARC record.
MONITOR: Domains possessing a DMARC record with a monitor-only policy, which allows organizations to see who is sending emails on their behalf but does nothing to block those emails from reaching end user inboxes.
QUARANTINE: Domains possessing DMARC records with a quarantine policy that sends phishing emails to the spam folder.
REJECT: Domains possessing DMARC records with the reject policy needed to block phishing attempts impersonating their brands.
The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending among large companies.
Just under 40% of the Fortune 500 have no DMARC records at all assigned to their domains, while 44% of those that do have yet to set a policy.
It’s worth noting, however, that the number of Fortune 500 companies with an established policy does continue to grow, albeit at a glacial pace.
Currently, only 12% of the Fortune 500 is completely protected against phishing-based brand impersonation attacks that put their customers, the public, and their investors at risk.
The percentage of companies with a quarantine policy, which sends phishing emails to the spam folder rather than the inbox, has stayed the same over the previous quarter.
The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange. It is seen as the benchmark reference for those seeking an indication on the performance of major companies in the United Kingdom.
The FTSE moved fast during the second quarter, with sixteen companies now fully protected by email authentication—an increase of two over the previous quarter.
Meanwhile, 83% of companies on the exchange remain unprotected against email-based brand impersonation—down from 94% two years ago.
DMARC adoption in the FTSE 100 is improving, but more needs to be done, and much faster, to ensure businesses’ brand identities are not being used in attacks against consumers, partners, and other organizations.
The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities. And today, just eight of those companies have implemented DMARC with the reject policy needed to block fraudsters from impersonating their brands.
Over half of companies here have yet to take the first step in protecting their brand identities from being pirated in email attacks targeting customers—showcasing how few Australian organizations are thinking about email security.
One point of hope is that one additional company moved to a reject policy this quarter for the first time in three quarters.
Our quarterly analysis of DMARC adoption is based on public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.
The US government remains, hands down, the leader in DMARC policy attainment across all major sectors this past quarter, with 81% of domains attaining DMARC implementation at a p=reject enforcement policy. But it’s worth noting that progress was seen across all sectors, with the percentage of domains without DMARC records dropping by between 3% and 5% depending on the industry vertical.
While the percentage of DMARC records without policies bumped up, likely due to increased numbers of domains overall, so did the percentage of DMARC implementations at a p=reject enforcement policy. Excluding government’s already high enforcement levels, all industry verticals in the index saw increases in p=reject enforcement policies of between one-half and 1%, with healthcare leading the way.
Data in the Agari Email Threat Center enables us to understand how enforcement rates across industries compare with those of Agari customers.
Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 350 billion emails from over 20,500 domains from April through June 2019.
Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers.
During the second quarter of 2019, Retail leapfrogged last quarter’s leader, Healthcare. But both were surpassed by Government, which reclaimed the first spot in the percentage of domains at enforcement.
Healthcare’s gains have been driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match the US Government’s Binding Operational Directive 18-01. First issued in October 2017, BOD 18-01 has helped propel Government to record high DMARC implementations at full p=reject enforcement.
But the gains achieved by Agari’s Retail sector clients are eye-popping in their own right—increasing DMARC records set to the top enforcement level by 8% in just ninety days. As retailers expand the number of online channels from which they market merchandise, cybercriminals have been increasingly targeting the sector. And with the end of summer and the all-important 2019 holiday shopping season coming fast, it’s clear retailers want to be ready for whatever fraudsters throw their way.
Brands such as Groupon, Air Canada, eBay, and Capital One are just a handful of the household names that use BIMI to display their logo next to their email messages—enhancing brand presence as well as the ability for brands to control the logo that is displayed. BIMI will work only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.
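The enforcement prerequisite described above, as an added example (not the report's code): before a receiver that honours BIMI would consider a domain's logo, the domain's DMARC policy must be at enforcement, and only then is the BIMI record at the selector name (default._bimi.<domain>) consulted. The DNS answers are constructed placeholders; the pct=100 and sp!=none conditions are taken from the BIMI draft, not from the report.

```python
# Constructed DNS TXT answers keyed by record name; domains and URLs are placeholders.
CONSTRUCTED_DNS = {
    "_dmarc.shop.example": "v=DMARC1; p=reject; rua=mailto:r@shop.example",
    "default._bimi.shop.example": "v=BIMI1; l=https://shop.example/logo.svg; a=https://shop.example/vmc.pem",
    "_dmarc.news.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:r@news.example",
    "default._bimi.news.example": "v=BIMI1; l=https://news.example/logo.svg",
    "_dmarc.blog.example": "v=DMARC1; p=none; rua=mailto:r@blog.example",
    "default._bimi.blog.example": "v=BIMI1; l=https://blog.example/logo.svg",
    "_dmarc.mail.example": "v=DMARC1; p=reject; sp=none",
    "default._bimi.mail.example": "v=BIMI1; l=https://mail.example/logo.svg",
    "_dmarc.bank.example": "v=DMARC1; p=reject",   # enforced, but no BIMI record published
}

def tags_of(txt):
    """'k=v; k=v' -> dict with lower-cased keys; DMARC and BIMI records share this syntax."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in (txt or "").split(";") if "=" in p)}

def dmarc_at_enforcement(dmarc_txt):
    """BIMI's DMARC prerequisite (per the BIMI draft): p=reject, or p=quarantine with pct=100;
    an explicit sp=none would leave subdomains spoofable, so it disqualifies the domain too."""
    t = tags_of(dmarc_txt)
    if t.get("v", "").upper() != "DMARC1":
        return False, "no DMARC record"
    p, pct, sp = t.get("p", "none").lower(), t.get("pct", "100"), t.get("sp", "").lower()
    if p == "none" or (p == "quarantine" and pct != "100"):
        return False, f"p={p} pct={pct} is not full enforcement"
    if sp == "none":
        return False, "sp=none leaves subdomains unprotected"
    return True, "ok"

def bimi_status(domain, dns=CONSTRUCTED_DNS, selector="default"):
    """Would a BIMI-aware receiver consider showing this domain's logo, and if not, why?"""
    ok, why = dmarc_at_enforcement(dns.get(f"_dmarc.{domain}"))
    if not ok:
        return {"eligible": False, "reason": why}
    b = tags_of(dns.get(f"{selector}._bimi.{domain}"))
    if b.get("v", "").upper() != "BIMI1" or not b.get("l", "").startswith("https://"):
        return {"eligible": False, "reason": "no BIMI1 record with an https logo URL"}
    return {"eligible": True, "logo": b["l"], "authority": b.get("a")}
```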
As of June, 511 domains added BIMI records alongside their top level domains, and any number of additional subdomains. This is up from 130 logos in March, making for a 393% increase in just twelve weeks, showcasing the growing importance of this standard.
It’s worth noting that smaller brands, seeking to leverage the tremendous brand presence BIMI affords by displaying their logos prominently within email clients, make up a significant portion of the adoption increases. Look for this to precipitate faster growth among major brands aiming to avoid being outpaced by challenger brands, especially as Google has announced a BIMI pilot program beginning in early 2020.
Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered a “must-have” for brand email campaigns everywhere.