The Agari Cyber Intelligence Division analyzed trillions of emails and nearly 500 million Internet domains to uncover the scope and impact of this email fraud… and the trends that benchmark enterprise security teams’ ability to respond to email threats.

This report delivers data and key findings, including:

  • How the average dollar amount demanded in Vendor Email Compromise (VEC) attacks continues to increase.
  • Why a deluge of phishing attacks has increased the urgency for security teams to respond effectively… even though nearly two-thirds of employee reports are false positives that exacerbate the SOC’s resource challenges.
  • Why a steady increase in DMARC and BIMI adoption is good news for brands and consumers… and which industry and geographic sectors continue to lag in adopting these key security controls.
Make sure you’re armed with this essential data and intelligence. Download the “Email Fraud & Identity Deception Trends” report today.


Customer Phishing and DMARC Trends

Key Findings
    • 5.85 Billion
      Malicious emails spoofing corporate and government email domains from July through December 2020, with those in Healthcare, Technology and Government impersonated most in phishing scams
    • 32%
      The percentage increase in global domains with an identifiable DMARC policy during the second half of 2020, a number that reached 10.7 million domains worldwide—up from 8.1 million during H1
    • 3 in 4
      Today, 76% of Fortune 500 companies remain vulnerable to getting impersonated in phishing scams targeting their customers, partners, investors, and the general public
    • 82%
      The increase in brand domains that have BIMI records, which reached 9,079 in the fourth quarter of 2020—up from just 4,983 in Q1 2020

DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Trends Worldwide

In a snapshot of more than 426 million Internet domains, we analyze adoption trends for Domain-based Message Authentication, Reporting, and Conformance (DMARC) from July through December 2020.

10.7 Million
The Number of Domains With Recognizable DMARC Policies Worldwide—up 32% in Just Six Months

But don’t break out the champagne just yet. While this notable increase in the number of domains with an identifiable DMARC policy is encouraging, it still represents just a tiny fraction of the half-billion domains our researchers scanned worldwide.

3.8 Million
3,826,830 Domains Have DMARC Set to Its Highest Enforcement Level—an 87% Increase from H1 2020, But Woefully Low in Absolute Numbers

Failure to implement DMARC with the p=reject enforcement leaves organizations at risk from cybercriminals seeking to pirate their brand and domains to target phishing attacks at their customers and other consumers and businesses. These domains may also be blacklisted by receiver systems, or experience reduced deliverability rates for the brand’s legitimate email messages, resulting in costly disruptions to their email-based marketing and revenue streams. But when implemented properly, DMARC has been shown to reduce domain spoofing to near zero while boosting email conversion rates as much as 10%, according to Forrester Research.

DMARC Breakout Session
Germany Vaults Ahead in DMARC Set at Reject

As part of this report, ACID examines the state of DMARC adoption by key geographies during the second half of 2020. In any given period, a rising number of new domains can cause changes to the total percentage of domains with DMARC policies, as well as those with DMARC policies at full enforcement.

Germany Leapfrogs US & The Netherlands with DMARC Policies at Full Enforcement

Among the ten largest country-code domains, the United States racked up a 21% increase in the percentage of domains with DMARC policies set to the strictest possible enforcement level in just six months, helping it to outpace The Netherlands. But during the same period, Germany achieved a remarkable 38% increase in DMARC policies at full enforcement, the level needed to prevent domains from being used to send phishing attacks.

The Total Number of Countries with at Least 50% of Domains with DMARC Policies Set to Reject

Among all countries, just three have at least 50% of domains with DMARC policies set to their strictest enforcement level—Germany, Colombia, and the British Virgin Islands.

DMARC Adoption Trends Among the World’s Largest Companies

This report captures DMARC adoption trends among some of the world’s most prominent companies through the second half of 2020—including Germany’s HDAX, which joins the Fortune 500, FTSE 100 and the ASX 100 in our index for the first time. It’s important to note that even when organizations have assigned DMARC records to their domains, they are not truly protected unless they are set to a level of enforcement. The sizable proportion of “no record” and “monitor only” policies highlights the fact that these organizations can still be impersonated in phishing campaigns that put their customers and other consumers and businesses at risk of serious financial harm.
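The distinction drawn above between “no record,” “monitor only,” and enforced policies can be checked from the TXT answers published at `_dmarc.<domain>`. The following is an added example, not Agari's code or methodology: it applies the RFC 7489 policy-discovery rules to constructed TXT strings for hypothetical `*.example` domains, performs no DNS lookups, and omits the fallback to the organizational domain.

```python
from collections import Counter

# The report's bucket names, keyed by the value of the DMARC p= tag.
POLICIES = {"none": "monitor only", "quarantine": "quarantine", "reject": "reject"}

def dmarc_tags(txt_records):
    """Return the tags of the single valid DMARC record, or None."""
    # Only TXT strings that begin with the version tag v=DMARC1 are DMARC records.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    # Zero records, or more than one, yields no policy (RFC 7489, 6.6.3).
    if len(dmarc) != 1:
        return None
    pairs = (part.split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def classify(txt_records):
    """Bucket a domain by the policy a receiver would actually apply."""
    tags = dmarc_tags(txt_records)
    if tags is None:
        return "no record"
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        # Missing or invalid p: treated as p=none only when rua is present.
        return "monitor only" if tags.get("rua") else "no record"
    return POLICIES[p]

def fully_enforced(txt_records):
    """True only for p=reject applied to all mail (pct absent or 100)."""
    tags = dmarc_tags(txt_records)
    return classify(txt_records) == "reject" and tags.get("pct", "100") == "100"

# Constructed sample data: hypothetical domains and TXT answers.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=spf1 -all"],                               # SPF, not DMARC
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],    # duplicate records
    "f.example": ["v=DMARC1; p=rejectt; rua=mailto:dmarc@f.example"],  # typo in p
}

def summarize(domains):
    """Count domains per bucket."""
    return Counter(classify(txt) for txt in domains.values())

if __name__ == "__main__":
    for bucket, count in summarize(SAMPLE).most_common():
        print(f"{bucket}: {count}")
```

Duplicate records and a misspelled `p=` value are the cases that make a domain look protected in a zone file while receivers apply no enforcement.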

5.85 Billion
The Number of Malicious Emails Spoofing Domains During H2 2020

From July through December 2020, the number of malicious emails spoofing corporate or government domains topped 5.8 billion (or 2.28% of all email). That’s 32 million fraudulent emails impersonating the domains of well-known brands every day of the week, at a rate of 1.3 million per minute.

Fortune 500 Companies with DMARC Set at Full Enforcement to Prevent Domain Spoofing

That’s an increase of 20% from June 2020. Together with the 8% of DMARC-assigned domains with a p=quarantine policy, 32% of Fortune 500 domains with DMARC policies set with at least some level of protection rose 10% during the same period.

Fortune 500 Companies Remaining at Risk of Being Impersonated in Email Scams Targeting Customers, Partners & More

Maybe it got put on the back-burner because of everything else 2020 threw their way. Whatever the case, 76% of Fortune 500 companies lack the protection needed to prevent email threat actors from hijacking their domains and impersonating their brands in phishing attacks. Which may help explain why Gartner ranks DMARC implementation[17] as a top priority for every organization in 2021.

1 in 4
FTSE 100 Companies Protect Against Brand Impersonation—a 25% Increase

The number of companies on the UK’s FTSE 100 with domains protected by DMARC set to p=reject grew to 25 during the second half of 2020—up from 20 at mid-year. While commendable, it still means that 75% of the FTSE 100 does not yet have protections in place to prevent threat actors from impersonating their brands in email attacks targeting customers, investors, and the general public.

Number of Australia’s ASX 100 Companies That Continue to Put Customers at Risk

Amid a push to increase the number of Australian government domains protected by DMARC[18], the private sector is still struggling with deployment, even as the total number of domains in use continues to rise. Today, just 14% of ASX 100 companies have DMARC policies set to full enforcement—leaving 85% at risk of email threat actors pirating their domains for use in phishing attacks.

HDAX Companies With DMARC Policies Set to Full Enforcement

A sustained onslaught of BEC and phishing campaigns was implicated in attacks that have cost the German government[19] and businesses[20] tens of millions of euros in 2020—and even led to loss of life[21]. These dramatic wake-up calls were likely a factor in that country’s spike in domains with DMARC policies set at reject, noted earlier. But for the large companies within the HDAX stock index, deployment across a very large number of domains can be costly and time consuming. As a result, just 9% of the 110 companies in the index have domains with DMARC policies at full enforcement, and another 8% at quarantine. That leaves 91% of HDAX companies with domains at risk of abuse by fraudsters.

DMARC Adoption by Industry Vertical

Data in our H1 2021 report includes DMARC adoption across key industry verticals and is based on public DNS records for primary corporate website domains of large companies with revenues above $1 billion USD. Every vertical has shown incremental improvements in the percentage of their DMARC-enabled domains at p=reject since our last report.

Tech, Healthcare & Government Most Impersonated in Phishing Attacks

Putting a fine point on the need for DMARC protection: During the second half of 2020, organizations in technology, healthcare, and government were impersonated most in phishing attacks leveraging unprotected email domains. None of which is surprising, given the ongoing COVID-19 pandemic and the resulting 57% of corporate employees working from home. Ever the opportunists, fraudsters also sought to exploit unprotected domains for attacks related to US political crises—leading to a noticeable spike in spoofed domains leading up to the November presidential elections through the first several days of 2021.

The Agari Advantage
Industry Enforcement Comparison

With real-time statistics from the domains of top banks, social networks, healthcare providers, major government agencies and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world both in terms of email volume and domains. This data enables us to understand how enforcement rates across industries compare with those of Agari customers. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 257.9 billion emails from more than 20,727 domains from July through December 2020.

Agari Healthcare Industry Customers with Domains at Full DMARC Enforcement vs. the Industry Average

Take the worst pandemic in modern history. Add fear, confusion, and unprotected email domains and mix. From phishing campaigns impersonating Vanderbilt University Medical Center to the Centers for Disease Control (CDC) to Health and Human Services (HHS) and other healthcare authorities, Agari customers in the sector had ample reason to beef up DMARC implementation efforts. As of December 2020, 84% of Agari healthcare customers’ domains are set at a p=reject enforcement level. That’s 6X the industry average of only 14% of domains protected with DMARC at its highest enforcement level.

Brand Indicators Adoption
BIMI is Officially Trending as Adoption Skyrockets

Brand Indicators for Message Identification (BIMI) benefits the entire email ecosystem by providing businesses with a standardized method for publishing their brand logos next to their email messages within a recipient’s inbox, with built-in protections against brand spoofing. At a time when email’s role as the indispensable digital channel has never been more critical to marketers, the launch of Google’s high-profile BIMI pilot provided additional rocket fuel for this rapidly growing standard.

The Total Number of Brand Domains with BIMI Records as of December 31, 2020

BIMI only works with email that has been authenticated through the DMARC standard for which the domain owner has specified a DMARC policy enforcement, so only authenticated email messages can be delivered. DMARC has been shown to boost deliverability rates. BIMI adds a verified logo indicating the email is legitimate and comes from an authentic domain from the brand. Though it will take time for BIMI to gain additional mindshare and trust, early tests show it has already boosted open rates by as much as 10%[22].

Increase in Brand BIMI Adoption in Just 6 Months

During the second half of 2020, BIMI adoption grew 72% from just 5,282 in H1. One significant contributing factor: the July launch of Google’s BIMI pilot, which allowed a select group of organizations who authenticate their emails using DMARC to validate ownership of their corporate logos and securely use them in email messages. Once these authenticated emails pass Google’s anti-abuse checks, Gmail displays the logo in existing avatar slots within the Gmail interface. Google and other inbox providers are expected to expand their BIMI pilots to more brands in 2021.

Protecting Against Advanced Email Threats
Through the Power of Trusted Email Identity™

As the financial and reputational damage from phishing, BEC, and other advanced email threats continues to mount, Agari has become the market leader in protecting brands and people from devastating phishing and socially-engineered attacks through solutions that include:

      • Agari Phishing Defense™ prevents email threats from reaching employee inboxes by scoring every message flowing into and within the organization to defend against low-volume, highly-targeted identity deception-based attacks.
      • Agari Phishing Response™ prioritizes reported incidents, automating investigative analysis and triage, to elevate the most suspicious emails to the top of the list. Then, it reduces manual efforts with remediation workflows to accelerate time-to-containment.
      • Agari Brand Protection™ protects your customers from costly phishing attacks by automating and simplifying DMARC email authentication and enforcement, preserving brand identity, and boosting digital engagement.
      • Agari Active Defense™ BEC Threat Intelligence Service uses automated active engagement to uncover criminals’ tactics and techniques and deliver highly focused, actionable intel about specific phishing and BEC threats targeting your organization.

Leveraging applied data science and a diverse set of signals, Agari protects the workforce from inbound BEC scams, supply chain fraud, spear-phishing, and account-takeover-based attacks—reducing business risk and restoring trust to the inbox. Agari also prevents spoofing of outbound email from the enterprise to customers, increasing deliverability and preserving brand integrity and reputation. Learn more at

About This Report

Taxonomy of Advanced Email Threats

ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy helps readers understand the terms used in this report and what they mean to email security.

The metrics and data analyzed in this report are collected from the sources indicated below.

Aggregate Advanced Email Attack Data

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good, legitimate traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream Secure Email Gateways (SEGs) into distinct threat categories, such as display name deception, compromised accounts, and more. See section on “Taxonomy of Advanced Email Attacks” on the preceding page.

Phishing Incident Response Trends

This report presents results from a survey of large organizations in a cross-section of industries conducted by Agari in December 2020.

Global DMARC Domain Analysis

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 426 million domains, ultimately observing 10,744,092 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.
