In a snapshot of more than 477+ million Internet domains, we assess adoption trends for Domain-based Message Authentication, Reporting, and Conformance (DMARC) from January through June 2020.
At Mid-Year, 8,074,377 Domains Possessed Recognizable DMARC Policies Worldwide
Just 2,041,442 Domains Have DMARC Set to Its Highest Enforcement Level
Failure to implement DMARC with the p=reject enforcement leaves organizations at risk from cybercriminals seeking to pirate their brand and domains to target phishing attacks at their customers and other consumers and businesses. These domains may also be blacklisted by receiver systems, or experience reduced deliverability rates for the brand’s legitimate email messages, resulting in costly disruptions to their email-based marketing and revenue streams.
As part of this mid-year report, ACID examines the state of DMARC adoption by key geographies. Across the board, rising numbers of new domains are causing slippage in the total percentage of domains with DMARC policies, as well as those with DMARC policies at full enforcement.
The Netherlands Tops in DMARC Policies Set to p=reject
The US continued to dominate in the total number of domains with DMARC policies set to the strictest possible enforcement level. But on a percentage basis, the Netherlands leads the pack, even after seeing a drop year-over-year relative fto total domains registered there.
Percentage Increase in Canadian Domains with DMARC policies at Enforcement Jumps 12%
As of June 30, Canada has seen the sharpest rise in domains with DMARC policies set to p=reject so far this year, though Germany saw significant gains, as well. Meanwhile, the US saw only tepid increases on a percentage basis.
This mid-year report captures DMARC adoption trends among some of the world’s most prominent companies. It’s important to note that even when organizations have assigned DMARC records to their domains, they are not truly protected unless they are set to a level of enforcement. The sizable proportion of “no record” and “monitor only” policies highlights the fact that these organizations can still be impersonated in phishing campaigns that put their customers, partners, investors, and the general public at risk of serious financial harm.
Fortune 500 Companies with DMARC Records Set at Full Enforcement—Up 66% YoY
Fortune 500 Companies Remaining at Risk of Being Impersonated in Email Scams Targeting Their Customers, Partners, and More
FTSE 100 Companies That Continue to Put Customers at Risk
During the first half of 2020, only 20% of the UK’s FTSE 100 had domains protected by DMARC set to p=reject— up just 2% in the last six months. As of mid-year, 80% of organizations in the FTSE 100 do not yet have protections in place to block fraudsters from impersonating their brands in email attacks.
Number of Australia’s ASX 100 Companies Now Protected from Brand Impersonation
The number of Australia’s ASX 100 companies with DMARC deployed at its top enforcement level grew by 5% over the last six months, and is up 87.5% YoY. But that means 9 in 10 ASX 100 organizations remain defenseless against crime rings seeking to hijack their brands and email domains.
Data in our H2 2020 report includes DMARC adoption across key industry verticals is based on public DNS records for primary corporate website domains of large companies with revenues above $1 billion. Every vertical has shown incremental improvements in the percentage of their DMARC-enabled domains at p=reject since our last report.
Data in the Agari Email Threat Center enables us to understand how enforcement rates across industries compare with those of Agari customers. Aggregating
real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world both in terms of email volume and domains. To generate realtime threat intelligence, the Agari Email Threat Center analyzed more than 233 billion emails from more than 25,017 domains from January through June 2020
Increase in Agari Healthcare Industry Customers with Domains at Full Enforcement
Amid a dramatic surge in phishing campaigns impersonating the Centers for Disease Control (CDC), Vanderbilt University Medical Center, Magellan Health, and
other healthcare authorities, Agari customers in the sector redoubled their DMARC implementation efforts, climbing to 78% of domains at p=reject enforcement,
compared to 68% at the end of 2019—a 10% jump in six months.
Brand Indicators for Message Identification (BIMI) benefits the entire email ecosystem by providing businesses with a standardized method for publishing their brand logos next to email messages within a recipient ‘s inbox, with built-in protections against brand spoofing.
The Total Number of Brand Domains with BIMI Records as of June 30
BIMI only works with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.
Increase in Brand BIMI Adoption In the Last 90 Days
In July, Google officially launched its BIMI pilot, which allows organizations who authenticate their emails using DMARC to validate ownership of their corporate logos and securely use them in email messages. Once these authenticated emails pass Google’s anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail interface.
ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email- based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy helps readers understand the terms used in this report and what they mean to email security.
The metrics and data analyzed in this report are collected from the sources indicated below.
For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good, legitimate traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream Secure Email Gateways (SEGs) into distinct threat categories, such as display name deception, compromised accounts, and more. See section on “Taxonomy of Advanced Email Attacks” on the preceding page.
This report presents results from a survey of six large organizations in a cross-section of industries conducted by Agari in June 2020.
For broader insight into DMARC policies beyond what we observed in email traffic targeting the Agari customer base, we analyzed 477 million+ domains, ultimately observing 8,074,377 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.