There has been much talk about DMARC, and how it is essential to cyber security. But few firms have adopted it, judging by Multi-Industry DMARC, a study released on Tuesday by 250ok.
In the EU, 84.4% of e-tailers have no DMARC in place, and only tiny percentages publish quarantine or reject policies, the settings that the report, written by Mathew Vernhout, director of privacy for 250ok, describes as best practice.
The U.S. is almost identical: 81.1% of e-tailers have no DMARC. Without it, their brands can be hijacked for spoofed mail, and consumers who notice the threat respond less to their legitimate email marketing.
Those numbers pale next to China, where 95.4% of the top 100 Chinese brands lack DMARC, leaving them exposed to phishing attacks that impersonate them.
250ok examined 17,000 domains in several industries, relying on publicly available authentication information.
Next to China, the highest non-adoption rates are in the non-profit sector (93.5%) and colleges and universities (90.2%), with minor variances between countries.
In the non-profit sector, for instance, the U.S. has a higher rate of DMARC absence — 94.2% compared to 92.7% for the UK.
Nonprofits can perhaps be forgiven, considering their tight budgets, and the same is true of colleges and universities, which have an overall 90.2% rate of DMARC absence.
The U.S. percentage is slightly better at 88.8%, compared to 91.4% for the EU and 90.3% for Canada.
Who is doing it right? SaaS 1000 firms: only 65% have not adopted DMARC. Granted, that is still a high number. And of the remainder, 25% employ the most basic DMARC policy, p=none, rated as good but not great.
But that is better than nothing. p=none “allows for a domain owner to understand where their legitimate email messages are originating from and be aware in the case of spoofing or phishing of their brands,” the study states.
Law firms, perhaps because they are also attuned to the risks, do even better: only 62% have failed to apply DMARC. A third utilize p=none.
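To make the buckets in these figures concrete (no DMARC, p=none, p=quarantine, p=reject), here is an added example, not code from the article or from 250ok, that classifies a domain's `_dmarc` TXT answers the way such a study would. The sample lookups are constructed, the domain names are hypothetical, and the classification follows the RFC 7489 policy-discovery rules: zero or multiple DMARC records mean no usable policy, and a record that lacks a valid `p=` tag but carries a `rua=` address is treated as p=none.

```python
"""Classify published DMARC records into the adoption buckets the study uses.

Added example: the records below are constructed for illustration and are
not data from the 250ok report. The buckets (no_dmarc, p=none,
p=quarantine, p=reject) mirror the categories discussed in the article.
"""
from collections import Counter
from typing import Optional

# Constructed sample: domain -> TXT records found at _dmarc.<domain>.
# An empty list means nothing was published at that name.
SAMPLE_LOOKUPS = {
    "shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "shop-b.example": ["v=DMARC1; p=none; rua=mailto:reports@shop-b.example"],
    "shop-c.example": [],                                          # nothing published
    "shop-d.example": ["v=DMARC1; p=quarantine; pct=50"],          # partial enforcement
    "shop-e.example": ["v=spf1 include:_spf.example -all"],        # SPF only, not DMARC
    "shop-f.example": ["v=DMARC1; rua=mailto:x@shop-f.example"],   # missing p= tag
    "shop-g.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Optional[dict]:
    """Return the tag=value pairs of a DMARC record, or None if unusable.

    RFC 7489: tags are ';'-separated, the first tag must be v=DMARC1, and
    a valid 'p' tag is required. If 'p' is missing or invalid but a 'rua'
    reporting address is present, receivers act as if p=none were published.
    """
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if i == 0 and not (name == "v" and value.upper() == "DMARC1"):
            return None
        tags[name] = value
    if tags.get("p", "").lower() not in VALID_POLICIES:
        if tags.get("rua", "").lower().startswith("mailto:"):
            tags["p"] = "none"      # RFC 7489 section 6.6.3 fallback
        else:
            return None             # malformed: no policy can be applied
    tags["p"] = tags["p"].lower()
    return tags


def classify(records: list) -> str:
    """Bucket one domain's _dmarc TXT answers into the study's categories."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return "no_dmarc"   # none published, or several (receivers discard all)
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return "no_dmarc"
    return "p=" + tags["p"]


def is_enforcing(bucket: str) -> bool:
    """Only quarantine and reject actually stop spoofed mail; p=none just reports."""
    return bucket in ("p=quarantine", "p=reject")


def adoption_summary(lookups: dict) -> dict:
    """Percentage of domains in each bucket, rounded to one decimal like the report."""
    counts = Counter(classify(recs) for recs in lookups.values())
    total = len(lookups)
    return {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}


if __name__ == "__main__":
    for domain, recs in SAMPLE_LOOKUPS.items():
        print(f"{domain:16} {classify(recs)}")
    print(adoption_summary(SAMPLE_LOOKUPS))
```

Note that a `pct=` tag (shop-d) does not change the bucket: the study counts the published policy, even though a receiver applies it only to that percentage of failing mail. Two records at the same name (shop-g) count as no DMARC, a common misconfiguration that looks like enforcement in a DNS dump but gives none.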
Is DMARC being overhyped? Not according to 250ok.
“In the months since the US Department of Homeland Security mandated that all federal agencies should achieve a DMARC Reject Policy on all domains, we expected enterprises and NGOs to take the same steps to protect consumers,” states Vernhout.
He adds: “By failing to implement DMARC, negligent brands worldwide are putting themselves and their customers directly in harm’s way.”