Commentary

D-markable: Federal Government Leads In DMARC Protection, Study Finds

The federal government may not excel at all things, but it is leading the way in protecting itself from email impersonation, according to Email Fraud Landscape 2018, a study by Valimail. 

Valimail found that 80% of all U.S. federal domains have published a DMARC record, up from 50% in the prior year.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is considered the top protection standard.

In addition, 87% of those agencies have configured it for enforcement — a strong barometer of success. “Publishing a DMARC record is one thing, but configuring it correctly and completely is another,” the study notes.

Not that federal domains have a choice — the Department of Homeland Security required them to adopt DMARC by last October. 

Companies are lagging behind the government, but are still making strides. For example, 50% of all Fortune 500 and large U.S. tech companies have adopted DMARC, versus 28% in 2017 — a “particularly dramatic rise,” Valimail says. And 37% have achieved DMARC enforcement.


In addition, 30% of large U.S. banks have reached the enforcement level, along with 36% of Crunchbase unicorns. Healthcare companies have a 37% adoption rate and a 30% enforcement configuration rate.

Overall, however, only 20% of companies configure DMARC for enforcement, leaving 80% unprotected from impersonation. And that failure rate has remained steady for three quarters.

Why is this important? Because losses due to business email compromise attacks alone have exceeded $12 billion since 2013, according to FBI statistics.

“Fake emails — primarily email impersonation phishing attempts — continue to proliferate because, unfortunately, they work and are childishly easy to deploy,” states Alexander García-Tobar, CEO and co-founder of Valimail. “Executives, employees, and clients continue to click, send confidential information, share IP, and make bank transfers to the bad guys — all because of a lack of basic authentication.”

He adds, however, that those attacks are preventable.

“We urge all domain owners and security leaders to adopt these standards and configure them correctly and completely, as quickly as possible, to ensure their own employees cannot be spoofed by cybercriminals,” García-Tobar says.

Valimail regularly monitors the public Domain Name System (DNS) for the published email authentication status of nearly 17 million domains. We use this dataset to assemble aggregate analyses of the DMARC and SPF postures of various industries.

For this report, Valimail studied a dataset from its regular monitoring of the public Domain Name System for the email authentication status of almost 17 million domains.

 
