• by Ray Schultz , March 4, 2020

It might seem counterintuitive. But there is good news on the phishing front.

Email spoofing via exact-domain impersonation has fallen to 1% of all of the email volume authenticated by Valimail, according to a study by that email security firm Valimail. It accounted for 2.3% in the first half of 2018 and 5% in 2017.

In addition, more companies are deploying DMARC (Domain-based Message Authentication, Reporting, and Conformance — 933,973 domains now have DMARC records, with 70% growth in the past year and 180% over two years.

However, only 13% of all DMARC records are at the enforcement level. And while almost 52% of publicly traded, billion-dollar companies have DMARC, only 23% are at the enforcement level. 

Among the businesses that have reached the DMARC enforcement stage are global banks and financial services companies (33%), Fortune 500 companies (28%), tech firms (24%), and media outfits (22%).

Less successful are U.S. healthcare providers (18%) and utilities (13%).

The winner is the U.S. government. Thanks to a directive from the Department of Homeland Security, 79% of federal government domains have DMARC, and 93% are at enforcement.

The United States sends more spoofed email than anyone — over 38 million pieces, although that represents only 0.2% of its total email volume. Vietnam, Russia, China and India have higher parentages but lower numbers overall.