Do the math. The number of firms using DMARC (Domain-based Message Authentication, Reporting, and Conformance) to protect against phishing has for the first time exceeded 1 million — up from close to zero four years ago, according to Sender Identity Movement Continues With Over 1 Million DMARC-Enabled Domains, a study released on Tuesday by Valimail.
Valimail calls this “a significant milestone.” But the overall enforcement effectiveness rate is a paltry 13.9%, meaning that almost 90% of companies are vulnerable.
And while the enforcement rate jumps to 30% among Fortune 500 DMARC users, 79% of those domains can still be spoofed because they are employing DMARC in monitor mode only, or not at all.
In contrast, most U.S. government domains are now protected because the U.S. Department of Homeland Security “mandated it for all non-military, non-intelligence domains within the executive branch,” the study notes. So the government gets an 'A.'
But almost no businesses are achieving that high a grade — most deserve a 'D.' Here are the enforcement rates by sector:
Why so low?
“Too many organizations find it difficult to reach DMARC enforcement due to the complexity of their email ecosystems and the fear of accidentally blocking good senders when moving to a more restrictive policy,” the study states.
The utility industry is a case in point: 60% of its domains now have DMARC records, but the enforcement rate remains low.
But there’s hope — 1.07 million domains have published DMARC records as of June 1 — a 48% hike over last year, and almost 2.5 times the number of two years ago. They’ll get there, if Valimail is correct.
The study concludes that “the time to deploy DMARC is now — and your deployment plan should include a path to enforcement.”
Valimail analyzed what it says is a broad cross-section of company sizes and revenues across eight different verticals.