Brands are wising up when it comes to protecting their domains with DMARC (Domain-based Message Authentication, Reporting and Conformance) — or at least the bigger ones are.
There has been a 43.4% annual growth rate of large organizations using — and enforcing — DMARC, according to Email Fraud Wave Prompts Shift To DMARC enforcement, a study released Monday by Valimail.
On contrast, only 14.8% of the 1.28 million domains with DMARC overall actually protect themselves with an enforcement policy, a decline from July 2016, when the number topped 20%, but higher than the 13.5% seen over the past two years.
The distinction is key because it’s not enough to merely have DMARC — it also has to be enforced.
Firms with DMARC enforcement see a spoofing rate of 0.4%, whereas those without it suffer a rate of 1.9%
On the positive side, there was a 38% increase in firms with DMARC over the course of 2020
And, the rate of suspicious email has leveled off from a high of over 5% in 2017, when Valimail spotted a large impersonation campaign aimed at media companies, and is now somewhere around 1%.
Moreover, 80% of inboxes worldwide enjoy DMARC protection via their mailbox providers, including Google (for Gmail and Google Workspace), Microsoft through Outlook.com and Microsoft 365 and Verizon Media’s Yahoo Mail.
Who’s best at it? The Federal government, hands down, thanks to a 2017 Department of Homeland Security mandating DMARC enforcement for all executive branch and defense-related domains. enforcement now stands at 74%.
Coming in a distant second are firms in the Fortune 500, which have only 27% enforcement despite 77% DMARC deployment. And they are followed by technology companies, with 74% DMARC usage and 24% enforcement.
Global media companies rank near the bottom, with a 16% rate. But the lowest rate is seen among healthcare companies, only 13% of which are at the enforcement level. That’s shocking, given the sensitivity of the data.
Valimail’s conclusion? “DMARC usage is growing, and rates of enforcement are increasing, as domain owners recognize the utility of this widely accepted standard for curtailing one of the most pernicious types of email- based attacks,” the study says.
It adds, “As awareness grows about DMARC’s effectiveness in locking down domains, we expect that these numbers will continue to increase.