• by Ray Schultz , Columnist, July 16, 2021

Brands worldwide are trying to protect their domains with DMARC (Domain-based Message Authentication, Reporting and Conformance). But adoption has not been as swift as it should be, judging by DMARC Industry Report 2020-2021, a study by KDMARC.

“Many organizations, irrespective of their size and industry, have still not prioritized DMARC implementation, leaving their email domain vulnerable to external threats,” the study notes.

DMARC policies increased to 2.704 million in 2020, a 42.9% hike over 2019, but still lower than the 250% to 350% boosts seen in the prior few years. 

This is more or less in line with a Valimail study, showing 38% increase in firms with DMARC in 2020. 

The biggest monthly increase in new DMARC records, 50%, occurred in November 2018, then growth fell off.  

The average number of new records per month was around 108,700 in 2020, versus 90,197 in 2019. In contrast, the number was 80,275 in 2016.

DMARC adoption is required for U.S. government agencies. The standard presents many benefits even to private enterprises.  

Firms deploying DMARC will save $302,000 per year in losses from business email compromise (BEC) attacks, based on user taking actions just 1% of the time. But savings hit $1.3 million with a BEC action rate of 5%.

As companies have been hammering home this week, DMARC must be deployed for firms to benefit from BIMI (Brand indicators for Message Identification), the standard that allows firms to display their logos with DMARC-authenticated emails. That’s more important than ever now that Google has rolled out BIMI in all Gmail inboxes. 

Unfortunately, some DMARC adopters have not gone all the way.

There are three DMARC policies, including:

• None—A monitoring-only policy that does not affect actual email deliverability. 
• Quarantine—In addition to reports, this policy instructs the ISP to redirect emails failing DMARC authentication to the recipient’s spam folder. 
• Reject—This instructs ISPs not to deliver failing DMARC authentication at all. 

Where does adoption stand? It’s like this: 

• None—65.6%
• Quarantine—10.9%
• Reject—23.5%

That said, there has been a “gradual increase in the number of domains publishing quarantine and reject policies, with a corresponding gradual decrease in the number of domains publishing none policy,” over the past few years. 

The DMARC standard was developed by several industry tech leaders, including PayPal, Google, Microsoft and Yahoo. It was first published in 2012. 

DMARC monitors these email authentication standards:

Sender Policy Framework (SPF0

DomainKeys Identified Mail (DKIM)

“BEC and email spoofing are expensive email threats that can usually bypass the security controls put in place to filter out malicious URLs or attachments,” the study concludes. “Deployment of DMARC can help in reducing the risk of costly losses.”