Only 10% of Tech Companies Protected From Phishing by DMARC Enforcement

Roughly 10.5% of tech companies have properly implemented the DMARC email authentication protocol to block phishing attacks that rely on email spoofing, according to a study by San Francisco-based anti-phishing company Valimail.

Valimail's Industry Report: Technology (March 2019) presents the results of a study of how far the tech industry has come in correctly implementing DMARC for phishing protection.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting, and Conformance (DMARC), Brand Indicators for Message Identification (BIMI), and Authenticated Received Chain (ARC) are considered modern email authentication technologies.


Out of these five, DMARC has been in use since 2012, while the SPF and DKIM authentication protocols have been deployed since the mid-2000s. DMARC is designed to build on SPF and DKIM, and in turn serves as the basis for both the BIMI and ARC email authentication methods.
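To make the "DMARC builds on SPF and DKIM" relationship concrete, here is an added example (not from the article or from Valimail) of how a receiving mail server combines the two results under DMARC: a message passes if at least one of SPF or DKIM passes and the passing identifier aligns with the RFC5322.From domain, in either strict or relaxed mode (RFC 7489 section 3.1). The organizational-domain derivation is a deliberate simplification (last two labels); a real receiver consults the Public Suffix List. All function names and sample domains are assumptions for illustration.

```python
"""Added example: combining SPF and DKIM results under DMARC identifier alignment.
Simplification: organizational domain = last two labels (real receivers use the PSL)."""
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels of the name."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment check.
    mode 's' (strict)  : the identifier must equal the From domain exactly.
    mode 'r' (relaxed) : the identifier only has to share the organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str,
                   spf: Tuple[str, str],
                   dkim: List[Tuple[str, str]],
                   policy: str,
                   aspf: str = "r",
                   adkim: str = "r") -> Tuple[bool, str]:
    """Evaluate DMARC for one message.
    spf    : (result, MAIL FROM / HELO domain), e.g. ("pass", "bounce.example.com")
    dkim   : list of (result, d= domain) for each signature on the message
    policy : the p= value published by the From domain's owner
    Returns (dmarc_pass, disposition). A passing message gets disposition "none";
    a failing message gets the published policy (none / quarantine / reject)."""
    spf_aligned_pass = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_aligned_pass = any(result == "pass" and aligned(d, from_domain, adkim)
                            for result, d in dkim)
    if spf_aligned_pass or dkim_aligned_pass:
        return True, "none"
    return False, policy


if __name__ == "__main__":
    # Constructed cases (hypothetical domains):
    # 1. SPF passes for a subdomain of the From domain, relaxed alignment -> pass
    print(dmarc_evaluate("example.com", ("pass", "bounce.example.com"), [], "reject"))
    # 2. SPF passes but for an unrelated domain, no DKIM -> fail, p=reject applied
    print(dmarc_evaluate("example.com", ("pass", "other.example"), [], "reject"))
    # 3. Strict SPF alignment fails on the subdomain, but an aligned DKIM signature rescues it
    print(dmarc_evaluate("example.com", ("pass", "bounce.example.com"),
                         [("pass", "example.com")], "quarantine", aspf="s"))
```

The third case is the one that matters operationally: a strict aspf setting breaks alignment for mail sent from a subdomain's envelope sender, and only a DKIM signature whose d= matches the From domain keeps such mail deliverable.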

Email authentication protocol deployment

According to IETF's informational RFC7489 from March 2015, "DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection."

Also, the Department of Homeland Security’s Binding Operational Directive 18-01 states that "setting a DMARC policy of 'reject' provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery."

As Valimail's experts discovered, even though roughly 51% of the 525 global technology companies that were examined have implemented DMARC, 3.6% have configured it incorrectly and 35% have it correctly set up but without enforcement (monitor-only mode), which gives them visibility into their mail flow but still leaves them exposed to phishing attacks based on email spoofing.

Out of the more than 500 companies reviewed, only 10.5% (55 of the tested domains) have properly configured DMARC records that also set a policy designed to block email spoofing-based phishing attacks.

"Phishing has become ubiquitous and both consumers and businesses are faced with these types of attacks on a daily basis. Over the years, however, email authentication standards like DMARC have been developed and gained wider adoption to prevent the most pernicious form of phishing - impersonation or 'spoofing'," said Alexander García-Tobar, Valimail's CEO and co-founder.

300% increase in DMARC usage YoY

As further unearthed by the company as part of its "Industry Report: Technology March 2019", tech companies that use DMARC enforcement as part of their anti-phishing protection strategy "had an average revenue more than twice that of the companies with no DMARC records at all ($10.2 billion vs. $5 billion)."

García-Tobar also stated that "While the tech industry’s adoption is comparatively high, as a whole, there’s still much work to be done. Despite the fact that roughly half of this cohort have DMARC records, only about 10% of tech companies overall have configured those records correctly, with a policy of enforcement."

Valimail's study shows how "of the total 525 domains, 268 (51 percent) have no DMARC records. The other 257 domains (49 percent) have DMARC in some form or another," but, as previously mentioned, "the majority of this 49 percent are not actually configured in a way that protects them from spoofing attacks."

Sample size: 525
Domains with DMARC records: 257
Domains with DMARC at enforcement: 55
Enforcement effectiveness: 21.00%
Overall protection rate: 10.00%
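The figures above depend on three distinctions the report draws: a domain can have no DMARC record, a record that is misconfigured, a valid record at p=none (monitor-only), or a valid record at an enforcing policy. As an added example that is not part of the article or of Valimail's methodology, the following script applies those categories to DMARC TXT records and computes the same five summary figures. The records and domain names are constructed, the resolver is a dictionary lookup rather than live DNS, and the classification rules (v=DMARC1 first, a valid p= tag, a single record, pct in 0..100) follow RFC 7489; treating pct=0 as monitor-only is this script's own choice.

```python
"""Added example: bucket DMARC records into no record / invalid / monitor /
enforcement and compute the report-style summary. Sample data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcStatus:
    domain: str
    category: str               # "none" | "invalid" | "monitor" | "enforcement"
    policy: Optional[str] = None
    pct: int = 100
    reason: str = ""


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 section 6.4 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(domain: str, records: List[str]) -> DmarcStatus:
    """Decide which bucket the TXT records published at _dmarc.<domain> fall into."""
    if not records:
        return DmarcStatus(domain, "none", reason="no TXT record at _dmarc")
    if len(records) > 1:
        # RFC 7489 section 6.6.3: receivers discard the policy when several records exist
        return DmarcStatus(domain, "invalid", reason="multiple DMARC records")
    try:
        tags = parse_dmarc(records[0])
    except ValueError as exc:
        return DmarcStatus(domain, "invalid", reason=str(exc))
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return DmarcStatus(domain, "invalid", reason="v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcStatus(domain, "invalid", policy or None, reason="missing or unknown p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        return DmarcStatus(domain, "invalid", policy, reason="pct= must be an integer 0..100")
    if policy == "none":
        return DmarcStatus(domain, "monitor", policy, pct, "p=none: reports only, no blocking")
    if pct == 0:
        # Script's own rule: an enforcing policy applied to 0% of mail protects nothing
        return DmarcStatus(domain, "monitor", policy, pct, "pct=0: policy never applied")
    return DmarcStatus(domain, "enforcement", policy, pct, f"p={policy} applied to {pct}% of failures")


def audit(domains: List[str], resolver: Callable[[str], List[str]]) -> List[DmarcStatus]:
    """resolver(name) returns the TXT strings published at name (a dict lookup here)."""
    return [classify(d, resolver(f"_dmarc.{d}")) for d in domains]


def summarize(statuses: List[DmarcStatus]) -> Dict[str, float]:
    """The five figures of the report's table, computed from a list of statuses."""
    total = len(statuses)
    with_records = sum(s.category != "none" for s in statuses)
    enforcing = sum(s.category == "enforcement" for s in statuses)
    return {
        "sample_size": total,
        "with_records": with_records,
        "at_enforcement": enforcing,
        "enforcement_effectiveness": round(100 * enforcing / with_records, 1) if with_records else 0.0,
        "overall_protection_rate": round(100 * enforcing / total, 1) if total else 0.0,
    }


# Constructed sample data: hypothetical domains and records, not real DNS answers.
SAMPLE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine; adkim=s; aspf=s"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=50"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:reports@example.org"],
    "_dmarc.monitor.example": ["v=DMARC1; p=reject; pct=0"],
    "_dmarc.broken.example": ["v=DMARC1; rua=mailto:x@broken.example"],
    "_dmarc.dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # norecord.example is deliberately absent: no TXT record at all
}
SAMPLE_DOMAINS = ["example.com", "example.net", "partial.example", "example.org",
                  "monitor.example", "broken.example", "dup.example", "norecord.example"]


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])


def run_sample() -> Dict[str, float]:
    statuses = audit(SAMPLE_DOMAINS, sample_resolver)
    for s in statuses:
        print(f"{s.domain:18} {s.category:12} {s.reason}")
    return summarize(statuses)


if __name__ == "__main__":
    print(run_sample())
```

Run against real domains by swapping sample_resolver for a function that performs a TXT lookup of _dmarc.<domain>; the classification and summary code stay the same. The partial.example case shows why "has an enforcing policy" and "is fully protected" are not the same thing: p=quarantine with pct=50 leaves half of all spoofed mail to be delivered as if p=none.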

Valimail concluded the report by noting that DMARC is the default email authentication protocol for 75% of mailboxes on the receiving side, with Google, Oath, Microsoft, and other email providers using it to "enforce domain owners' DMARC policies."

In addition, during 2017 DMARC usage saw a 300% increase, with over 200,000 domains using it as their policy distribution method.

"In this specific report, we looked at the domains of large technology companies with revenues above $500m annually. When compared to other industries, the tech sector has made strong progress in adopting email authentication," said García-Tobar. "In fact, the only other industry that has more adoption is the federal government -- which is due to the Dept. of Homeland Security’s mandate that all federal agencies adopt DMARC and set it to an enforcement policy."
