Study Conducted by 250ok Analyzed DMARC Implementation Across 25,700 Domains in 10 Sectors
250ok, an Indianapolis-based email intelligence platform, released their report, Global DMARC Adoption 2019, revealing 79.7% of all domains analyzed have no DMARC policy in place. By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks and, unsurprisingly, 91% of all cyber attacks begin with a phishing email.
Phishing and spoofing attacks against consumers are likely to occur when companies do not have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) policies in place. DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful email using a counterfeit address.
“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”
250ok’s Global DMARC Adoption 2019 report analyzed domains across multiple sectors including education, e-commerce, Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services, and travel. The report looks into whether the organization or parent domain, excluding any subdomains, implement any level of DMARC policy from none (good), quarantine (better), reject (best) or if they had no policies whatsoever.
Key takeaways from select sectors include:
For the second year in a row, Chinese companies are the least likely to adopt any DMARC policy, with 93.5% of domains having no policy in place.
Non-profit organizations are largely failing to adopt DMARC (91.4% have no policy in place) while they continue to hold a significant amount of personal data about their donors and volunteers.
Only 23% of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.
The SaaS 1000 is the best non-public vertical surveyed. Out of 1,000 domains reviewed, only 54% do not have a policy in place.
The travel industry is well behind overall averages with 86% of all domains having no policy in place and only 1% having a reject policy.
The Executive branch of the government leads all verticals with 81.5% of all their domains enacting a reject policy.
Law firms saw the greatest increase in overall adoption from 2018 to 2019 with a 19% increase. European and U.S. retailers had the second and third greatest increases with 14.8% and 12.5% overall adoption respectively.
The sectors who saw the smallest increase of overall DMARC adoption from 2018 to 2019 include the China Hot 100 with only a 1.9% increase, and U.S. nonprofits with a 2.8% increase
A 2018 study from the Anti-Phishing Working Group reported a decline in reported
phishing attacks during Q4 2018. However, this is not due to fewer attacks, but instead the growing complexity of phishing attacks. Thanks to new tactics like multiple redirects and valid security certificates, phishing is harder to detect than ever before. In fact, there was a 29.8% increase in phishing scams targeting SaaS companies in an attempt to get data and credentials.