OKDMARC

DMARC

04 August, 2020

Adoption of DMARC

DMARC is an authentication policy and also reporting protocol. It uses both SPF and DKIM and adds linkage to the From domain name policies for handling the incoming email in case of failure and something very important report for the sender. The main purpose of DMARC is to protect against direct domain spoofing. If an attacker tries to send an email from unauthorized sources, DMARC will detect it and block it.

About 80 percent of the company's web domains don’t have standard email authentication protections in place.

dmarc.org, leadership team leading DMARC adoption, released their report, Global DMARC Adoption 2018, revealing 79.7% of all domains analyzed have no DMARC policy in place. By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks and, unsurprisingly, 91% of all cyberattacks begin with a phishing email.

Phishing and spoofing attacks against consumers are likely to occur when companies do not have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) policies in place. DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful emails using a counterfeit address.

Global DMARC Adoption 2019 report analyzed domains across multiple sectors including education, e-commerce, Fortune 500, US government (Executive, Legislative and Judicial), China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services, and travel. The report looks into whether the organization or parent domain, excluding any subdomains, implement any level of DMARC policy from none (good), quarantine (better), reject (best), or if they had no policies whatsoever.

Key takeaways from select sectors include:

For the second year in a row, Chinese companies are the least likely to adopt any DMARC policy, with 93.5% of domains having no policy in place.
Non-profit organizations are largely failing to adopt DMARC (91.4% have no policy in place) while they continue to hold a significant amount of personal data about their donors and volunteers.
Only 23% of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.
The SaaS 1000 is the best non-public vertical surveyed. Out of 1,000 domains reviewed, only 54% do not have a policy in place.
The travel industry is well behind overall averages with 86% of all domains having no policy in place and only 1% having a reject policy.
The Executive branch of the government leads all verticals with 81.5% of all their domains enacting a reject policy.
Law firms saw the greatest increase in overall adoption from 2018 to 2019 with a 19% increase. European and U.S. retailers had the second and third greatest increases with 14.8% and 12.5% overall adoption respectively.
The sectors who saw the smallest increase of overall DMARC adoption from 2018 to 2019 include the China Hot 100 with only a 1.9% increase and U.S. nonprofits with a 2.8% increase

Benefits of DMARC

In DMARC uses policies the administrator sets them defining the email authentication practices and what should the receiving email server do if an email violates a policy.

When the receiving email server gets a new email it makes a DNS lookup to check the DMARC. It will look for: