Adoption of DMARC

Adoption of DMARC

04 August, 2020

Adoption of DMARC


DMARC is an authentication policy and also reporting protocol. It uses both SPF and DKIM and adds linkage to the From domain name policies for handling the incoming email in case of failure and something very important report for the sender. The main purpose of DMARC is to protect against direct domain spoofing. If an attacker tries to send an email from unauthorized sources, DMARC will detect it and block it.

About 80 percent of the company's web domains don’t have standard email authentication protections in place., leadership team leading DMARC adoption, released their report, Global DMARC Adoption 2018, revealing 79.7% of all domains analyzed have no DMARC policy in place. By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks and, unsurprisingly, 91% of all cyberattacks begin with a phishing email.

Phishing and spoofing attacks against consumers are likely to occur when companies do not have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) policies in place. DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful emails using a counterfeit address. 

Global DMARC Adoption 2019 report analyzed domains across multiple sectors including education, e-commerce, Fortune 500, US government (Executive, Legislative and Judicial), China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services, and travel. The report looks into whether the organization or parent domain, excluding any subdomains, implement any level of DMARC policy from none (good), quarantine (better), reject (best), or if they had no policies whatsoever.


Key takeaways from select sectors include:


  • For the second year in a row, Chinese companies are the least likely to adopt any DMARC policy, with 93.5% of domains having no policy in place.
  • Non-profit organizations are largely failing to adopt DMARC (91.4% have no policy in place) while they continue to hold a significant amount of personal data about their donors and volunteers.
  • Only 23% of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.
  • The SaaS 1000 is the best non-public vertical surveyed. Out of 1,000 domains reviewed, only 54% do not have a policy in place.
  • The travel industry is well behind overall averages with 86% of all domains having no policy in place and only 1% having a reject policy.
  • The Executive branch of the government leads all verticals with 81.5% of all their domains enacting a reject policy.
  • Law firms saw the greatest increase in overall adoption from 2018 to 2019 with a 19% increase. European and U.S. retailers had the second and third greatest increases with 14.8% and 12.5% overall adoption respectively.
  • The sectors who saw the smallest increase of overall DMARC adoption from 2018 to 2019 include the China Hot 100 with only a 1.9% increase and U.S. nonprofits with a 2.8% increase


Benefits of DMARC


In DMARC uses policies the administrator sets them defining the email authentication practices and what should the receiving email server do if an email violates a policy.

When the receiving email server gets a new email it makes a DNS lookup to check the DMARC. It will look for:

  • If the DKIM signature is valid.
  • The IP address of the sender, it is one of the allowed by him (SPF record).
  • If the header shows proper “domain alignment”.

With all of the above in consideration the server DMARC policy to accept reject or flag the email.

In the end, the server will send a message to the sender with a report.


Benefits for the sender of the email


  • Shows that the email uses authentication – SPF, and DKIM.
  • Receives feedback about the sent email.
  • Policy for failed email.


Benefits for the receiver of the email


  • Provide authentication for the incoming emails
  • Evaluating the SPF and DKIM
  • See what the sender prefer – policy
  • Returns feedback to the sender

Request Your Complimentary Domain Analysis