Only 1 in 5 enterprises have DMARC records set up with an enforcement policy

More companies than ever are adopting new email security methods, like DMARC, but few actually put them to full use.

How the Department of Homeland Security is cracking down on phishing

Security company Vailmail released the Summer 2019 Email Fraud Landscape report on Tuesday highlighting recent efforts by enterprises to protect email accounts from cyberthreats. 

The report mostly focuses on the adoption rate of Domain-based Message Authentication, Reporting and Conformance (DMARC), a system that allows email domain owners to protect their domain from unauthorized use or "spoofing." 

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)

Vailmail's researchers found that most enterprises were taking a positive step forward and saw a huge spike in DMARC adoption worldwide. Yet despite widespread adoption, the study found more than 90% of enterprise domains remain vulnerable to email impersonation attacks.

By using DMARC and other similar authentication systems, domain owners can publish text files in the Domain Name System (DNS) laying out specific policies for how mail receivers should deal with unauthenticated email that appears to come from their domains.

According to the Vailmail survey, less than 17% of the 850,000 domains with DMARC records are currently at enforcement, meaning 83% have DMARC but no enforcement policy. Without an enforcement policy, fake email messages still get through. 

Just one in five large enterprises that have DMARC records have also set it up with an enforcement policy.

"The identity crisis of email has never been more apparent," said Alexander García-Tobar, CEO and co-founder of Vailmail. "The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."

Of all the sectors studied in the survey, the US government had the highest DMARC adoption coupled with enforcement policies. Since the last report, US government entities had gone up 2% to reach 93% adoption of DMARC records at enforcement.

The report said that Business Email Compromise (BEC), one of the fastest growing versions of phishing attacks, caused more than $26 billion in losses since 2016. (Nearly 90% of email attacks use impersonation as its main mode of attack, where cybercriminals pretend to be brands or people an email user might know like a boss or mother.) Business Email Compromise attacks train its focus on companies by bombarding them with fake invoices, direct deposit forms, bogus product orders, or requests for gift cards.

Vailmail's report added that there were other widely accepted email authentication standards resembling DMARC, like SPF, DKIM, ARC, and BIMI. All of these contributed to efforts to protect email from damaging attacks. 

The good news is that Vailmail's report said almost all major inbox providers worldwide do DMARC checks on all incoming messages. According to Valimail's analysis, 5.34 billion email inboxes support DMARC.

There are more than 850,000 domains with DMARC records as of mid-September, representing an increase of more than 250,000 records since January. This is a huge increase considering that in July 2016, only 158,901 domains had DMARC records.

The problem is that of the 850,000 domains with DMARC, just 140,000 have DMARC records set to a policy of enforcement. Vailmail's survey said DMARC usage is seeing wider adoption among larger companies, many of which populate the Fortune 500 list. The report said DMARC usage is more than 50% in most tech companies and the federal government.

Outside of those verticals, most industries had an adoption rate of about 20%. Finance companies and banks, specifically, are realizing the need for DMARC, but their adoption rate is still just above 40%

"The threat of phishing is real, and the largest and fastest-growing category of phishing attacks, Business Email Compromise (BEC), makes use of impersonation techniques. These attacks can penetrate a key weakness in existing enterprise email security systems: Their inability to reliably validate and authenticate sender identity. Email authentication is only part of the solution. To truly stop BEC and protect the enterprise from email fraud, organizations need to deploy robust sender identity solutions in addition to their existing, content-centric email security solutions," the report said.

Also see


Image: Andrey Popov, Getty Images/iStockphoto