A study by Valimail – a cybersecurity firm – has been tracking the use of DMARC across millions of domains since 2017, and it has now recorded that the number of domains with DMARC records has exceeded 1 million – up from close to zero four years ago.
Although the company calls this a “significant milestone”, the overall enforcement effectiveness rate is only 13.9%, which means that 86.1% of businesses remain vulnerable to spoofing.
The study also shows that among Fortune 500 domains that publish a DMARC record, the enforcement rate has jumped to 30%. However, 79% of Fortune 500 domains can still be spoofed, since they either have no DMARC record at all or use DMARC only for monitoring (‘monitor mode’).
Unlike most US government domains, which are protected from spoofing by DMARC (thanks to Homeland Security, which mandates it), almost no businesses are achieving such high results. Most actually deserve a ‘C’, or in the best-case scenario a ‘D’, when it comes to using DMARC. Take a look at the enforcement rates by sector –
1) billion-dollar public companies – 14%;
2) global banks and financial services – 21%;
3) Fortune 500 – 21%;
4) global media companies – 10%;
5) global technology – 19%;
6) US federal government – 73%;
7) US health care – 11%; and
8) US utilities – 8%.
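As an added example (not code from the study or from Valimail), here is how a set of domains can be graded the way the study counts them: a domain is at enforcement only when it publishes a valid DMARC record with p=quarantine or p=reject; p=none is the ‘monitor mode’ described above; a missing or non-DMARC TXT record leaves the domain spoofable. The domains and records below are constructed for illustration; a real check would look up the _dmarc.<domain> TXT record instead.

```python
# Constructed sample records (not from the study), keyed by domain. In a real
# audit these would come from a DNS TXT lookup of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "media.example": "v=DMARC1; p=none; rua=mailto:reports@media.example",  # monitor mode
    "tech.example": "v=DMARC1; p=quarantine; pct=100",
    "utility.example": None,                                     # no record published
    "health.example": "v=DMARC1; p=quarantine; pct=20",          # partial rollout only
    "retail.example": "v=spf1 include:_spf.example -all",        # SPF, not DMARC
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the version tag must be exactly DMARC1 and a policy tag must be present;
    # anything else is ignored by receivers, so it gives no protection at all.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(record):
    """'none' (missing/invalid), 'monitor' (p=none), 'partial' (pct<100) or 'enforced'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    if tags["p"].lower() not in ("quarantine", "reject"):
        return "monitor"  # p=none or an unknown policy: receivers only report, never block
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    return "enforced" if pct >= 100 else "partial"

def enforcement_rate(records):
    """Share (in %) of domains at full enforcement, the metric the study reports."""
    if not records:
        return 0.0
    enforced = sum(1 for rec in records.values() if classify(rec) == "enforced")
    return round(100 * enforced / len(records), 1)

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:16} {classify(rec)}")
    print(f"enforcement rate: {enforcement_rate(SAMPLE_RECORDS)}%")
```

Only the two domains at `enforced` count towards the rate; the `partial` domain with pct=20 is the cautious rollout the study's respondents describe, and it still leaves most spoofed mail deliverable.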
Wondering why the rates are so low? According to the study, “too many organisations find it difficult to reach DMARC enforcement due to the complexity of their email ecosystems and the fear of accidentally blocking good senders when moving to a more restrictive policy.”
If you are interested (which you should be!) in reading the full study, you can download it here.