Interest in DMARC is growing, but anti-spoofing technology still only used in around 0.05% of active websites

The number of email domains deploying anti-spoofing DMARC technology is climbing towards the one million mark, a new study has revealed.

Valimail's Email Fraud Landscape Report found that 933,973 websites were using DMARC records as of the start of 2020, up 70% on the previous year.

However, with more than 1.7 billion web domains on the internet, this still only represents a tiny fraction of around 0.05% of active websites.

Furthermore, only 13% of the domains that deploy DMARC records – which notify email recipients that the domain is set up for the DMARC authentication protocol – are configured with instructions to apply pre-defined enforcement policies.

Without these enforcement policies, mail receivers will take no meaningful action against domain-impersonating emails that fail authentication, such as rejecting or quarantining suspect messages.

Valimail nonetheless found that domains without DMARC enforcement policies are spoofed nearly four times as often as domains with DMARC enforcement.

The security vendor found that domain spoofing attempts typically cease, or at worst dramatically decrease, within a few months of domains implementing DMARC.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that’s designed to protect against impersonation or spoofing.

The technology builds upon Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

A DMARC policy allows an organization to state that its messages are protected by SPF and/or DKIM, and instructs a recipient what to do if these authentication checks fail. Messages that fail could be either rejected or quarantined, depending on the sender's DMARC policy.

An organization sets up DMARC policy by modifying its Domain Name System (DNS) records.
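
As an added illustration (not code from Valimail or from the original article), the Python example below parses DMARC TXT records and sorts them into monitoring-only, partially enforced and enforced. The tag names (`v`, `p`, `pct`, `rua`) come from RFC 7489; the sample records and the category labels are constructed for this example, and the report's own criteria for "enforcement" are not given in the article.

```python
from collections import Counter

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # every tag must be key=value
        tags.setdefault(key.strip().lower(), value.strip())
    # RFC 7489: v must be the first tag and its value exactly "DMARC1"
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def enforcement_level(txt):
    """Label a record; the labels are this example's own, not the report's."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no valid record"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 policy discovery: with a rua tag, receivers act as if p=none
        # (simplification: the reporting URI's syntax is not checked here)
        return "monitoring only" if tags.get("rua") else "no valid record"
    if policy == "none":
        return "monitoring only"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # assumption: bad pct -> default 100
    return "enforced" if pct >= 100 else "partial enforcement"

SAMPLE_RECORDS = {  # constructed records, not real domains
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "ramping.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": "v=DMARC1; p=reject; sp=reject",
    "typo.example": "v=DMARC1; p=rejct; rua=mailto:dmarc@typo.example",
    "misordered.example": "p=reject; v=DMARC1",
    "spf-only.example": "v=spf1 include:_spf.example.com ~all",
}

def summarise(records):
    """Count how many records fall into each enforcement level."""
    return Counter(enforcement_level(txt) for txt in records.values())

if __name__ == "__main__":
    for level, n in summarise(SAMPLE_RECORDS).items():
        print(f"{level}: {n}")
```
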

In the UK, only four of the top 10 online retailers have implemented the strictest level of DMARC protection, according to a study by Proofpoint released last November.

DMARC enforcement sitrep

Falling enforcement rates have led Valimail to “the inescapable conclusion” that “interest in DMARC is growing, but DMARC expertise is not keeping pace.”

DMARC adoption is higher, but still far from ubiquitous, among enterprises and in certain sectors.

DMARC deployment at Fortune 500 brands (67%) is higher than in any specific sector examined, but with only 28% having an enforcement policy, only one in five of the 500 biggest US corporations have effective DMARC implementations.

Only 15% of global tech companies – who ought to be setting an example for those outside the sector – have DMARC enforcement policies in action.

It’s a different story in the public sector, with 79% of US federal government domains having DMARC records, of which 93% are enforced.

Valimail hailed the impact of a Department of Homeland Security directive, issued in 2017 when fewer than 20% of government domains had DMARC and almost none applied enforcement, mandating DMARC enforcement for most executive branch domains by January 2018.

“The UK government is also doing very well, for similar reasons,” Dylan Tweney, head of research at Valimail and the report’s author, told The Daily Swig.

“Other sectors probably won't show the same results until a similar kind of mandate is applied – either by an industry group or a governing body of some kind.”

DMARC enforcement rates

The US federal government aside, enforcement levels across categories as a percentage of companies deploying DMARC records were all well below 50%:

  • US Federal government – 93%
  • Global banks and financial services companies – 33%
  • Fortune 500 companies – 28%
  • Global tech companies – 24%
  • Billion-dollar publicly traded companies – 23%
  • Global media companies – 22%
  • US healthcare providers – 18%
  • US utilities – 13%

False positives

"The risk of false positive is the biggest hurdle,” said Tweney, referring to the report's warning that a failure to authorize services sending legitimate email on an organization’s behalf will cause mail servers to reject messages from those senders.

“Nobody wants to be the guy who flipped the switch on DMARC enforcement and suddenly a critical system can't send emails to the CEO or CFO,” said Tweney. “On top of that is the extreme difficulty of interpreting raw DMARC data and ensuring that you've correctly identified and authorized every service that needs to be authorized – even the most low-volume senders.

“The result is that many DMARC implementers deploy a record in monitoring mode, take a peek at the data, and get overwhelmed by the scope of the problem, and then delay or abandon their attempts to get to enforcement.”
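
As an added example (not from the article or from Valimail), this Python code reads a DMARC aggregate report and lists the sending IPs whose mail would fail once enforcement is switched on, along with the domains that mail did authenticate as. Element names follow the RFC 7489 aggregate-report schema; the report fragment, IP addresses and domains are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report fragment using RFC 7489 aggregate-report element names
SAMPLE_REPORT = """<feedback>
<record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
</record>
<record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results>
    <dkim><domain>mailer.example</domain><result>pass</result></dkim>
    <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
</record>
</feedback>"""

def failing_sources(report_xml):
    """Map each source IP with DMARC failures to its counts and the
    domains it did authenticate as (a hint to which service it is)."""
    # Real reports come from third parties: parse them with a hardened XML parser
    sources = defaultdict(lambda: {"total": 0, "failed": 0, "authenticated_as": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        entry = sources[row.findtext("source_ip")]
        entry["total"] += count
        # policy_evaluated holds the aligned results; DMARC passes if either passes
        if "pass" in (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf")):
            continue
        entry["failed"] += count
        for auth in rec.iterfind("auth_results/*"):
            if auth.findtext("result") == "pass":
                entry["authenticated_as"].add(f"{auth.tag}:{auth.findtext('domain')}")
    return {ip: e for ip, e in sources.items() if e["failed"]}

if __name__ == "__main__":
    for ip, e in failing_sources(SAMPLE_REPORT).items():
        hint = ", ".join(sorted(e["authenticated_as"])) or "nothing authenticated"
        print(f"{ip}: {e['failed']}/{e['total']} would fail enforcement ({hint})")
```

In the constructed data, the source that authenticates only under another domain matches the pattern of a third-party service that still needs authorizing, while the source that authenticates as nothing at all is the one to treat as suspect.
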

The US remains the largest source of spoofed email by volume, followed by Germany, Vietnam, Russia, and the UK. In terms of the percentage that are suspicious, the worst offenders are Vietnam, China, Russia, India, and Germany.

The rate of spoofing through exact-domain impersonation among Valimail authenticated email is about 1%, down from 2.3% in the first half of 2018, and 5% in 2017.

However, Valimail says the true rate is almost certainly higher since Valimail-managed domains have much higher enforcement rates.

Asked about the risk of misidentifying legitimate internal corporate or third-party emails as phishing emails, Tweney said: “The vast majority of [what we determine as suspicious] are highly correlated with sources known to us as high-volume senders of phishing emails, so it's quite likely that they are, indeed, illegitimate impersonations.”
