DMARC’s ability to confirm that a message really comes from the domain in its From: address seems like a no-brainer, and yet most organizations aren’t taking advantage of this protection to stop phishing attacks.
We’ve covered Domain-based Message Authentication, Reporting and Conformance (DMARC) before on this blog. It’s a valuable additional layer for your email security: a domain owner publishes a DNS policy telling receivers what to do with mail that claims to come from that domain but fails SPF or DKIM alignment, and receivers that honor the policy can quarantine or reject spoofed messages before they ever reach a user. It’s a cost-effective and, well… effective way to keep phishing emails that spoof a domain away from your users.
So, everyone is using it then, right?
According to the 2019 Global DMARC Adoption report from DMARC vendor 250ok, DMARC use is dismal. As shown below, nearly 80% of organizations worldwide publish no DMARC record at all, almost 12% have a “none” policy (p=none, which tells receivers to deliver everything as usual but still sends the domain owner reports on which sending sources did and did not authenticate), and only a combined 8.4% have an enforcing policy (quarantine or reject) in place to actively stop spoofed email.
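To make those three buckets concrete, here is an added example (not code from the original post or from 250ok) that parses DMARC TXT records and sorts domains into “no record”, monitor-only (p=none) and enforcing (quarantine/reject), the same split the report uses. The records and domain names are constructed for illustration; the one real-world wrinkle it models is that pct=0 turns a reject policy into monitoring in all but name.

```python
"""Bucket domains by DMARC posture: no record, p=none (monitor only),
or an enforcing policy (quarantine / reject).
Added example; all records below are constructed, not real domains' records."""
from collections import Counter
from typing import Dict, Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "paper-tiger.example": "v=DMARC1; p=reject; pct=0",  # reject on paper, monitoring in practice
    "broken.example": "p=reject; v=DMARC1",              # v= must be the first tag (RFC 7489 6.3)
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict.

    Returns None when the record is not a usable DMARC policy record:
    v=DMARC1 must be the first tag and a valid p= tag must be present.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    first_tag = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1" or tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def effective_policy(record: Optional[str]) -> str:
    """Map a record to one of: 'no record', 'invalid', 'none', 'quarantine', 'reject'.

    pct= (default 100) is the share of failing mail the policy is applied to,
    so p=reject with pct=0 is classified as 'none': nothing is actually blocked.
    """
    if record is None:
        return "no record"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: treat a malformed pct as the default of 100
    if policy in ("quarantine", "reject") and pct == 0:
        return "none"
    return policy


def adoption_summary(records: Dict[str, Optional[str]]) -> dict:
    """Tally the buckets and compute the 'enforced' and 'monitor only' percentages."""
    counts = Counter(effective_policy(r) for r in records.values())
    total = len(records)
    enforced = counts["quarantine"] + counts["reject"]
    return {
        "counts": dict(counts),
        "enforced_pct": round(100 * enforced / total, 1),
        "monitor_only_pct": round(100 * counts["none"] / total, 1),
    }


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:22} -> {effective_policy(rec)}")
    print(adoption_summary(SAMPLE_RECORDS))
```

To run this against your own domains, feed it the TXT record returned by a lookup of `_dmarc.<domain>` (for example `dig +short TXT _dmarc.example.com`) in place of the constructed strings; an empty answer maps to `None`.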
The report breaks adoption down by major countries, regions, and even industry verticals. Surprisingly, nearly all of the results look more or less like the overall average. Those leading the DMARC charge were:
- U.S. government executive branch domains, with 86.6% of the domains having some level of DMARC policy in place.
- The top 100 law firms globally, where DMARC of some form is implemented in 57% of organizations.
With no DMARC record, that 80% of organizations have nothing telling receivers to block mail that spoofs their domain, and domain spoofing is a staple of phishing attacks. This puts the onus on the users receiving those emails to tell the real from the spoofed. Users put through continuous Security Awareness Training are better able to spot and avoid phishing scams of all kinds, limiting both the attack surface of the organization and the impact of such attacks.