250ok study analysed DMARC implementation across 25,700 domains in 10 sectors.
250ok, an Indianapolis-based email intelligence platform, recently released their report, Global DMARC Adoption 2019, revealing that 79.7 per cent of all domains analysed have no DMARC policy in place. By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. A domain that implements no form of DMARC policy leaves its recipients exposed to possible phishing attacks and, unsurprisingly, 91 per cent of all cyberattacks begin with a phishing email.
Phishing and spoofing attacks against consumers are likely to occur when companies do not have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies in place. DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful email using a counterfeit address.
“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”
250ok’s Global DMARC Adoption 2019 report analysed domains across multiple sectors including education, e-commerce, Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services, and travel. The report looks into whether the organisation or parent domain, excluding any subdomains, implements any level of DMARC policy, from none (good) to quarantine (better) to reject (best), or has no policy whatsoever.
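The methodology above buckets each domain by the policy in its DMARC record (no policy, none, quarantine or reject), and the earlier paragraph describes DMARC as the authentication standard that sits on top of SPF and DKIM. The following Python script is an added example, not 250ok's own tooling: it parses DMARC TXT records as a mail receiver would (the `v=DMARC1` tag must come first, a `p=` tag is required, and a domain that publishes more than one DMARC record is treated as having none, per RFC 7489), classifies each domain into the report's four buckets, and computes adoption percentages. The domain names and records in `SAMPLE_DOMAINS` are constructed for illustration; in practice the records come from the TXT lookup at `_dmarc.<domain>`.

```python
"""Classify DMARC records into the buckets used by the 250ok report.

Added example (not 250ok's code). The records below are constructed;
real ones are the TXT record(s) published at _dmarc.<domain>.
"""
import re
from collections import Counter
from typing import Optional

# Policy levels from weakest to strongest, as named by the "p" tag (RFC 7489).
POLICY_RANK = {"none": 1, "quarantine": 2, "reject": 3}

# Receivers only consider TXT records that begin with the DMARC version tag.
_VERSION_TAG = re.compile(r"\s*v\s*=\s*DMARC1\s*(;|$)", re.IGNORECASE)


def parse_dmarc(record: str) -> Optional[dict]:
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dictionary.

    Returns None when the record is unusable: the first tag must be
    'v' with the exact value 'DMARC1', and a valid 'p' tag is required.
    """
    tags: dict = {}
    order: list = []
    for part in record.split(";"):
        part = part.strip()
        if not part:              # tolerate a trailing ';'
            continue
        if "=" not in part:       # malformed tag-value pair
            return None
        name, value = part.split("=", 1)
        name = name.strip().lower()
        tags[name] = value.strip()
        order.append(name)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in POLICY_RANK:
        return None
    return tags


def classify(txt_records: list) -> str:
    """Bucket one domain as 'no policy', 'none', 'quarantine' or 'reject'.

    More than one DMARC record (or zero) means receivers apply no policy,
    so both cases land in the 'no policy' bucket.
    """
    candidates = [r for r in txt_records if _VERSION_TAG.match(r)]
    if len(candidates) != 1:
        return "no policy"
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "no policy"
    return tags["p"].lower()


def adoption_summary(domains: dict) -> dict:
    """Percentage of domains in each bucket, rounded to one decimal place."""
    counts = Counter(classify(records) for records in domains.values())
    total = len(domains)
    return {bucket: round(100.0 * counts[bucket] / total, 1)
            for bucket in ("no policy", "none", "quarantine", "reject")}


# Constructed sample: domain -> list of TXT records found at _dmarc.<domain>.
SAMPLE_DOMAINS = {
    "example-bank.test":    ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "example-gov.test":     ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-gov.test"],
    "example-shop.test":    ["v=DMARC1; p=quarantine; pct=100"],
    "example-charity.test": ["v=DMARC1; p=none; rua=mailto:reports@example-charity.test"],
    "example-law.test":     [],                                   # no _dmarc record at all
    "example-travel.test":  ["v=spf1 -all"],                      # SPF published, no DMARC
    "example-dup.test":     ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: ignored
    "example-bad.test":     ["p=reject; v=DMARC1"],               # version tag not first
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DOMAINS.items():
        print(f"{domain:24s} {classify(records)}")
    print(adoption_summary(SAMPLE_DOMAINS))
```

To feed real data into `classify`, fetch the records with `dig +short TXT _dmarc.example.com` and pass the quoted strings as a list. Note that the script deliberately counts a malformed record, or a duplicated one, as "no policy", because that is how receivers treat it: a domain owner who believes they are protected by a record that is silently ignored is in the same position as one who never published anything.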
Key takeaways from select sectors include:
- For the second year in a row, Chinese companies are the least likely to adopt any DMARC policy, with 93.5 per cent of domains having no policy in place.
- Non-profit organisations are largely failing to adopt DMARC (91.4 per cent have no policy in place) while they continue to hold a significant amount of personal data.
- Only 23 per cent of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.
- The SaaS 1000 is the best non-public vertical surveyed, with only 54 per cent without a policy in place.
- The travel industry is well behind overall averages with 86 per cent of all domains having no policy in place and only 1 per cent having a reject policy.
- The Executive branch of the government leads all verticals with 81.5 per cent of all their domains enacting a reject policy.
- Law firms have the greatest increase in overall adoption from 2018 to 2019, with a 19 per cent increase. European and U.S. retailers had the second and third greatest increases with 14.8 per cent and 12.5 per cent overall adoption, respectively.
- The sectors with the smallest increase of overall DMARC adoption from 2018 to 2019 include the China Hot 100 with only a 1.9 per cent increase, and US nonprofits with a 2.8 per cent increase.
A 2018 study from the Anti-Phishing Working Group reported a decline in reported phishing attacks during Q4 2018. However, this is not due to fewer attacks, but to the growing complexity of phishing attacks. Thanks to new tactics like multiple redirects and valid security certificates, phishing is harder to detect than ever before. There was a 29.8 per cent increase in phishing scams targeting SaaS companies in an attempt to get data and credentials.