Email domains without DMARC enforcement spoofed nearly 4X as often

As of January 2020, nearly 1 million (933,973) domains have published DMARC records, an increase of 70% compared to last year and more than 180% growth in the last two years. In addition, 80% of all inboxes worldwide perform DMARC checks and enforce domain owners’ policies, provided the domain owners have configured DMARC, a new Valimail report reveals.

However, just 13% of all DMARC records are configured with enforcement policies, demonstrating that interest in DMARC is increasing but DMARC expertise is not keeping pace.

“Given DMARC’s benefits, it comes as no surprise its rate of adoption has been growing consistently,” said Alexander García-Tobar, CEO and co-founder, Valimail.

“But publishing a DMARC record is just the first step — enforcement must be reached before a domain is protected, and trust can be restored to email.

“There’s an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn’t work, and move on to easier targets.”

Additional key data points

  • At a minimum, 1% of global email volume is sent using a spoofed domain.
  • The United States remains the largest source of spoofed email by volume.
  • Russia, China, Vietnam and India continue to have a proportionally high number of spoofs among email originating from these countries.
  • 79% of US federal domains have DMARC records and 93% of those are at enforcement, a tribute to the success of a 2017 directive from the Department of Homeland Security, BOD 18-01.
  • 23% of billion-dollar companies’ domains are at DMARC enforcement.

The research from Valimail was compiled by analyzing a broad cross-section of company sizes and revenues across eight different verticals.
