While the DMARC enforcement rate increases, 3 billion messages per day are still spoofing the sender’s identity, Valimail reveals. Email continues to be an effective way to communicate and use has increased during a year of global pandemic, and hackers continue to use email as a primary attack vector, stressing that email security is not going away.
The report analyzes trends in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC), a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.”
Email remains a leading source for cybercrime
Email remains a leading source for cybercrime, implicated in over 90% of all cyberattacks with the pandemic providing a new vantage point for these attacks.
Since the beginning of COVID-19, email security providers (ESPs) reported a surge in pandemic-themed phishing attacks taking advantage of people adjusting to working from home, in environments where they’re easily distracted, with less-secure computer hardware and networks.
Meanwhile, phishers readily deploy attacks, with the average phishing campaign lasting only 12 minutes, according to Google, which reports blocking 100 million phishing emails per day.
“Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO, Valimail.
“DMARC is not going away and the best thing a company can do is understand the potential exposure without it. By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issues, confidential information is obtained and reputations sink. This wave is only a starting point. Companies must step up as the risk of going without enforcement will only get worse.”
DMARC protected domains: Key findings
- Three billion messages per day are spoofing the sender identity used in their “From” fields.
- Domains without DMARC enforcement are 4.75x more likely to be the target of spoofing versus domains with DMARC enforcement.
- 80% of all email inbox providers do DMARC checks on inbound email.
- More than 1.28 million domain owners worldwide have configured DMARC for their domains, but only 14% of those are protected from spoofing by an enforcement policy.
- Among large organizations, 43.4% of domains have a DMARC policy at enforcement. Two percentage points higher than it stood in early 2020 and 3.5 percentage points higher than in early 2019.
- The U.S. federal government leads with DMARC usage, with 74% of domains protected.
- Global media companies and U.S. healthcare companies have the lowest rates of DMARC deployment and protection.