250ok’s new Global DMARC Adoption report found that over 80% of business email domains lack DMARC protection. The analysis covered 25,700 domains in the education, e-commerce, legal, financial services, SaaS and nonprofit sectors, as well as the Fortune 500, U.S. government and China Hot 100 sectors. The findings showed that the majority lacked Domain-based Message Authentication, Reporting and Conformance (DMARC) policies. DMARC is considered the industry standard for email authentication to prevent attacks in which adversaries send mail with spoofed addresses.

By enabling DMARC on an email domain, companies lower the odds of their domains being spoofed and used for phishing attacks.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok, in the report. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”

Global DMARC Adoption 2019 (21,075 domains)

  • Domains with no DMARC policy: 79.7%
  • Enabled with none policy: 11.9%
  • Enabled with quarantine policy: 2.3%
  • Enabled with reject policy: 6.1%

A DMARC policy is designed to be enabled incrementally: it will likely start with a simple reporting-only policy, which can be gradually tightened to quarantine or block messages that fail a DMARC check before they reach the intended recipient.

In the early reporting phase, when DMARC is first implemented, a company will receive daily aggregate DMARC reports from email hosting providers showing the number of messages they’ve seen using their domains, how many messages passed or failed authentication and the authentication results of the mail.

Once the reporting phase is completed, the next step is quarantine, where mail is routed to the spam/quarantine/junk folder. For the most aggressive setup under DMARC, domains can choose to use a reject policy, which will stop mail that fails authentication from even being accepted by the receiving email provider.
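As an added example (not taken from the 250ok report or the original article), the script below shows how the aggregate reports from the reporting phase can be used to estimate what a quarantine or reject policy would act on. It assumes the RFC 7489 aggregate-report XML layout; the function names, the sample report and its documentation-range IP addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf):
    # Builds one constructed <record> in the RFC 7489 aggregate-report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample report for example.com while it publishes p=none (not real data).
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _record("192.0.2.10", 940, "pass", "pass")    # own mail server
    + _record("198.51.100.7", 50, "fail", "pass")   # third-party sender, SPF aligned only
    + _record("203.0.113.99", 10, "fail", "fail")   # unauthenticated source
    + "</feedback>")

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} of DMARC results by message count."""
    # xml.etree keeps this stdlib-only; reports arrive from outside parties,
    # so a production parser should use a hardened XML library.
    root = ET.fromstring(report_xml)
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        per_source[row.findtext("source_ip", "unknown")][verdict] += count
    return dict(per_source)

def enforcement_impact(summary):
    """Share of reported mail that quarantine/reject would act on, and its sources."""
    total = sum(s["pass"] + s["fail"] for s in summary.values())
    failed = sum(s["fail"] for s in summary.values())
    sources = sorted(ip for ip, s in summary.items() if s["fail"])
    return (failed / total if total else 0.0), sources

if __name__ == "__main__":
    rate, sources = enforcement_impact(summarize(SAMPLE_REPORT))
    print(f"{rate:.1%} of reported mail fails DMARC; sources: {sources}")
```

Failing sources that turn out to be legitimate senders need their SPF or DKIM fixed before the policy is moved to quarantine or reject.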

DMARC Adoption by Industry Sectors

[Figure: percentage callouts, values not preserved. Captions: No DMARC policy for most valuable Chinese brands; Nonprofit organizations without DMARC; Travel industry with no DMARC policy; US Postsecondary Education with DMARC]

Internet Retailers DMARC Adoption 2019 (3,033 domains)

Internet retailers are increasing adoption of DMARC on their domains with a general push for DMARC support from their email service providers.

  • Domains with no DMARC policy: 71%
  • Enabled with none policy: 21%
  • Enabled with quarantine policy: 4%
  • Enabled with reject policy: 3%

FORTUNE 500 DMARC Adoption 2019 (1,780 domains)

Only 23 percent of companies in the Fortune 500 have some form of DMARC policy despite being the largest organizations in terms of revenue.

  • Domains with no DMARC policy: 77%
  • Enabled with none policy: 15%
  • Enabled with quarantine policy: 3%
  • Enabled with reject policy: 5%

LAW FIRMS DMARC Adoption 2019 (100 domains)

Law firms had the greatest increase in overall adoption from 2018 to 2019, with a 19 percent increase.

  • Domains with no DMARC policy: 43%
  • Enabled with none policy: 39%
  • Enabled with quarantine policy: 7%
  • Enabled with reject policy: 11%

DMARC Adoption of Law Firms when compared to 2018

As one of the best performing sectors when it comes to DMARC adoption, the percentages below show how much it has increased from last year.

  • Overall adoption increased from 62%
  • None policy adoption up from 33%
  • Quarantine policy adoption up from 2%
  • Reject policy adoption up from 3%

NONPROFIT ORGANIZATIONS DMARC Adoption 2019 (7,300 domains)

With 9 out of 10 NPO domains failing to adopt DMARC for their email systems, this part of the market is mostly not embracing DMARC as a policy to combat email phishing and spoofing. The chart below looks at US-based NPOs.

  • Domains with no DMARC policy: 91%
  • Enabled with none policy: 7%
  • Enabled with quarantine policy: 1%
  • Enabled with reject policy: 0.5%

Comparing NPOs around the world

A look at NPOs from the UK, US, Canada and Australia that are not implementing a DMARC policy.

[Figure: percentage callouts, values not preserved. Captions: US NPOs with no DMARC policy; UK NPOs with no DMARC policy; Canadian NPOs with no DMARC policy; Australian NPOs with no DMARC policy]

FINANCIAL SERVICES DMARC Adoption 2019 (2,186 domains)

A look at DMARC records for over 2000 of the top financial services firms in the United States found that over 70% of firms had no DMARC policy in place.

  • Domains with no DMARC policy: 72%
  • Enabled with none policy: 19%
  • Enabled with quarantine policy: 4%
  • Enabled with reject policy: 6%