Editor’s Note: This blog post originally appeared on the Agari Email Security Blog.
By Fareed Bukhari
DMARC adoption rose a tepid 1% in the first quarter of the year, with the rate of growth slowing compared to the last three months of 2018, according to our latest report on email security trends. Meanwhile, nearly 90% of Fortune 500 businesses remain unprotected against email-based impersonation attacks targeting their customers, partners, and other businesses, and Australian companies lead their peers around the world in leaving the public exposed.
The Q2 2019 Email Fraud and Identity Deception Report from the Agari Cyber Intelligence Division (ACID) identified 6.75 million domains with valid DMARC records out of the 328 million domains examined from January 1 through March 31. The quarterly reports from ACID represent the industry’s largest ongoing study of DMARC adoption worldwide.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an open-standard email authentication protocol that helps businesses prevent cybercriminal organizations from spoofing or hijacking their domains to launch email scams designed to defraud consumers and businesses. According to reports in TechRepublic, Microsoft, PayPal, Bank of America, Dropbox and others may have discovered just how dangerous brand impersonation can be in the last few months.
Last year, email-based brand impersonation scams surged 250 percent. According to the FBI, the price tag for US-based businesses topped $2.7 billion. Consumers in the United States lose an average $1.4 billion per year through these and other forms of Internet fraud.
This quarter’s report marks the first to include DMARC implementation by region. On that score, it may serve as a wake-up call for some of the world’s largest companies.
The US and Germany Lead in DMARC
DMARC gives brands control over who is allowed to send emails on their behalf. Among other things, it enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.
Failure to implement DMARC at its strictest enforcement setting, p=reject, leaves an easily identified weakness: the policy is published as a public DNS TXT record, so anyone can see which domains will let unauthenticated mail through. Cybercriminals often spoof such domains to send large volumes of phishing attacks targeting the domain owner's customers and partners, and the ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures. Or it may experience reduced deliverability rates for legitimate email, hurting important digital revenue streams.
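The following is an added example of what a receiving mail server does with the policy a domain publishes; it is not Agari code and not taken from the report. It parses a DMARC TXT record, checks identifier alignment between the visible From: domain and whatever SPF or DKIM already authenticated, and returns the disposition the receiver is asked to apply. The zone data is constructed (the .example names are not real), the `dns` dict stands in for live TXT lookups of `_dmarc.<domain>`, and the organizational-domain derivation is simplified to the last two labels; production code must use the Public Suffix List instead.

```python
# Added example: applying a sender's DMARC policy at the receiver.
# Not Agari code; the zone data below is constructed for illustration.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: "v=DMARC1" must be the first tag and "p" is required.
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    if tags["p"].lower() not in ("none", "quarantine", "reject"):
        return None
    tags["p"] = tags["p"].lower()
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption for this example only: real code must use the Public Suffix List,
    otherwise names like example.co.uk are handled wrongly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment between the From: domain and an authenticated domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode.lower() == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(dns, from_domain):
    """Find the DMARC record covering from_domain and the policy that applies to it.

    `dns` stands in for TXT lookups of _dmarc.<domain>. A record on the exact
    domain wins; otherwise the organizational domain's record applies, using its
    'sp' (subdomain policy) tag when present.
    """
    from_domain = from_domain.lower()
    record = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if record:
        return record, record["p"]
    org = org_domain(from_domain)
    if org != from_domain:
        record = parse_dmarc(dns.get("_dmarc." + org, ""))
        if record:
            return record, record.get("sp", record["p"]).lower()
    return None, None


def evaluate(dns, from_domain, spf_domain=None, dkim_domains=()):
    """Return (dmarc_result, disposition) for one message.

    spf_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_domains: d= values of DKIM signatures that verified.
    Both are assumed to have been checked already by the receiver.
    """
    record, policy = lookup_policy(dns, from_domain)
    if record is None:
        return "none", "none"      # no DMARC record: the receiver is told nothing
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = any(aligned(from_domain, d, record["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy          # policy is what the domain owner asked for


# Constructed zone data (not real domains): a monitor-only record beside an enforced one.
SAMPLE_DNS = {
    "_dmarc.monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "_dmarc.enforced.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
}

if __name__ == "__main__":
    cases = [
        ("monitor-only.example", "attacker.example", ()),        # spoof, but p=none delivers it
        ("enforced.example", None, ()),                          # spoof, rejected
        ("enforced.example", "bounce.enforced.example", ()),     # relaxed SPF alignment passes
        ("enforced.example", None, ("mail.enforced.example",)),  # strict DKIM alignment fails
        ("news.enforced.example", None, ()),                     # subdomain falls under sp=
    ]
    for from_domain, spf, dkim in cases:
        print(from_domain, evaluate(SAMPLE_DNS, from_domain, spf, dkim))
```

The monitor-only case is the point of the article: the spoofed message fails DMARC, yet the disposition handed to the receiver is still "none", so it is delivered and the owner only learns about it from aggregate reports sent to the rua= address. Against a real domain, replace the dict with a lookup such as `dig +short TXT _dmarc.example.com`; the example also ignores the pct= tag, which lets an owner apply the policy to only a fraction of failing mail during rollout.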
According to our analysis, Germany leads all surveyed geographies in registered domains with DMARC records, accounting for nearly a sixth of the world's DMARC records overall and the highest count of country-code domains with a record. Predictably, given that volume, Germany also ranks highest in DMARC records left at the monitor-only p=none setting, which unfortunately does nothing to stop illegitimate email from being delivered to inboxes.
Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains assigned DMARC records, it is number one in the number of DMARC records with an established p=reject enforcement policy, making it the leader in domains that are truly protecting against impersonation.
It's easy to see why. According to industry studies, the US is the single most heavily targeted nation by cybercriminals. But this relative leadership in enforcement policies may say more about the rest of the world than about the readiness of US business as a whole, because the picture only gets worse from there.
Fortune 500 Making (Slow) Progress — But Dangers Persist
During the first quarter of the year, DMARC adoption remained lethargic with the largest US corporations continuing to implement email authentication at a measured pace. Over half of all Fortune 500 companies have assigned DMARC records, up 5% from the previous quarter. But 42% of those companies have yet to publish an enforcement policy.
Meanwhile, more than 5% have implemented a quarantine policy, which tells receivers to send unauthenticated email to the spam folder, in line with the end of last year. And just 55 companies in the index have implemented a reject policy to block phishing attempts impersonating their brands. While that's an 8% jump from December 2018, it means 89% of the Fortune 500 remains vulnerable to impersonation attacks, as do their customers.
Still, the largest companies in other nations may have it worse. Only 14 companies on the FTSE 100 have implemented DMARC with a reject policy, for instance. And in Australia, significant educational efforts may be required to boost DMARC adoption.
Today, only 7 companies on the ASX 100 have implemented DMARC to reject, and 55% of the ASX 100 have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks that bear their names. In fact, Australia is getting hit harder by fraud than peers in many other countries, according to CSO. Consumers and businesses there lost more than $107 million to email-based impersonations in 2018 — up 43% in just one year.
DMARC: Not Just Defense
All of this may seem discouraging, but the progress seen over the last quarter matters. The fact is, effectively deploying DMARC across hundreds, if not thousands of domains across a corporation’s entire email ecosystem can be daunting. But there’s growing evidence that in addition to squelching email-based brand impersonations, DMARC can pay some serious dividends — if it’s done right.
According to a study from Forrester Research, businesses using Agari Brand Protection™, for instance, have successfully seen impersonation attempts drop to near zero in a matter of weeks. And by avoiding the kind of negative headlines and brand erosion that result from such scams, organizations have also seen email conversion rates for their own, legitimate email programs climb an average of 10%.
Considering the average ROI in brand email campaigns is as high as $38 for every $1 spent — by far the highest of any digital channel — that can translate into millions in additional incentives to deploy DMARC now.
For more on DMARC adoption across industries and geographies, download a copy of the Q2 2019 Email Fraud & Identity Deception Trends Report.