DMARC Report: 85% of Fortune 500 Leave Their Customers Vulnerable to Impersonation Scams

3 min readMar 31, 2020


Editor’s Note: This blog was originally found on the Agari Email Security blog.

By Mike Paiko

Despite increased adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC), the vast majority of Fortune 500 companies remain at risk of email-based brand impersonation, according to our new Q1 2020 Email Fraud & Identity Deception Trends report.

According to the report, global DMARC adoption rates surged 83% in 2019, to more than 11.6 million email domains with recognizable DMARC policies. But that represents just a tiny fraction of a total universe of more than 366 million domains surveyed by the Agari Cyber Intelligence Division (ACID) in the largest quarterly study of DMARC adoption trends worldwide.

And despite measured progress over the past year, 85% of the Fortune 500 remain vulnerable to cybercriminals seeking to highjack their domains — and their brand identities — for use in email scams targeting their customers and other consumers and businesses.

Just ask DHL, American Express, Microsoft or any number of other organizations impersonated in a growing number of phishing, BEC and other email attacks that led to more than $3.5 billion in business and consumer losses in 2019, according to the FBI’s 2019 Internet Crimes (IC3) report.

Essential to Brand Protection

Email figures into more than 80% of all brand impersonation scams, which have surged 11X since 2014. This matters because for more than 72% of consumers and 86% of business professionals, email is the preferred communications channel for interacting with the brands with which they do business.

With an ROI of $38 for every $1 invested, email marketing and communications are by far the most important digital channels for revenue generation in a brand’s arsenal — and cybercriminal organizations know that. As it stands now, 22.9 new phishing attacks impersonate trusted businesses every minute. Nearly one in five emails is now suspicious.

Get impersonated, and your brand will be blamed for it — and it could cost you plenty. The negative publicity can get your own, legitimate email campaigns blacklisted by receiver systems. Even if they don’t, deliverability rates can still take a nosedive. The impact on your bottom line can be brutal.

DMARC is a standard email authentication protocol that prevents hackers from using your domains to launch email scams by giving you control over who is allowed to send emails on your behalf. It also enables ISPs (Google, Yahoo!, Microsoft, etc.) to recognize when an email isn’t coming from one of your company’s approved domains, and tells the ISP what to do with those unauthorized email messages.

But just because you assign a DMARC record to your domains doesn’t mean you’re truly protected. DMARC must be implemented at its highest enforcement level, p=reject, to prevent your domains from being used to stage outbound phishing attacks impersonating your brand.

Adoption Trends and the Fortune 500

By the end of 2019, our data shows that only 15% of Fortune 500 companies have a DMARC record set to p=reject — up just 5% year-over-year. By comparison, 18% of the UK’s FTSE 100 companies have fully implemented DMARC. (If it’s any consolation, just 10% of Australia’s ASX 100 have done the same.)

But this begs another question. If DMARC adoption rose more than 80% worldwide last year, what’s keeping the world’s most powerful companies — the ones most likely to be impersonated due to the enormous brand equity they’ve fostered with customers — in the slow lane?

The truth is, implementing DMARC can be daunting for large companies with thousands of domains spanning numerous various business units, outside agencies, and other email distribution partners.

But organizations using email authentication solutions such as Agari Brand Protection™, emails sent by fraudsters seeking to impersonate their businesses rapidly drop to near zero. What’s more, Forrester Research has found that large organizations using Agari Brand Protection have seen their email conversion rates climb an average 10%, leading to an average $4 million boost in revenues thanks to increased email engagement.

To learn more about DMARC and best practices for preventing phishing-based brand impersonation, download a free copy of the Q1 2020 Email Fraud & Identity Deception Trends report.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.