The adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) is growing. More and more top companies and brands are realizing how important it is to protect their domains against phishing and spoofing. DMARC provides a powerful solution for that protection.
But exactly how popular is DMARC? And how can you monitor its growth in a broad, industry-wide fashion? To answer these questions, we’ve been tracking DMARC adoption and policy changes for over a year, capturing monthly snapshots of DMARC adoption among the top 10 million domains. Let’s dive into this interesting DMARC data.
Our approach to capturing DMARC adoption data
This data offers a unique glimpse into how major players are adopting DMARC to stay ahead in email security. I chose this data set in the hope that it correlates with brand or company size or reach. I suspect that the domains at the highest end of the top 10 million are probably more likely to be phished and spoofed, and that these entities are most likely to be learning about security best practices sooner rather than later.
This particular data set is useful in that it’s a domain set not specific to any particular DMARC vendor or security company. It’s a good way to help show a snapshot of DMARC “out in the real world” without the domains being checked being explicitly defined by any particular vendor.
However, the data is a bit imperfect, in that the top 10 million are ranked based on web traffic, not email traffic. In that way, there’s not necessarily a perfect correlation between “popular email domains” and DMARC adoption to be drawn from this data, but I do think it’s a useful rough correlation.
Of course, this data doesn’t represent the whole picture of DMARC adoption. Many domains beyond the top ten million utilize DMARC for spoofing and phishing prevention. So, while there may be limits to the scientific application of this data, I think it provides a good “broad strokes” point from which to observe DMARC’s growth worldwide.
Now that we’ve got all of that out of the way, here’s what the data shows today, as of September 2024.
DMARC growth: June 2023 through August 2024
Among the top 10 million domains, DMARC adoption saw a significant boost starting in January/February 2024. By the end of February 2024, the data shows that the updated Yahoo/Google sender requirements drove more than a half million of that top 10 million to publish a DMARC record. Thank you, Yahoo and Google, for driving significant DMARC adoption!
While we’re grateful for their efforts to increase the reach and understanding of DMARC across the email ecosystem, it is important to note that many folks implementing DMARC anew chose to implement a policy of p=none, which Yahoo and Google described as the bare minimum to meet their new DMARC-specific requirements. Unfortunately, a policy of p=none means your domain is NOT protected against phishing and spoofing. Read more about that here.
Take heed, those who have implemented a DMARC policy of p=none: The inbox providers are likely to upgrade their DMARC policy minimum requirement in the future to p=quarantine or p=reject. And even without that on the horizon, domain protection is still very important. A policy of p=quarantine or p=reject is required to protect against phishing and spoofing.
From April 2024 onward, we’ve started to approach the 2 million mark—the point at which we can say that DMARC implementation among the top 10 million has hit 20%. Depending on how carefully one excludes malformed records, when you can say we’ve hit that milestone might vary, but the important point is that we’ve reached it.
Over the past couple of months, we’ve crossed the 2 million threshold—20% of domains in that dataset now have DMARC records!
What if we exclude p=none?
What do we see when we exclude p=none to look for domains that have implemented a better, more restrictive DMARC policy? The good news is that the data shows that even through this view, DMARC adoption continues to grow. The jump near the start of the year was much smaller, but it’s still there, and adoption continues to grow, month over month.
Keep in mind that this data set of the top 10 million domains does not capture the many millions of additional domains publishing a DMARC record today—it is very much just a specific view of a certain set of domains.
But even if you look at just this data set, DMARC has been newly implemented, with a quarantine or reject policy, by more than 10,000 domains every month for the past five months!
Malformed records
Not pictured here: every month’s data snapshot contains at least a couple thousand malformed DMARC records. Either the record contains no policy field, or it contains a policy that doesn’t exist in the spec (p=policy being one example of that), or it has a reporting address that goes nowhere (to a demo or dummy domain such as solarmora, contoso.com, or example.com – those should never appear in DMARC records).
I’m not identifying every possible way a DMARC record can be malformed in this data, but a casual review shows enough data issues to remind folks that it is indeed possible to implement DMARC incorrectly.
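The sketch below is an added example, not the code used to produce the data in this article. It sorts DMARC TXT records into the views discussed above (p=none, p=quarantine or p=reject, and malformed), checking only the three defects named in this section. The sample records, the `.test` domains and the choice to count a malformed record in neither policy bucket are assumptions.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}
DUMMY_DOMAINS = ("contoso.com", "example.com")  # plus any "solarmora" label

def parse_tags(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def report_domains(tags):
    """Domains of every mailto: address in rua/ruf (optional !size suffix dropped)."""
    found = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip().lower().startswith("mailto:") and "@" in uri:
                found.append(uri.rsplit("@", 1)[1].split("!", 1)[0].strip().lower())
    return found

def is_dummy(domain):
    """True when reports would go to one of the demo domains named above."""
    return "solarmora" in domain.split(".") or any(
        domain == d or domain.endswith("." + d) for d in DUMMY_DOMAINS)

def classify(record):
    """Return (bucket, reasons); assumption: malformed records are never 'enforcing'."""
    tags, reasons = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if "p" not in tags:
        reasons.append("no policy field")
    elif policy not in VALID_POLICIES:
        reasons.append(f"policy {policy!r} is not in the spec")
    reasons += [f"reports go to dummy domain {d}"
                for d in report_domains(tags) if is_dummy(d)]
    if reasons:
        return "malformed", reasons
    return ("none" if policy == "none" else "enforcing"), reasons

# Constructed sample records, not taken from the article's data set.
SAMPLES = {
    "a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@reports.a.test",
    "b.test": "v=DMARC1; p=none; rua=mailto:dmarc@reports.b.test",
    "c.test": "v=DMARC1; p=policy",
    "d.test": "v=DMARC1; rua=mailto:dmarc@reports.d.test",
    "e.test": "v=DMARC1; p=quarantine; rua=mailto:admin@contoso.com",
    "f.test": "v=DMARC1; p=none; rua=mailto:dmarc@solarmora.com!10m",
}

def tally(records):
    """Count records per bucket, the way a monthly snapshot would be summarized."""
    return Counter(classify(txt)[0] for txt in records.values())
```

Running `tally(SAMPLES)` shows how much the "enforcing" count depends on whether malformed records are excluded: `e.test` publishes p=quarantine but lands in the malformed bucket because its reports go to a demo domain.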
Get started on your DMARC journey today
We are the DMARC experts and can guide you through the process of getting started with domain monitoring and protection. Sign up for Valimail Monitor today to see just how easy it is to get started and gain visibility into email phishing and spoofing attempts.
Industry Research and Community Engagement Lead at Valimail
Al Iverson