Valimail regularly queries many millions of domains for the presence of published DMARC and SPF records, and performs detailed analysis on any records that we find.
For our recent Q2 2018 Email Fraud Landscape, we examined the DMARC records published by thousands of companies in 11 different categories. For most of these categories we have data from three successive quarters, which provides a revealing window not only on how these industries compare to one another, but also how they are changing over time.
First, the good news: The use of DMARC is increasing rapidly across the board. Data from Farsight shows that the number of published DMARC records tripled over the course of 2017, and Valimail has seen correspondingly rapid growth in DMARC usage across many categories.
DMARC failure rates are high
However, publishing a DMARC record is only a small piece of the email authentication journey.
Domain owners must ensure that all cloud-based services that send email are duly authorized. They need to ensure that the DMARC and SPF records are all correctly configured. And then they need to switch their DMARC policy to enforcement (a “reject” or “quarantine” policy) if they wish to realize the standard’s anti-impersonation benefits.
To date, most companies that attempt DMARC do not complete the journey. The enforcement failure rate — the percentage of companies that deploy a DMARC record but don’t get to enforcement — hovers around 80 percent for almost every category of company we have studied, as the above chart shows.
While that number has decreased slightly in a few categories over the past few quarters (reflecting incremental progress at getting to enforcement), the failure rate overall has remained fairly stable over the past three quarters.
But why does this matter? Glad you asked.
Introducing the fraud protection rate
Publishing a DMARC record in monitoring-only mode does nothing to protect a domain from being impersonated (spoofed).
Yet that’s just what many companies are doing. While the number of companies deploying DMARC records has more than tripled in the past year, the actual rate of fraud protection remains low.
That’s why we’re introducing the Fraud Protection Rate, as a measure of any given category’s success in using DMARC (and other email authentication standards) to actually inoculate itself against impersonation, aka email fraud.
To find the FPR for any given category, multiply its DMARC usage rate by its enforcement success rate (that is, one minus its enforcement failure rate).
In other words, the FPR is the percentage of companies in a given cohort that are protected from fake email by DMARC records that are syntactically and technically valid, and which have been set to an enforcement policy.
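As an added illustration (not Valimail's own analysis code), the following Python classifies each domain's DMARC record as missing, invalid, monitoring-only or at enforcement, then applies the FPR formula above to a small constructed cohort. The validity rule it uses (a record must begin with v=DMARC1 and carry a p= tag) is an assumed simplification of the "syntactically and technically valid" check described above.

```python
from collections import Counter

ENFORCEMENT = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Tag dict for a DMARC TXT record, or None if syntactically invalid (assumed
    minimum: starts with v=DMARC1 and carries a p= tag)."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag without '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(txt):
    """'none' (no record), 'invalid', 'monitoring' (p=none) or 'enforcement'."""
    if txt is None:
        return "none"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy in ENFORCEMENT:
        return "enforcement"
    return "monitoring" if policy == "none" else "invalid"

def fraud_protection_rate(records):
    """records maps domain -> DMARC TXT string, or None when nothing is published.
    Returns (usage_rate, enforcement_success_rate, fpr) as fractions of 1."""
    counts = Counter(classify(r) for r in records.values())
    total, published = len(records), len(records) - counts["none"]
    if published == 0:
        return 0.0, 0.0, 0.0
    usage = published / total
    success = counts["enforcement"] / published  # 1 - enforcement failure rate
    return usage, success, usage * success

# Constructed cohort of five domains (sample data, not real records).
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",  # monitoring only
    "c.example": "v=DMARC1 p=quarantine",  # missing ';' -> not a valid record
    "d.example": "v=DMARC1; p=quarantine; pct=100",
    "e.example": None,  # no DMARC record published
}
```

For the sample cohort, four of five domains publish a record (80% usage) but only two are valid and at enforcement (50% success), so the FPR is 40%.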
Here’s what we’ve found:
| Category | FPR |
| --- | --- |
| Billion-dollar public companies (n=4,393) | 3.5% |
| Crunchbase unicorns (n=317) | 12.3% |
| Fortune 500 (n=500) | 8.6% |
| Global media companies (n=610) | 3.1% |
| NASDAQ (n=1,689) | 3.3% |
| NYSE (n=1,389) | 5.1% |
| U.S. banks (n=138) | 11.6% |
| U.S. federal government (n=1,315) | 42.9% |
| U.S. health care (n=216) | 5.6% |
| U.S. tech (n=86) | 15.1% |
| U.S. utilities (n=105) | 5.7% |
As you can see, the FPR is in single digits for most industry categories, reflecting the fact that most companies either haven’t yet deployed email authentication, or haven’t succeeded in configuring it completely to a policy of enforcement.
Which Categories Are Ahead?
There are a few standouts.
Thanks to its high rate of DMARC deployment and high success rate, the U.S. federal government again shows leadership here, with a fraud protection rate of nearly 43 percent as of August 2018 (that number continues to rise, by the way, and we’ll have updated numbers on the federal government very soon).
That is a remarkably high figure, and the CIOs and CISOs responsible for this progress deserve congratulations for the progress they have made. There is still some way to go, of course, as 57 percent of federal domains remain open to impersonation by fake emails.
Other groups showing good numbers are large U.S. tech companies, Crunchbase unicorns, and large U.S. banks: all have fraud protection rates above 10 percent.
There is also cause for optimism among U.S. utilities and U.S. health care companies: Their fraud protection rates have been steadily improving for three quarters.
Why This Matters
Email authentication adoption continues to grow, as companies, governments, and nonprofit organizations around the world recognize the importance of stopping impersonation of their domains.
Since impersonation is the primary vehicle through which phishers target and exploit organizations, this growth is a welcome sign of a fundamental secular change in the way email works.
However, email authentication remains challenging for many organizations. Even among those that implement it, most still find it difficult to get their configurations correct, complete the authentication of every service that needs to be authenticated, and move to an enforcement policy.
For companies and other organizations to truly achieve the benefits of authentication, they need to surmount those hurdles. That’s where automated email authentication plays a crucial role.
Want to know more about automated email authentication? Read our free ebook.