Even though the adoption of DMARC has grown over the past year, only 21 percent of Fortune 500 companies are protected from being spoofed, and only 13.9 percent of all domains in the study enforce the standard.
Industry sectors lag substantially behind U.S. government entities, where three-fourths of U.S. federal domains are safeguarded by DMARC enforcement, according to a report from Valimail that analyzed tens of millions of domains belonging to publicly traded and privately held for-profit companies, non-profit organizations, governments and NGOs.
The research found that the 79 percent of Fortune 500 domains that can still be spoofed either have no DMARC record at all or publish DMARC in “monitor mode” (a policy of p=none), which asks receiving mail servers to send reports but not to quarantine or reject failing mail, and so does not protect an organization from an impersonation-based attack, the top cybersecurity compromise vector.
Among the eight private-sector industries analyzed, 36 percent of large banks are enforcing DMARC, up from 29 percent a year ago, and 21 percent of global banks are now protected by DMARC. In contrast, 19 percent of global tech companies and 10 percent of global media companies are DMARC-protected. U.S. healthcare fared worse at 11 percent. Among utilities, which Valimail called “largely unprotected,” 60 percent of the sector’s domains now have DMARC records, but only eight percent are enforcing them.
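The report’s categories (no DMARC, monitor mode, enforcement) come straight from the policy published in a domain’s `_dmarc` TXT record, which is also why a sector can have records on most of its domains yet enforce on only a few. As an added example (not code from the Valimail report or this article), the Python below parses such records and classifies them the same way, including the cases that make a record look protective when it is not: a `pct` below 100, a `sp=none` that leaves subdomains spoofable, a missing `p` tag, and duplicate records, which receivers discard entirely. The TXT strings and domain names (`bank.example` and so on) are constructed sample inputs so it runs offline; to check a real domain, feed it the output of `dig +short TXT _dmarc.<domain>`.

```python
"""Classify DMARC posture from the TXT record(s) published at _dmarc.<domain>.

Added example, not part of the report: it draws the same line as the article
between "no DMARC", "monitor mode" (p=none, reports only) and "enforcement"
(p=quarantine / p=reject). Parsing rules follow RFC 7489 sections 6.3 and 6.6.3.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NO_DMARC = "no DMARC"
MONITOR = "monitor mode (p=none)"
PARTIAL = "partial enforcement (pct<100)"
ENFORCING = "enforcing"

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    p: str                 # policy applied to the organizational domain
    sp: str                # policy applied to subdomains (defaults to p)
    pct: int               # percentage of failing mail the policy applies to
    rua: Optional[str]     # aggregate-report destination, if any
    tags: Dict[str, str] = field(default_factory=dict)


def _looks_like_dmarc(record: str) -> bool:
    """RFC 7489: the version tag must be first and must be exactly DMARC1."""
    first = record.strip().split(";", 1)[0]
    if "=" not in first:
        return False
    key, value = first.split("=", 1)
    return key.strip().lower() == "v" and value.strip() == "DMARC1"


def parse_dmarc(record: str) -> Optional[DmarcRecord]:
    """Parse one TXT record; returns None when it is not a usable DMARC record.

    A record with no valid p tag is treated as p=none only when it carries a
    rua address (the receiver behaviour in RFC 7489 6.6.3); otherwise ignored.
    """
    if not _looks_like_dmarc(record):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    p = tags.get("p", "").lower()
    rua = tags.get("rua")
    if p not in VALID_POLICIES:
        if not rua:
            return None
        p = "none"

    sp = tags.get("sp", p).lower()
    if sp not in VALID_POLICIES:
        sp = p

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if not 0 <= pct <= 100:
        pct = 100
    return DmarcRecord(p=p, sp=sp, pct=pct, rua=rua, tags=tags)


def classify(txt_records: List[str], subdomain: bool = False) -> str:
    """Reduce the TXT records at _dmarc.<domain> to one posture label.

    subdomain=True evaluates what a receiver applies to mail from
    sub.<domain>, which is governed by sp rather than p.
    """
    candidates = [r for r in txt_records if _looks_like_dmarc(r)]
    # More than one DMARC record terminates DMARC processing (RFC 7489 6.6.3).
    if len(candidates) != 1:
        return NO_DMARC
    rec = parse_dmarc(candidates[0])
    if rec is None:
        return NO_DMARC
    policy = rec.sp if subdomain else rec.p
    if policy == "none":
        return MONITOR
    if rec.pct < 100:
        return PARTIAL
    return ENFORCING


# Constructed sample records (hypothetical domains), one per edge case.
SAMPLES = {
    "bank.example":    ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "media.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@media.example"],
    "utility.example": ["v=DMARC1; p=quarantine; pct=20; sp=none"],
    "tech.example":    ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "health.example":  ["v=spf1 -all"],
    "nohost.example":  [],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:16} org: {classify(records):32} "
              f"subdomains: {classify(records, subdomain=True)}")
```

Two of the sample cases are worth noting. `utility.example` has a record and a quarantine policy, so it would count as "has DMARC" in the report’s first number, yet with `pct=20` only a fifth of failing mail is acted on, and `sp=none` means any subdomain can be spoofed freely. `tech.example` publishes two records, which is treated by receivers as no policy at all, a misconfiguration that is easy to introduce when two teams each add a record.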
The relatively high federal government rate of 70 percent of its domains DMARC-protected is attributed to the U.S. Department of Homeland Security mandating DMARC in 2017 (Binding Operational Directive 18-01) as policy for all non-military, non-intelligence domains within the executive branch. In response to rampant COVID-19 phishing schemes, the industry group M3AAWG last month also urged DMARC enforcement, a call endorsed by the FTC.
More than one million domains now use DMARC, Valimail estimated, while pointing out that hundreds of millions of domains are either unused or are being used by spammers, phishers and other attackers for deception campaigns.
“Many of these phishing domains also utilize DMARC, but are not included in Valimail’s analysis,” according to the study, which is limited to domains for which the company can attribute, with reasonable confidence, the existence of a real-world organization or entity of some kind.
“As a result, we believe that the numbers in the following pages are the most accurate and representative picture of DMARC adoption among legitimate organizations and domain owners,” Valimail said.