February 18, 2015 To mark the third anniversary of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, first introduced by a group of email industry leaders—including Return Path—in 2012, the company has launched its DMARC Intelligence Report to measure the early adoption rate among global brands. DMARC combats email fraud, specifically the increasingly prevalent global threats from phishing and spoofing. The report found that of the 1,000 brands surveyed, 22 percent of them had already adopted DMARC. This is a positive uptake for such a new standard, and the growing momentum is helping to reshape the email fraud landscape and force cybercriminals to abandon preferred targets.
The report also uncovered differing pace of DMARC uptake across verticals. For example banks and retailers were surprisingly behind the curve despite being two of the most prolifically phished industries, while social media network companies lead the way with a 51 percent adoption rate.
These early adopters of DMARC have typically implemented a policy of ‘monitor’ while there is a much slower uptake on the stringent email operations required to fully block malicious emails with a ‘reject’ policy. This implies that while there is a general understanding of the value of DMARC, there is still scope to benefit from the full range of security functions available.
Since DMARC launched initially with Yahoo!, Google, Microsoft, AOL and Comcast, recognition has increased rapidly to encompass 142 mailbox providers protecting more than 2.3 billion inboxes worldwide. Return Path’s 2015 report found more advanced adoption in key global markets such as the US (85% of inboxes) and the UK (75% of inboxes), indicating the commitment from major mailbox providers in ensuring their users are protected from fraudulent mail attacks, and that legitimate emails are delivered correctly to the inbox. Their commitment may go further in the future, as some mailbox providers have discussed making DMARC authentication part of their inbox placement decision making, meaning a lot more senders could see their emails being blocked or delivered to the spam folder. However, even without this threat, it is incumbent upon senders to protect their email subscribers and take actionable steps to prevent their brands from being phished.
There is still a lot of scope for email marketers and IT security teams to utilize DMARC and create meaningful and effective email campaigns. Rob Holmes, General Manger, Email Fraud Protection, Return Path said; “After the early adoption by big name brands, this is now the perfect opportunity for the next wave of adopters who have seen the success of DMARC and want to implement the same level of protection to their brand. As proud founding members of DMARC, we are pleased to be part of such an industry-changing technology and this latest research further strengthens our mission to be at the forefront of innovation, helping companies systematically protect themselves, their employees and their customers.”
Seeing the results of DMARC authentication
DMARC authentication is proven to be successful: one major US financial services firm experienced a drop in domain-based attacks against their brand to zero after implementing DMARC. Similarly, the UK’s HM Revenue & Customs department has cited DMARC as being integral to the dramatic results they have seen on the number of malicious emails being sent to UK taxpayers.
“Simply put, the DMARC standard works”, said Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs. “In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”
Return Path conducted this study using a representative sample of more than 1,049 global companies across 31 countries from the following indices: Fortune 500, Inc. 5000 (Revenue > $50MM), DJIA, NASDAQ, S&P, FTSE, Nikkei, and Forbes 2014 ‘Top 100 Most Recognizable Brands‘. DMARC adoption data was pulled in February 2015. Percentages may not add up to 100 due to rounding.