Number of spoof attempts on domains drops to “near zero” within months of DMARC enforcement

In a new study on DMARC usage and success, email cybersecurity company Vailmail found that spoof attempts drop to nearly zero “within a few months after that domain moves to DMARC enforcement.” There has been a steady increase in organizations using Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a security measure against domain spoofing but enforcement continues to be the main struggle for most enterprises. The report found that, “of the 933,000 organizational domains with DMARC, just 13% are at enforcement.”

SEE: Microsoft Azure: An insider’s guide (free PDF) (TechRepublic)

The report, written by Valimail vice president of communications Dylan Tweney, found that nearly 80% of inboxes worldwide and almost all U.S. email providers perform DMARC investigations of incoming email messages, generally enforcing whatever policy was laid out by the owner of the domain. But thousands of domain owners are not configuring enforcement policies, which can tell mail receivers to reject all non-authenticated emails or quarantine them. 

“If they don’t do so, then mail receivers will not take any particular actions on email that appears to come from the domain but which fails authentication,” the report said, adding that what makes the 13% figure more troubling is that it continues to decline over time. 

Phishing is increasingly becoming one of the most costly attacks businesses face on a day-to-day basis, with the FBI estimating that $1.7 billion was lost in 2019 alone because of business email compromise attacks. According to the report, when you combine the numbers for email-based attacks using people or brand impersonations, almost 90% of all attacks, “rely on deceptive sender identity, also known as spoofing, and email remains the single largest vector for initiating cyberattacks of all kinds.”

The good news is that certain industries are doing a better job configuring enforcement policies. Nearly 80 percent of US federal government domains have DMARC records and of those 93%. These high numbers are due mostly to a Department of Homeland Security directive in 2017 mandating DMARC at enforcement for most executive branch domains by January 2018.

The report found that the government’s success was rooted in the fact that the mandate was “clearly worded, included specific guidance for agencies to follow and was coupled with tools that agencies could use to check their status and interpret DMARC data.”

Banks, financial services companies and billion-dollar companies also had relatively high numbers of primary domains with DMARC records, with most hovering around 50%. But with enforcement, these industries lagged behind with percentages between 20% and 35%.

SEE: How some presidential campaigns use DMARC to protect their domains from being spoofed (TechRepublic) 

Fortune 500 companies deployed DMARC at a rate of about 67%, with only 25% of those at enforcement. Media companies were not doing a good job with only 43% of the companies in that industry having a DMARC record and a minimal success rate of 22%. 

In total, Tweney found that 933,973 domains have published DMARC records, representing a 180% increase compared to two years ago and 70% compared to the year before. 

“Given DMARC’s benefits, it comes at no surprise its rate of adoption has been growing consistently,” said Alexander García-Tobar, CEO and co-founder of Valimail. 

“But publishing a DMARC record is just the first step — enforcement must be reached before a domain is protected, and trust can be restored to email. There’s an additional downside to not getting to enforcement: Our research demonstrates that domains without DMARC policies at enforcement are spoofed nearly four times more often compared to domains with DMARC at enforcement. This is because fraudsters give up trying to spoof a domain once they realize it doesn’t work, and move on to easier targets.”

The report added that in addition to near total decreases in the rate of fraudulent activity for domains within a few months of getting enforcement, Tweney found that domains without DMARC enforcement were spoofed 3.93 times more often compared with domains at DMARC enforcement.

Tweney also noted where much of the world’s spoofed emails were coming from. 

“One percent of global email volume, at a minimum, is sent using a spoofed domain. The United States remains the largest source of spoofed email by volume. Vietnam, Russia, China, and India continue to have a high proportion of spoofs among email originating from those countries,” Tweney wrote. 

Also see