Berkeley, California – February 16, 2016 – As DMARC enters its fifth year as an open standard, leading organizations increasingly rely on Domain-based Authentication, Reporting & Conformance (DMARC) to protect their customers from email fraud that impersonates their domains. In 2016, DMARC.org will continue to promote increased use of email authentication to protect consumers, and advocate the use of DMARC to protect employees.

Protecting Employees

The 2015 Verizon Breach Report states that more than two-thirds of incidents that comprise the Cyber-Espionage pattern feature phishing, while major data breach announcements over the past year have dominated the headlines. Recently, the 2016 Cisco Annual Security Report reveals that security professionals are losing confidence year-over-year in their defensive measures, at a time when data breach, Business Email Compromise (BEC) and ransomware have only heightened the risks to organizations large and small. Strong authentication may gain traction in email account protection, but insidious spoof email attacks are likely to rise as a result, making DMARC increasingly critical to guarding employees and consumers.

“DMARC has proven very effective at protecting consumers, but in 2016 organizations should also be deploying DMARC to help protect employees from the kinds of targeted phishing attacks that were so devastating last year,” said DMARC.org executive director Steven M. Jones. “One method of deploying DMARC helps protect customers and partners from messages sent by bad actors that seek to impersonate an organization – this has received a lot of attention over the past four years. The same method can be deployed to help protect employees from receiving messages that impersonate fellow employees, executives, suppliers or vendors. The many high-profile data breaches of 2015, and recent reports of an increasing use of spear phishing against medium-sized and even small businesses, are compelling the second use case.”

“Protecting employees from spear phishing, such as CEO fraud, is becoming increasingly important to prevent the types of major financial losses we have seen recently,” said Michael Osterman, Principal Analyst for Osterman Research. “DMARC can help to dramatically reduce data breaches, financial losses and other problems that can proceed from this kind of cyber attack.”

Protecting Consumers

The majority of consumer mailboxes around the world have been protected by DMARC for several years; in 2016 even stronger measures are being put in place. Google and Yahoo are expanding their use of strict DMARC policies to protect customers from being impersonated by fraudsters who attack their friends and associates. Last week Google’s GMail announced a new feature to show when messages users receive do not pass authentication checks. “The DMARC and ARC protocols are important tools in combating email impersonation, and they support the new features we recently introduced to help users recognize when messages aren’t authenticated,” said John Rae-Grant, Google lead product manager, Gmail.

Brands worldwide that have fully embraced DMARC have seen impressive results. Blocket, Sweden’s largest online marketplace, saw a 99 percent drop in suspicious messages in just three months after implementing DMARC, and phishing remediation costs plummeted. “After we implemented a DMARC reject policy, we saw phishing customer-service tickets drop by more than 70 percent,” said Thomas Bäcker, Head of Customer Security for Blocket.

DMARC: By the Numbers

“GMail now receives more mail from domains that have a DMARC policy in place than don’t,” according to John Rae-Grant. Other large mailbox providers also report higher figures in the 50 percent range, which is a significant increase from the average of 35 percent reported a year ago. Google further reports that more than 162,000 domains have deployed DMARC policies.

The Alexa Top 10,000 web sites saw a 64 percent increase in the number of domains publishing a DMARC policy, compared to a 7 percent gain in SPF records, and an 11 percent decline in domains that didn’t publish either type of record. While this is good progress, in absolute terms only 10.4 percent of the top 10,000 sites had DMARC records at the end of 2015, whereas 63 percent had SPF records. By contrast, the Top 100 sites show 57 percent DMARC and 88 percent SPF adoption.

In other news today, the 2016 DMARC Intelligence Report finds:

  • Of 1,000 global brands surveyed, 29 percent have adopted DMARC—up from 22 percent in 2015.
  • North America maintains the highest adoption rate at 42 percent, while other regions show a strong year-over-year increase.
  • Social media as a vertical continues to lead the fight against phishing with a DMARC adoption rate of 59 percent—up from 51 percent in 2015.
  • Banking, retail, and healthcare sectors are behind the DMARC adoption curve despite being among the most heavily phished industries.

While email threats continue to develop and broaden, trends indicate that brands and organizations across diverse categories are protecting customers, employees, partners, and constituents with DMARC in a global defense against email fraud.

About DMARC.org

DMARC.org is an initiative of the Trusted Domain Project (TDP), a non-profit and tax-exempt public benefit corporation, and is supported by the following sponsors: Agari, Comcast (NASDAQ: CMCSA), Farsight Security, Google (NASDAQ: GOOG), PayPal (NASDAQ: PYPL), and ReturnPath. DMARC.org is dedicated to promoting the use of DMARC and related email authentication technologies to reduce fraudulent email, in a way that can be sustained at Internet scale. More information about DMARC.org is available at the website https://dmarc.org.