It’s time to enforce DMARC

The state of the DMARC email authentication and security standard appeared promising at the beginning of 2024. Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy. In response, the number of email domains with a valid DMARC record saw a significant 60% increase in just two months. By September, nearly 6.8 million domains had implemented email sender authentication.

Despite this initial surge, many businesses are still slow in setting up email authentication on their domains, particularly in transitioning from DMARC’s minimum-baseline policy of ‘p=none’ to stricter policies. The share of DMARC-enabled domains with an enforced policy has actually decreased from 18% to less than 14% over the past year. According to Seth Blank, the chief technology officer at Valimail, while Google’s and Yahoo’s actions prompted many companies to adopt DMARC, a large portion of the market has yet to take any steps towards implementation.

The DMARC protocol aims to enhance the authentication of emails by requiring senders to adopt two verification technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – and specify a policy for handling mail from unauthorized senders. The requirement by Google and Yahoo for email marketers sending over 5,000 emails daily to set up DMARC resulted in a significant decrease in unauthenticated emails, notably reducing the number of unauthenticated messages sent to Gmail users.

The adoption rate of DMARC has doubled over the past year, but there is still a long way to go for widespread implementation. While some industries like manufacturing and healthcare have shown higher adoption rates, only a small fraction of organizations have transitioned to the highest security policy (‘p=reject’). Concerns about potential message loss due to stricter enforcement and the complexity of implementing DMARC have contributed to the sluggish adoption.

Looking ahead, experts predict that major email services like Google and Yahoo are likely to push for stricter DMARC enforcement in the future. The move towards higher levels of enforcement, such as ‘p=quarantine’ or ‘p=reject,’ will be essential for organizations to enhance email security and prevent unauthorized messages from reaching recipients. Monitoring DMARC reports and addressing any issues or anomalies will be crucial for companies to improve their email security posture and ensure legitimate messages are delivered.

In conclusion, while the initial momentum of DMARC adoption was positive, there is still work to be done to achieve widespread implementation and enforcement of email authentication standards. With the support of major email providers and a focus on improving security practices, organizations can enhance their email security posture and protect against phishing and spoofing attacks.
