The adoption rate of the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard has doubled in the year following the implementation mandate by Google and Yahoo. Despite this progress, email threats continue to pose a significant risk, delivering payloads and directing unsuspecting users to phishing sites.
Since February 2024, bulk email senders, defined as companies sending more than 5,000 email messages daily, were required to utilize DMARC. This standard uses authentication specifications like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to verify the legitimacy of emails, making it harder to spoof legitimate brands or companies.
According to data published by cyber-resilience firm Red Sift, the adoption of DMARC increased by approximately 2.3 million domains in the past year. However, this still leaves 87% of domains without a DMARC record. Adoption rates vary across regions, with countries like Austria, Japan, and Indonesia showing significant growth.
Sean Costigan, managing director of resilience strategy at Red Sift, emphasizes the importance of improved adoption rates in the private sector. He highlights the role of DMARC in reducing spoofing, phishing, and other cybercrimes, noting that some industries like healthcare still struggle to surpass 40-50% adoption.
Google reported a substantial decrease in unauthenticated emails, with Gmail users encountering 265 billion fewer such emails in 2024. During the holiday season that typically sees a surge in phishing attacks, users experienced 35% fewer scams, according to Neil Kumaran, group product manager at Google.
Despite the positive impact of DMARC, threats persist as attackers adapt to new tactics. Roger Grimes, a data-driven-defense evangelist at KnowBe4, notes that attackers now employ subdomain attacks to bypass DMARC checks, allowing them to send deceptive emails from subdomains that appear legitimate.
In response to evolving threats, the adoption of DMARC is likely to accelerate, driven by regulatory requirements like the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 and the European Union’s Digital Operational Resilience Act (DORA). These mandates emphasize the importance of proactive cybersecurity measures like DMARC to mitigate risks and ensure compliance.
Furthermore, experts recommend companies transition from “none” to “quarantine” to “reject” policies under DMARC and consider adopting Brand Indicators for Message Identification (BIMI) for enhanced email security. While these measures do not eliminate malicious emails entirely, they provide organizations with more reliable signals to filter out unwanted messages and potential threats.
Overall, the increased adoption of DMARC signifies progress in enhancing email security and combating cyber threats. By leveraging authentication standards like DMARC and embracing additional security measures, organizations can bolster their defenses and minimize the risk of falling victim to email-based attacks.