February 2015
Introduction
When Domain-based Message Authentication, Reporting and Conformance, or DMARC, was
unveiled by the Internet's biggest brands in January 2012, it was hailed as the most powerful
weapon to date in the fight against phishing and spoofing.
In less than three years, the DMARC standard has reshaped the email fraud landscape, disrupted
longstanding phishing strategies, and forced cybercriminals to abandon preferred targets. Today,
DMARC is still the best remedy in the fight against phishing and spoofing. As its implementation
continues to spread outward from its early adopters, it has the potential to nullify an entire class
of fraud within the next few years.
In this report, we analyzed over 1,000 of the world's largest brands to look at DMARC adoption
rates by region and industry sector, as well as by implementation stage of DMARC. We also
leveraged Return Path's Trusted Cooperative Network to consider DMARC adoption amongst
global and regional ISPs, whose enforcement of DMARC policies is critical.
As proud founding members of DMARC, we continue to support its adoption worldwide, and while
the authentication standard has come a long way since it was unveiled to the world, there is still
a lot to be done in the fight against email fraud and brand abuse. We will continue to be at the
forefront of innovation, helping companies systematically protect themselves, their employees
and their customers.
Robert Holmes
General Manager, Email Fraud Protection
[Table: DMARC adoption by region (EMEA, Latin America, US & Canada, Grand Total), with columns
Sample size, No DMARC Record, and Policy in place. Grand Total: sample size 1049, No DMARC
Record 78%, Policy in place 22%.]
35%
50%
Of messages received by large mailbox providers are from domains protected by DMARC
Increase in messages protected by a DMARC
6x more sources sending DMARC reports over the course of 2014
200%
7/10 top US FDIC banks publish a DMARC record for their primary sending domain
DMARC adoption by vertical

Vertical                  Sample size   DMARC adoption rate
Social media              59            51%
Logistics                 22            41%
Technology                62            35%
Travel                    108           26%
Payment Services          87            22%
Retail/Gaming/eCommerce   269           21%
Public sector             16            19%
Banking                   273           19%
ISP/Telco                 77            16%
Healthcare                76            8%
Total                     1049          22%
Healthcare
[...] systems and data sensitivity, but its DMARC adoption rate is remarkably
lagging, the lowest of all sectors at 8%. With recent data breaches at health
insurers, email fraud protection is surely rising on the list of to-dos for the [...]

Social Media
In contrast, social media networks' DMARC adoption rates lead the world
at 51%. This is not a surprise. Their networks are big, their technology is
new, and their need for information security is acute. Social networks have [...]
on being able to send large volumes of email. Trust is also paramount for
social media brands: when their platform is used as a vehicle to defraud [...]

Retail
While many of the most prominent members of the industry are using the
standard to combat fraud, it may be surprising that all the recent media and
legislative focus on retailer data security hasn't spurred more retail brands
to take action. As with banks, the complexity of retail and ecommerce email
programs may be slowing DMARC adoption. Their messages are often sent [...]

Logistics
[...] fraud protection too, with an overall DMARC adoption rate of 41%. This is [...]

[...] clients.
[Figure: DMARC policy implementation stage (Monitor, Quarantine, Reject, Multiple*) by vertical,
with sample size: Banking, Healthcare, ISP/Telco, Logistics, Payment Services, Public sector,
Retail/Gaming/eCommerce, Social media, Technology, Travel, Total]
* Multiple indicates different sending domains at different stages of DMARC policy
implementation
DMARC in Action:
Benefits Seen by Early Adopters
Implementing DMARC is akin to a
homeowner putting a sign on their
front lawn announcing their property is
alarmed. It tells would-be thieves to pick
another target.
As the chart for a US financial services firm
shows, once they implemented DMARC,
domain-based attacks against their brand
dropped to zero. DMARC not only helps
prevent phishing and spoofing emails from
reaching customers, it can discourage
fraudsters from even attempting to exploit
the DMARC-protected brand.
[Figure: Suspicious Messages per month, Jan to Nov 2014]
their organization.
Edward Tucker, Head of Cyber Security for Her Majesty's Revenue & Customs.
[Figure: quarterly values, Q1 13 to Q4 14]
Regional Coverage
While the overall receiver adoption of DMARC
is trending the right way, the percentage of
consumer inboxes protected by DMARC by
country is not necessarily what one would predict.
Hong Kong: 90%
Russia: 90%
USA: 85%
Turkey: 79%
UK: 75%
Brazil: 75%
Singapore: 75%
Italy: 75%
Australia: 65%
30%
50%
France
50%
Spain
Germany
Conclusion
In the last three years, DMARC adoption has made great strides, both
by email senders and receivers. Across most industry sectors, the early
adopters - and largest brands - have clearly taken the right steps and some
are already reaping the benefits of advanced protection against email fraud
and brand abuse. For the tier two players though, there is a notable long
tail of adoption laggards who have yet to take a proactive stand against
email-borne threats.

For those already on the road to DMARC, quite a bit of work is still needed [...]
with the state of their email operations and comfortable with parsing and
reacting to the DMARC data coming from the ISPs in order to advance the
adoption curve.

[...] fail DMARC authentication could see more of their email delivered to the
spam folder or even blocked. Even without this threat, it is incumbent upon [...]
brand as cover.

[...] spoofing and phishing attacks to both brands and their customers. The [...]
Methodology
Return Path conducted this study using a representative sample of more than 1,049 global companies
across 31 countries from the following indices: Fortune 500, Inc. 5000, DJIA, NASDAQ, S&P, FTSE, and
Forbes 2014 Top 100 Most Recognizable Brands. DMARC adoption data was pulled in February 2015.
Percentages may not add up to 100 due to rounding.
Contact Us
USA (Corporate Headquarters): rpinfo@returnpath.com
Brazil: rpinfo-brazil@returnpath.com
France: rpinfo-france@returnpath.com
United Kingdom: rpinfo-uk@returnpath.com
Australia: rpinfo-australia@returnpath.com
Canada: rpinfo-canada@returnpath.com
Germany: rpinfo-germany@returnpath.com
returnpath.com/stopemailfraud