
DMARC Intelligence Report

February 2015

Introduction
When Domain-based Message Authentication, Reporting and Conformance, or DMARC, was
unveiled by the Internet's biggest brands in January, 2012, it was hailed as the most powerful
weapon to date in the fight against phishing and spoofing.
In less than three years, the DMARC standard has reshaped the email fraud landscape, disrupted
longstanding phishing strategies, and forced cybercriminals to abandon preferred targets. Today,
DMARC is still the best remedy in the fight against phishing and spoofing. As its implementation
continues to spread outward from its early adopters, it has the potential to nullify an entire class
of fraud within the next few years.
In this report, we analyzed over 1,000 of the world's largest brands to look at DMARC adoption
rates by region and industry sector, as well as by implementation stage of DMARC. We also
leveraged Return Path's Trusted Cooperative Network to consider DMARC adoption amongst
global and regional ISPs, whose enforcement of DMARC policies is critical.
As proud founding members of DMARC, we continue to support its adoption worldwide and while
the authentication standard has come a long way since it was unveiled to the world, there is still
a lot to be done in the fight against email fraud and brand abuse. We will continue to be at the
forefront of innovation, helping companies systematically protect themselves, their employees
and their customers.
Robert Holmes
General Manager, Email Fraud Protection

DMARC Intelligence Report February 2015 page 2 | Share this:

DMARC Sender Adoption


Growth Worldwide
Return Path analyzed over 1,000 global brands across 31 countries and looked at companies with a published
DMARC record. Overall, we found that 22% of the companies surveyed were publishing a DMARC record and so
had taken first steps towards better email fraud protection. This is encouraging, but shows some stark regional
differences: while North American email senders have a relatively high DMARC adoption rate amongst some of
the world's best-known brands (33%), other regions are lagging far behind with between 12% and 15% adoption.

Region                     Sample size   No DMARC Record   Policy in place
Australia & New Zealand    76            88%               12%
EMEA                       395           88%               12%
Latin America              81            85%               15%
US & Canada                497           67%               33%
Grand Total                1049          78%               22%


35% of messages received by large mailbox providers are from domains protected by DMARC
50% more sending domains publishing DMARC records over the course of 2014
200% increase in messages protected by a DMARC reject policy over the course of 2014
6x more sources sending DMARC reports over the course of 2014
7/10 top US FDIC banks publish a DMARC record for their primary sending domain

Source: DMARC.org (Feb 2015)


DMARC Sender Adoption Rate by Vertical


Although the biggest and most progressive brands within key
verticals have been the first to embrace the standard, and
the average DMARC adoption rate overall among senders
has climbed to 22%, some verticals have been notably slower
to take action against email fraud.

Vertical                   Sample Size   DMARC Adoption
Social media               59            51%
Logistics                  22            41%
Technology                 62            35%
Travel                     108           26%
Payment Services           87            22%
Retail/Gaming/eCommerce    269           21%
Public sector              16            19%
Banking                    273           19%
ISP/Telco                  77            16%
Healthcare                 76            8%
Total                      1049          22%

Banking

Despite relatively high DMARC adoption rates among large
banks--including half of the world's ten largest--only 19% of
the banks included in this analysis are using the standard
today. One possible explanation for such low adoption in the
face of clear risk is that this industry's legacy IT systems tend
to be more complex compared to newer industries like social
media companies. Their email ecosystems tend to be more
complex, too, underpinning a broad array of functions (from
transactional to informational) across multiple brands and
multiple geographies. Banks also have lower tolerance than
others for the risks that system-wide changes represent,
making DMARC adoption more challenging for their security
and IT teams.


Healthcare

The healthcare industry faces similar challenges with complex legacy
systems and data sensitivity, but its DMARC adoption rate is remarkably
lagging, the lowest of all sectors at 8%. With recent data breaches at health
insurers, email fraud protection is surely rising on the list of to-dos for the
industry's Information Security professionals.

Retail

Retailers, too, have lagged other verticals. Despite the Anti-Phishing
Working Group (APWG) reporting that retailers are increasingly targeted
by phishers (6.5% of total phishing attacks in 2012 compared to 16.5% in
2014 [1]), DMARC adoption across the retail/ecommerce vertical is only 21%.
While many of the most prominent members of the industry are using the
standard to combat fraud, it may be surprising that all the recent media and
legislative focus on retailer data security hasn't spurred more retail brands
to take action. As with banks, the complexity of retail and ecommerce email
programs may be slowing DMARC adoption. Their messages are often sent
from multiple domains, including third party providers' systems, affiliates,
and disparate internal brands and departments. The level of operational
coordination and sophistication required for retail brands to implement
DMARC may take more time and effort.

Social Media

In contrast, social media networks' DMARC adoption rates lead the world
at 51%. This is not a surprise. Their networks are big, their technology is
new, and their need for information security is acute. Social networks have
a lot of personal information to protect, and their business models depend
on being able to send large volumes of email. Trust is also paramount for
social media brands: when their platform is used as a vehicle to defraud
users, or user accounts are compromised, the impact of these attacks on
their user base can be exponential, eroding trust at lightning speeds.

Logistics

Logistics providers, such as global shipping companies, are leaders in email
fraud protection too, with an overall DMARC adoption rate of 41%. This is
another highly vulnerable vertical, so its early recognition of DMARC's value
is no surprise; these brands need to send a lot of transactional emails, and
their core missions are based on delivering time-critical information to their
clients.

[1] APWG Phishing Activity Trends Report, Q2 14


DMARC Policy Implementation by Vertical


Next, let's look at the breakdown of DMARC
policy applied amongst the global brands that
have implemented it: monitor, quarantine
and reject. A policy of monitor is used
when first implementing DMARC. This helps
senders identify sending domains that are
failing authentication, and would otherwise
be blocked by email providers if the sender's
policy was set to reject. The quarantine policy
tells email providers to set aside emails that
fail authentication. Generally, emails that fail
authentication with a quarantine policy see
email delivered to the spam or junk folder. The
reject policy directs email providers to do just
that -- block messages that fail authentication.

A large percentage of senders have
implemented a monitor policy, signifying
adoption of the DMARC standard but not
commitment to stringent email operations
required to fully block malicious emails
with a reject policy. Three industry sectors
are showing the strongest level of DMARC
implementation, instructing mailbox providers
to block suspected fraudulent messages:
payment services (32%), social media (40%),
and logistics (44%).

[Chart: share of Monitor, Quarantine, Reject and Multiple* policies by vertical (Banking, Healthcare, ISP/Telco, Logistics, Payment Services, Public sector, Retail/Gaming/eCommerce, Social media, Technology, Travel, Total), with "Sample size" and "Sample (policy only)" per vertical.]

* Multiple indicates different sending domains at different stages of DMARC policy implementation
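The stage labels used above map directly onto the p= tag of the TXT record a sender publishes at _dmarc.<domain>. The following is an added example, not code from Return Path or from the report: it classifies records into Monitor, Quarantine, Reject and Multiple and computes an adoption rate. The brand names, domains and records are constructed, and the rule that only domains with a published record decide a brand's stage is an assumption.

```python
from collections import Counter

STAGES = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}
NO_RECORD = "No DMARC Record"

def parse_dmarc(txt):
    """Parse the TXT string found at _dmarc.<domain>; None if it is not DMARC."""
    tags = {}
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep:
            return None
        if i == 0 and (name, value) != ("v", "DMARC1"):
            return None  # the version tag has to come first
        tags.setdefault(name, value)
    return tags or None

def domain_stage(txt):
    """Map one domain's record to the report's stage labels."""
    tags = parse_dmarc(txt) or {}
    # Simplification: a record without a recognised p= counts as no record.
    return STAGES.get(tags.get("p", "").lower(), NO_RECORD)

def brand_stage(records):
    """records maps domain -> TXT string or None. Assumption: only domains that
    publish a record decide the stage; different stages give 'Multiple'."""
    stages = {domain_stage(t) for t in records.values()} - {NO_RECORD}
    if len(stages) > 1:
        return "Multiple"
    return stages.pop() if stages else NO_RECORD

def adoption(brands):
    """Return (share of brands with a policy in place, Counter of stages)."""
    counts = Counter(brand_stage(r) for r in brands.values())
    return 1 - counts[NO_RECORD] / len(brands), counts

# Constructed sample data: brand names and example.* domains are placeholders.
SAMPLE = {
    "bank": {"example.com": "v=DMARC1; p=reject; rua=mailto:agg@example.com"},
    "shop": {"example.net": "v=DMARC1; p=none; rua=mailto:agg@example.net",
             "mail.example.net": "v=DMARC1;p=quarantine;pct=50"},
    "clinic": {"example.org": None},           # nothing published
    "telco": {"example.edu": "v=spf1 -all"},   # an SPF string, not DMARC
}

if __name__ == "__main__":
    rate, counts = adoption(SAMPLE)
    print(f"policy in place: {rate:.0%}", dict(counts))
```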


DMARC in Action:
Benefits Seen by Early Adopters
Implementing DMARC is akin to a
homeowner putting a sign on their
front lawn announcing their property is
alarmed. It tells would-be thieves to pick
another target.
As the chart for a US financial services firm
shows, once they implemented DMARC,
domain-based attacks against their brand
dropped to zero. DMARC not only helps
prevent phishing and spoofing emails from
reaching customers, it can discourage
fraudsters from even attempting to exploit
the DMARC-protected brand.

[Chart: Suspicious Messages by month, Jan to Nov 2014, with the point marked "DMARC Block Deployed". Source: Return Path Customer (US financial services company)]

In the case of the UK's HM Revenue &
Customs department (HMRC), DMARC
has been integral to the dramatic results
they have achieved, allowing for close
monitoring of mail flows using their active
and defensively registered domains,
helping them reduce malicious email
targeting UK taxpayers by impersonating
their organization.

"Simply put, the DMARC standard works. In a blended approach
to fight email fraud, DMARC represents the cornerstone of
technical controls that commercial senders can implement
today to rebuild trust and retake the email channel for
legitimate brands and consumers."

Edward Tucker, Head of Cyber Security for Her Majesty's Revenue & Customs.


DMARC Receiver Adoption Worldwide


While DMARC adoption rates among brands and senders
of email vary widely by vertical and region, the adoption
rate among receivers of email (ISPs) has risen dramatically
over the past two years. In January 2013, a mere six
mailbox providers had adopted DMARC, albeit some of
the world's largest providers. As of December 2014, that
number had increased to 142 protecting some 2.43 billion
inboxes worldwide.

Since launching with Yahoo!, Google, Microsoft, AOL, and
Comcast, DMARC has added a slew of other private and
public sector domains. These receivers take phishing and
spoofing seriously and have acted to help you prevent it.

[Chart: Number of Receivers Worldwide Adopting DMARC, by quarter from Q1 13 to Q4 14. Source: Return Path Trusted Cooperative Network - February 2015]

Regional Coverage
While the overall receiver adoption of DMARC
is trending the right way, the percentage of
consumer inboxes protected by DMARC by
country is not necessarily what one would predict.

Hong Kong and Russia lead the world in DMARC
inbox protection with 90% coverage, followed by
the United States at 85%, then Turkey at 79%.
Germany has the lowest percentage of inboxes
protected (30%), with Spain and France tied
for second lowest at 50%. However, with some
large regional ISPs already engaged in DMARC
implementation, we expect these adoption rates
to increase significantly over the next 2 quarters.

Country      Consumer inboxes protected by DMARC
Hong Kong    90%
Russia       90%
USA          85%
Turkey       79%
UK           75%
Brazil       75%
Singapore    75%
Italy        75%
Australia    65%
France       50%
Spain        50%
Germany      30%

Source: Return Path Trusted Cooperative Network February 2015


Conclusion
In the last three years, DMARC adoption has made great strides, both
by email senders and receivers. Across most industry sectors, the early
adopters - and largest brands - have clearly taken the right steps and some
are already reaping the benefits of advanced protection against email fraud
and brand abuse. For the tier two players though, there is a notable long
tail of adoption laggards who have yet to take a proactive stand against
email-borne threats.

For those already on the road to DMARC, quite a bit of work is still needed
to move the adoption curve through Quarantine to Reject policies,
implying that whilst DMARC is perceived to be valuable, its practical
implementation remains difficult. Senders need to be acutely familiar
with the state of their email operations and comfortable with parsing and
reacting to the DMARC data coming from the ISPs in order to advance the
adoption curve.

There may be additional incentive on the horizon: some mailbox providers
have suggested that DMARC authentication could become part of their
inbox placement decision making in the future. Senders whose messages
fail DMARC authentication could see more of their email delivered to the
spam folder or even blocked. Even without this threat, it is incumbent upon
senders to protect people from being victimized by fraudsters using their
brand as cover.

Recent headlines are serving as a relentless reminder of the cost of
spoofing and phishing attacks to both brands and their customers. The
question to all reputable companies out there is no longer "Should we
implement DMARC?" but rather "Can we afford not to?"
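The DMARC data coming from the ISPs arrives as XML aggregate reports (the RFC 7489 format). The following is an added example, not code from Return Path or from the report: it tallies, per sending source, the messages that a reject policy would have blocked, which is the review a sender makes while still on a monitor policy. The report contents, the addresses and the min_fail_share threshold are constructed for illustration, and the parser assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout; every value is sample
# data and the addresses come from the documentation ranges.
REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>60</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>1200</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def tally_sources(xml_text):
    """Per source IP, count messages that pass DMARC (aligned DKIM or SPF pass)
    and messages that fail both, which a reject policy would have blocked."""
    # Reports arrive from third parties and never need a DTD, so refuse one
    # instead of letting the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in an aggregate report")
    totals = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        bucket = totals.setdefault(ip, {"pass": 0, "fail": 0})
        bucket["pass" if "pass" in results else "fail"] += count
    return totals

def sources_to_review(totals, min_fail_share=0.05):
    """Sources whose failing share is high enough to need a decision (fix
    authentication, or accept that the mail is not yours) before p=reject."""
    flagged = []
    for ip, t in totals.items():
        total = t["pass"] + t["fail"]
        share = t["fail"] / total if total else 0.0
        if share >= min_fail_share:
            flagged.append((ip, t["fail"], round(share, 2)))
    return sorted(flagged, key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, failed, share in sources_to_review(tally_sources(REPORT)):
        print(f"{ip}: {failed} failing messages ({share:.0%} of its mail)")
```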


Methodology
Return Path conducted this study using a representative sample of more than 1,049 global companies
across 31 countries from the following indices: Fortune 500, Inc. 5000 DJIA, NASDAQ, S&P, FTSE, and
Forbes 2014 Top 100 Most Recognizable Brands. DMARC adoption data was pulled in February 2015.
Percentages may not add up to 100 due to rounding.

About Return Path


The world's biggest brands rely on Return Path to keep them connected to their customers.
We analyze the world's largest collection of email data to show marketers how to stay connected to
their audiences, strengthen their customer engagement, and protect their brands from fraud. Our
solutions help mailbox providers around the world deliver great user experiences and build trust in
email by ensuring that wanted messages reach the inbox while spam and abuse don't. Consumers
use Return Path technology to manage their inboxes and make email work better for them.

Contact Us
USA (Corporate Headquarters): rpinfo@returnpath.com
Brazil: rpinfo-brazil@returnpath.com
France: rpinfo-france@returnpath.com
United Kingdom: rpinfo-uk@returnpath.com
Australia: rpinfo-australia@returnpath.com
Canada: rpinfo-canada@returnpath.com
Germany: rpinfo-germany@returnpath.com

returnpath.com/stopemailfraud
