Majority of enterprise domains still not protected from email impersonation
Despite growing adoption of DMARC technology, fewer than 10 percent of enterprise email domains are protected from impersonation according to a new report from Valimail.
Valimail found that 850,000 domains worldwide now have DMARC records, a five times increase since 2016. However, fewer than 17 percent of global DMARC records are at enforcement -- meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes.
Among large companies though, only one in five enterprise DMARC records is at enforcement, a significant factor in the wild success of business email compromise (BEC) attacks, which has produced more than $26 billion in losses in the past three years.
"The identity crisis of email has never been more apparent," says Alexander García-Tobar, CEO and co-founder of Valimail. "Phishing is implicated in more than 90 percent of all cyberattacks, and the vast majority of phishing emails leverage impersonation. This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world’s most common forms of communication."
Even among technology companies less than half of DMARC records are at enforcement, and in most industry categories under 10 percent of enterprise domains are protected from impersonation. The US government -- which traditionally lags behind the private sector when it comes to security readiness -- is leading the way here and has achieved an impressive 93 percent of DMARC records at enforcement. This is up slightly from 91 percent since Valimail's last research report, an indication that the government sector is proactively tackling the problem of email identity.
The full report is available from the Valimail site.