Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:38 PM
Connect Directly

DMARC Continues To Confound Users, Report Says

Almost three-quarters of those who deploy email authentication standard fail to get its full benefits, ValiMail says.

Relatively few companies are embracing DMARC email authentication, and of those that do, 75% of them aren't using it correctly or getting the enforcement benefit it was designed to deliver, according to a study released today by email security vendor ValiMail.

The company says it examined the email authentication policies of the S&P 500, Fortune 1000, NASDAQ 100, FTSE 100, and three groups from Alexa (top 10,000, 100,000 and 1 million sites). "DMARC adoption rates were below 50% for every measured segment, with percentages dipping into the single digits for some lists," according to ValiMail. Successful enforcement came in even lower, at 12%.

"We were surprised by the large number of companies having a hard time with DMARC," says ValiMail CTO Peter Goldstein. "We were also surprised by the consistency of the failure rate across the board -- you're not seeing an industry segment that's getting it mostly right." DMARC remains a challenge for companies of all sizes, regardless of their resources, he adds, in an interview with Dark Reading.

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. Together, they enable domain owners to publish whitelists of approved senders, receive reports of senders attempting to use their domain names, and then block email from unapproved senders, a process also known as enforcement.

By adopting DMARC, organizations can blunt the impact of email-borne threats like phishing, ransomware, and other advanced attacks. DMARC also is supposed to help rein in "shadow IT" operations like unauthorized email distribution that can impact brand and undercut compliance efforts. The pairing of DMARC and email has been likened by some to SSL and ecommerce, which helped secure ecommerce transactions and fostered greater online use of credit cards.

But wrangling the back ends of email systems and their notoriously complex DNS tables isn't for the faint of heart. Goldstein acknowledges that DMARC is complicated to deploy, and partly explains why ValiMail developed an automated tool to simplify DMARC deployment.

"Getting DMARC configured is difficult for large and small companies," Goldstein tells Dark Reading. In addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it's a challenge to then retrofit them all with DMARC. "Knowing what a MailChimp DNS looks like isn’t something the average IT person does, and there are hundreds of these to parse," Goldstein adds.

Still, DMARC adoption is relatively robust, according to Dan Ingevaldsen, CTO of Easy Solutions, another security vendor. DNS monitoring using DMARC has gone from 20,000 domains to 70,000-80,000 domains in the last year. "It's a huge increase, but if you compare that to the Alexa 1 million, it's obviously a lot smaller," he says.

Some of the new top-level domains (TLDs) like .bank and .secure require deployment of DMARC to use services on those domains, Ingevaldsen added, and more domain providers or registrars request DMARC be deployed by default.

"With DMARC, you are trying to clean up a decentralized, complex environment that's existed for a long time," he explains. "It then becomes a question of visibility into environment: How do you secure what you don't fully understand, or when you don't know where everything is?" These are issues most large organizations grapple with regularly.

Ingevaldsen suggests that DMARC may follow a similar trajectory to the transition from intrusion detection to intrusion prevention. "DMARC has a graduated deployment, like going from IDS to IPS," he says. So, many organizations may be content to remain in monitoring-only mode for an extended period so they can see where emails are going and who's sending them. "Over time, you ratchet it up to reject fraudulent or malicious emails," he says. "This will take time to measure and get to a full blocking policy."

Other relevant data points from the ValiMail DMARC report:

  • DMARC failure rate ranged from 62% to 80%, and had no correspondence to the organization's size; large organizations were as likely to fail at authentication as small ones.
  • DMARC adoption rates were less than 50% for every measured segment, with single-digit percentages for some entities.
  • The NASDAQ 100 checked in with the highest volume of attempted email authentication: 43%; smaller companies are less likely to authenticate, ValiMail finds.

Related Content:


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/7/2016 | 5:12:02 AM
DMARC adoption
The lack of adoption of DMARC. is not its complexity but rather a lack of understanding and interpretation of the results. For me it's equivalent to baking a cake as opposed to building a car engine. I might be biased by saying that the dmarcian dashboard is the best but I consider myself a cook and not an automotive engineer !!
User Rank: Apprentice
12/2/2016 | 8:43:31 AM
The whitelisted senders feature needs clarification
The article states that DMARC allows "enable domain owners to publish whitelists of approved senders" - it is important to keep in mind that "senders" here denotes IP addresses only, not email addresses.

One rather irritating and actually quite bizarre misfeature of the spec for the DMARC reports is that the specification authors appear to think the from: address to be irrelevant.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
PUBLISHED: 2020-09-24
SQL injection exists in the jdownloads 3.2.63 component for Joomla! com_jdownloads/models/send.php via the f_marked_files_id parameter.
PUBLISHED: 2020-09-24
A vulnerability in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on an affected device. The vulnerability is due to improper resource management while processing specific packets. An attacker could exploit this vulnerability by s...
PUBLISHED: 2020-09-24
A vulnerability in the DHCP message handler of Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, remote attacker to cause the supervisor to crash, which could result in a denial of service (DoS) condition. The vulnerability is due to insufficient error...
PUBLISHED: 2020-09-24
A vulnerability in the Umbrella Connector component of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches could allow an unauthenticated, remote attacker to trigger a reload, resulting in a denial of service condition on an affected device. The vulnerability is due to insufficient error h...