Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:38 PM
Connect Directly

DMARC Continues To Confound Users, Report Says

Almost three-quarters of those who deploy email authentication standard fail to get its full benefits, ValiMail says.

Relatively few companies are embracing DMARC email authentication, and of those that do, 75% of them aren't using it correctly or getting the enforcement benefit it was designed to deliver, according to a study released today by email security vendor ValiMail.

The company says it examined the email authentication policies of the S&P 500, Fortune 1000, NASDAQ 100, FTSE 100, and three groups from Alexa (top 10,000, 100,000 and 1 million sites). "DMARC adoption rates were below 50% for every measured segment, with percentages dipping into the single digits for some lists," according to ValiMail. Successful enforcement came in even lower, at 12%.

"We were surprised by the large number of companies having a hard time with DMARC," says ValiMail CTO Peter Goldstein. "We were also surprised by the consistency of the failure rate across the board -- you're not seeing an industry segment that's getting it mostly right." DMARC remains a challenge for companies of all sizes, regardless of their resources, he adds, in an interview with Dark Reading.

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. Together, they enable domain owners to publish whitelists of approved senders, receive reports of senders attempting to use their domain names, and then block email from unapproved senders, a process also known as enforcement.

By adopting DMARC, organizations can blunt the impact of email-borne threats like phishing, ransomware, and other advanced attacks. DMARC also is supposed to help rein in "shadow IT" operations like unauthorized email distribution that can impact brand and undercut compliance efforts. The pairing of DMARC and email has been likened by some to SSL and ecommerce, which helped secure ecommerce transactions and fostered greater online use of credit cards.

But wrangling the back ends of email systems and their notoriously complex DNS tables isn't for the faint of heart. Goldstein acknowledges that DMARC is complicated to deploy, and partly explains why ValiMail developed an automated tool to simplify DMARC deployment.

"Getting DMARC configured is difficult for large and small companies," Goldstein tells Dark Reading. In addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it's a challenge to then retrofit them all with DMARC. "Knowing what a MailChimp DNS looks like isn’t something the average IT person does, and there are hundreds of these to parse," Goldstein adds.

Still, DMARC adoption is relatively robust, according to Dan Ingevaldsen, CTO of Easy Solutions, another security vendor. DNS monitoring using DMARC has gone from 20,000 domains to 70,000-80,000 domains in the last year. "It's a huge increase, but if you compare that to the Alexa 1 million, it's obviously a lot smaller," he says.

Some of the new top-level domains (TLDs) like .bank and .secure require deployment of DMARC to use services on those domains, Ingevaldsen added, and more domain providers or registrars request DMARC be deployed by default.

"With DMARC, you are trying to clean up a decentralized, complex environment that's existed for a long time," he explains. "It then becomes a question of visibility into environment: How do you secure what you don't fully understand, or when you don't know where everything is?" These are issues most large organizations grapple with regularly.

Ingevaldsen suggests that DMARC may follow a similar trajectory to the transition from intrusion detection to intrusion prevention. "DMARC has a graduated deployment, like going from IDS to IPS," he says. So, many organizations may be content to remain in monitoring-only mode for an extended period so they can see where emails are going and who's sending them. "Over time, you ratchet it up to reject fraudulent or malicious emails," he says. "This will take time to measure and get to a full blocking policy."

Other relevant data points from the ValiMail DMARC report:

  • DMARC failure rate ranged from 62% to 80%, and had no correspondence to the organization's size; large organizations were as likely to fail at authentication as small ones.
  • DMARC adoption rates were less than 50% for every measured segment, with single-digit percentages for some entities.
  • The NASDAQ 100 checked in with the highest volume of attempted email authentication: 43%; smaller companies are less likely to authenticate, ValiMail finds.

Related Content:


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/7/2016 | 5:12:02 AM
DMARC adoption
The lack of adoption of DMARC. is not its complexity but rather a lack of understanding and interpretation of the results. For me it's equivalent to baking a cake as opposed to building a car engine. I might be biased by saying that the dmarcian dashboard is the best but I consider myself a cook and not an automotive engineer !!
User Rank: Apprentice
12/2/2016 | 8:43:31 AM
The whitelisted senders feature needs clarification
The article states that DMARC allows "enable domain owners to publish whitelists of approved senders" - it is important to keep in mind that "senders" here denotes IP addresses only, not email addresses.

One rather irritating and actually quite bizarre misfeature of the spec for the DMARC reports is that the specification authors appear to think the from: address to be irrelevant.
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-01
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previousl...
PUBLISHED: 2021-03-01
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request...
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.