
Phishing Protection: Why Are so Few Using DMARC?

Brad Slavin, General Manager
Updated April 16, 2026


What if there existed a technology that could dramatically lower the chances of your domains being spoofed and used for phishing attacks on recipients? Would you take advantage of it? Probably not, because the technology does exist and almost nobody is using it. And the reasons why are confounding.

“The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’” says Vasile Diaconu, Operations Lead at DuoCircle. DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.

According to the FBI’s 2022 Internet Crime Report (IC3), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses.

The technology is called DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance. “It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.”

Why does DMARC matter? “DMARC is the first and only widely deployed technology that can make the ‘header from’ address (what users see in their email clients) trustworthy. Not only does this help protect customers and the brand, it discourages cybercriminals who are less likely to go after a brand with a DMARC record.”


According to an article on TechRepublic, “nearly 80% of websites have no DMARC policy in place, increasing the odds that their domain will be spoofed and used for phishing attacks on customers, according to 250ok’s Global DMARC Adoption 2019 report.”

“DMARC is considered the industry standard for email authentication to prevent attacks in which hackers send malicious emails via counterfeit web addresses, the report said.”

How widespread is the problem? “Only 23% of companies in the Fortune 500 have some form of DMARC policy despite being the largest US companies by revenue.”

To make matters worse, most 2020 Presidential campaigns are not using it. “[M]ost of the political campaigns of current major party candidates for next year’s U.S. presidential elections are failing to implement proper Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to protect their donors and voters from phishing attacks that could lead to fraud.”


There are really only two possible explanations for the low adoption rate of DMARC. Either organizations don’t understand DMARC or they don’t care.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok.

The other possibility is that they don’t care. DMARC isn’t really used to protect you; it’s used to protect others, the recipients of mail that claims to come from your domain. And maybe that’s the reason. Implementing DMARC means being a good neighbour, and perhaps that isn’t sufficient motivation, but it should be.

When you’re ready to be a good neighbour and implement advanced phishing protection technology like SPF, DKIM and DMARC, get our true real-time phishing prevention. Try it risk-free for 30 days.

Brad Slavin, General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
