ReturnPath-DMARCIntelligenceReport

DMARC Intelligence Report February 2015

Introduction

When Domain-based Message Authentication, Reporting and Conformance (DMARC) was unveiled by the Internet’s biggest brands in January 2012, it was hailed as the most powerful weapon to date in the fight against phishing and spoofing. In less than three years, the DMARC standard has reshaped the email fraud landscape, disrupted longstanding phishing strategies, and forced cybercriminals to abandon preferred targets. Today, DMARC is still the best remedy in the fight against phishing and spoofing. As its implementation continues to spread outward from its early adopters, it has the potential to nullify an entire class of fraud within the next few years. In this report, we analyzed over 1,000 of the world’s largest brands to look at DMARC adoption rates by region and industry sector, as well as by implementation stage of DMARC. We also leveraged Return Path’s Trusted Cooperative Network to consider DMARC adoption amongst global and regional ISPs, whose enforcement of DMARC policies is critical. As proud founding members of DMARC, we continue to support its adoption worldwide. While the authentication standard has come a long way since it was unveiled to the world, there is still a lot to be done in the fight against email fraud and brand abuse. We will continue to be at the forefront of innovation, helping companies systematically protect themselves, their employees and their customers.

Robert Holmes
General Manager, Email Fraud Protection

DMARC Sender Adoption Growth Worldwide

Return Path analyzed over 1,000 global brands across 31 countries and looked at companies with a published DMARC record. Overall, we found that 22% of the companies surveyed were publishing a DMARC record and so had taken first steps towards better email fraud protection. This is encouraging, but shows some stark regional differences: while North American email senders have a relatively high DMARC adoption rate amongst some of the world’s best-known brands (33%), other regions are lagging far behind with between 12% and 15% adoption.

Region                    No DMARC record   Policy in place
Australia & New Zealand   88%               12%
EMEA                      88%               12%
US & Canada               67%               33%
Latin America             85%               15%
Grand Total               78%               22%

Sample sizes shown on the chart: 1049 in total; 76, 395, 81 and 497 across the four regions.

Infographic (Source: DMARC.org, Feb 2015):

- Share of messages received by large mailbox providers that are from domains protected by DMARC
- More sending domains publishing DMARC records over the course of 2014
- Increase in messages protected by a DMARC “reject” policy over the course of 2014
- More sources sending DMARC reports over the course of 2014
- Top US FDIC banks publish a DMARC record for their primary sending domain

Figures shown on the infographic against these statements: 6x, 7/10, 35%, 50%, 200%.

DMARC Sender Adoption Rate by Vertical

Although the biggest and most progressive brands within key verticals have been the first to embrace the standard, and the average DMARC adoption rate overall among senders has climbed to 22%, some verticals have been notably slower to take action against email fraud.

Vertical                  Sample size   DMARC adoption
Total                     1049          22%
Social media              59            51%
Technology                62            35%
Travel                    108           26%
Payment Services          87            22%
Logistics                 22            41%
Public sector             16            19%
ISP/Telco                 77            16%
Healthcare                76            8%
Retail/Gaming/eCommerce   269           21%
Banking                   273           19%

Banking

Despite relatively high DMARC adoption rates among large banks (including half of the world’s ten largest), only 19% of the banks included in this analysis are using the standard today. One possible explanation for such low adoption in the face of clear risk is that this industry’s legacy IT systems tend to be more complex than those of newer industries such as social media companies. Their email ecosystems tend to be more complex, too, underpinning a broad array of functions (from transactional to informational) across multiple brands and multiple geographies. Banks also have a lower tolerance than others for the risks that system-wide changes represent, making DMARC adoption more challenging for their security and IT teams.

Healthcare

The healthcare industry faces similar challenges with complex legacy systems and data sensitivity, but its DMARC adoption lags remarkably: at 8% it is the lowest of all sectors. With recent data breaches at health insurers, email fraud protection is surely rising on the list of to-dos for the industry’s information security professionals.

Retail

Retailers, too, have lagged other verticals. Despite the Anti-Phishing Working Group (APWG) reporting that retailers are increasingly targeted by phishers (6.5% of total phishing attacks in 2012 compared to 16.5% in 2014 [1]), DMARC adoption across the retail/ecommerce vertical is only 21%. While many of the most prominent members of the industry are using the standard to combat fraud, it may be surprising that all the recent media and legislative focus on retailer data security hasn’t spurred more retail brands to take action. As with banks, the complexity of retail and ecommerce email programs may be slowing DMARC adoption. Their messages are often sent from multiple domains, including third party providers’ systems, affiliates, and disparate internal brands and departments. The level of operational coordination and sophistication required for retail brands to implement DMARC may take more time and effort.

Social Media

In contrast, social media networks’ DMARC adoption rates lead the world at 51%. This is not a surprise. Their networks are big, their technology is new, and their need for information security is acute. Social networks have a lot of personal information to protect, and their business models depend on being able to send large volumes of email. Trust is also paramount for social media brands: when their platform is used as a vehicle to defraud users, or user accounts are compromised, the impact of these attacks on their user base can be exponential, eroding trust at lightning speed.

Logistics

Logistics providers, such as global shipping companies, are leaders in email fraud protection too, with an overall DMARC adoption rate of 41%. This is another highly vulnerable vertical, so its early recognition of DMARC’s value is no surprise; these brands need to send a lot of transactional emails, and their core missions are based on delivering time-critical information to their clients.

[1] APWG Phishing Activity Trends Report, Q2 2014

DMARC Policy Implementation by Vertical

Next, let’s look at the breakdown of the DMARC policy applied amongst the global brands that have implemented it: monitor, quarantine and reject. A monitor policy is used when first implementing DMARC. It helps senders identify sending domains that are failing authentication and would otherwise be blocked by email providers if the sender’s policy were set to reject. The quarantine policy tells email providers to set aside emails that fail authentication; in practice, emails that fail authentication under a quarantine policy are delivered to the spam or junk folder. The reject policy directs email providers to do just that: block messages that fail authentication.

A large percentage of senders have implemented a monitor policy, signifying adoption of the DMARC standard but not the commitment to the stringent email operations required to fully block malicious emails with a reject policy. Three industry sectors are showing the strongest level of DMARC implementation, instructing mailbox providers to block suspected fraudulent messages: payment services (32%), social media (40%), and logistics (44%).
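The three stages described above correspond to the p= tag of a domain’s DMARC TXT record (p=none is the monitor stage, then p=quarantine and p=reject). The following Python script is an added example, not code from Return Path or from the report: it parses a record into its tags, classifies it into the report’s monitor, quarantine and reject stages, flags partial enforcement (a pct value below 100), and rolls several sending domains of one organisation up to the chart’s “Multiple” category when they sit at different stages. The domain names, the records and the function names are constructed for this example.

```python
from typing import Dict, Optional

# Constructed DMARC TXT records for hypothetical domains (not taken from the
# report). The last entry is an SPF record, included to show how a lookup that
# returns the wrong record type is handled.
SAMPLE_RECORDS: Dict[str, str] = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-agg@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; "
                          "rua=mailto:agg@quarantine.example; ruf=mailto:forensic@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:agg@reject.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:agg@partial.example",
    "broken.example": "v=spf1 include:_spf.example -all",
}

# p= value in the record -> stage name used by the report
STAGE_BY_POLICY = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into its tag=value pairs.

    Returns None when the text is not a usable DMARC record: RFC 7489 requires
    the version tag v=DMARC1 and a policy tag p=.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            return None                   # malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def policy_stage(record: str) -> str:
    """Map one record onto the report's stages: monitor, quarantine, reject.

    'none' means no valid DMARC record. A pct below 100 means only that share
    of failing mail is subject to the policy, so the stage is marked partial.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    stage = STAGE_BY_POLICY.get(tags["p"].lower())
    if stage is None:
        return "none"                     # unknown p= value; receivers ignore the record
    pct = tags.get("pct", "100")
    if stage != "monitor" and pct.isdigit() and int(pct) < 100:
        return f"partial-{stage}"
    return stage


def organisation_stage(records: Dict[str, str]) -> str:
    """Roll an organisation's sending domains up to a single stage.

    Follows the chart footnote: domains at different stages make the
    organisation 'multiple'. Domains without a record are left out so that
    one unprotected domain does not hide the stage of the protected ones.
    """
    stages = {policy_stage(r) for r in records.values()}
    stages.discard("none")
    if not stages:
        return "none"
    return stages.pop() if len(stages) == 1 else "multiple"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:<20} {policy_stage(record)}")
    print("organisation overall:", organisation_stage(SAMPLE_RECORDS))
```

Run against real domains by fetching the TXT record at _dmarc.<domain> and passing it to policy_stage; the partial-reject case is worth tracking separately, because a record with pct=25 is counted as “reject” by a naive survey but still lets three quarters of failing mail through.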

DMARC policy implementation by vertical (chart)

Vertical                  Sample size   Sample (policy only)
Total                     1049          236
Social media              59            30
Technology                62            22
Travel                    108           28
Payment Services          87            19
Logistics                 22            9
Public sector             16            3
ISP/Telco                 77            12
Retail/Gaming/eCommerce   269           56
Banking                   273           51
Healthcare                76            6

Chart series (share of the policy-only sample): Monitor, Multiple*, Quarantine, Reject. Reject shares called out in the text: Payment Services 32%, Social media 40%, Logistics 44%.

* Multiple indicates different sending domains at different stages of DMARC policy implementation

DMARC in Action: Benefits Seen by Early Adopters

Implementing DMARC is akin to a homeowner putting a sign on their front lawn announcing that their property is alarmed. It tells would-be thieves to pick another target.

As the chart for a US financial services firm shows, once the firm implemented DMARC, domain-based attacks against its brand dropped to zero. DMARC not only helps prevent phishing and spoofing emails from reaching customers, it can discourage fraudsters from even attempting to exploit the DMARC-protected brand.

In the case of the UK’s HM Revenue & Customs department (HMRC), DMARC has been integral to the dramatic results they have achieved. It allows close monitoring of mail flows across their active and defensively registered domains, helping them reduce malicious email that targets UK taxpayers by impersonating their organization.

“Simply put, the DMARC standard works. In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”

Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs

Chart: Suspicious messages per month, January to November 2014, for a Return Path customer (US financial services company); vertical axis from 0 to 1,250,000 messages, with the month the DMARC block was deployed marked.

DMARC Receiver Adoption Worldwide

While DMARC adoption rates among brands and senders of email vary widely by vertical and region, the adoption rate among receivers of email (ISPs) has risen dramatically over the past two years. In January 2013, a mere six mailbox providers had adopted DMARC, albeit some of the world’s largest. As of December 2014, that number had increased to 142, protecting some 2.43 billion inboxes worldwide. Since launching with Yahoo!, Google, Microsoft, AOL, and Comcast, DMARC has added a slew of other private and public sector domains. These receivers take phishing and spoofing seriously and have acted to help you prevent it.

Chart: Number of Receivers Worldwide Adopting DMARC, by quarter from Q1 ‘13 to Q4 ‘14 (vertical axis 0 to 160). Source: Return Path Trusted Cooperative Network, February 2015.

Regional Coverage

While the overall receiver adoption of DMARC is trending the right way, the percentage of consumer inboxes protected by DMARC by country is not necessarily what one would predict.

Hong Kong and Russia lead the world in DMARC inbox protection with 90% coverage, followed by the United States at 85%, then Turkey at 79%. Germany has the lowest percentage of inboxes protected (30%), with Spain and France tied for second lowest at 50%. However, with some large regional ISPs already engaged in DMARC implementation, we expect these adoption rates to increase significantly over the next two quarters.

Country       Consumer inboxes protected by DMARC
Hong Kong     90%
Russia        90%
USA           85%
Turkey        79%
Brazil        75%
Italy         75%
Singapore     75%
UK            75%
Australia     65%
France        50%
Spain         50%
Germany       30%

Source: Return Path Trusted Cooperative Network, February 2015

Conclusion

In the last three years, DMARC adoption has made great strides, both by email senders and receivers. Across most industry sectors, the early adopters, and the largest brands, have clearly taken the right steps, and some are already reaping the benefits of advanced protection against email fraud and brand abuse. Among the tier two players, though, there is a notable long tail of adoption laggards who have yet to take a proactive stand against email-borne threats. For those already on the road to DMARC, quite a bit of work is still needed to move the adoption curve through “Quarantine” to “Reject” policies, implying that whilst DMARC is perceived to be valuable, its practical implementation remains difficult. Senders need to be acutely familiar with the state of their email operations, and comfortable with parsing and reacting to the DMARC data coming from the ISPs, in order to advance along the adoption curve.
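The “DMARC data coming from the ISPs” referred to above arrives as aggregate (rua) XML reports, and reading them is what lets a sender move from monitor to quarantine to reject without blocking its own legitimate mail. The following Python script is an added example, not tooling from Return Path or from the report: it parses a constructed aggregate report in the RFC 7489 Appendix C layout, separates sources that pass DMARC alignment from authorised-but-misaligned vendors and from unauthenticated sources, and applies a hypothetical 98% pass-rate gate before recommending a stricter policy. The reporter, domain, IP addresses, counts and function names are all made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout.
# Reporter, domain, IP addresses (RFC 5737 documentation ranges) and counts
# are made up for this example.
SAMPLE_AGGREGATE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>example-report-0001</report_id>
    <date_range><begin>1420070400</begin><end>1420156799</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>unrelated.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, Any]:
    """Aggregate one rua report into per-source verdicts.

    policy_evaluated/dkim and /spf are the *aligned* results, so DMARC passes
    when either is 'pass'. The raw auth_results/spf result tells a legitimate
    vendor sending from a misaligned domain apart from a source that did not
    authenticate at all.
    """
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary: Dict[str, Any] = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "total": 0,
        "aligned": 0,
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        dmarc_pass = "pass" in (row.findtext("policy_evaluated/dkim"),
                                row.findtext("policy_evaluated/spf"))
        if dmarc_pass:
            verdict = "pass"
        elif rec.findtext("auth_results/spf/result") == "pass":
            verdict = "misaligned"        # authorised sender, wrong domain in SPF/DKIM
        else:
            verdict = "unauthenticated"   # unknown mail stream or spoofing attempt
        summary["total"] += count
        if dmarc_pass:
            summary["aligned"] += count
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "disposition": row.findtext("policy_evaluated/disposition"),
            "verdict": verdict,
        })
    return summary


def pass_rate(summary: Dict[str, Any]) -> float:
    """Share of reported messages that passed DMARC alignment."""
    return summary["aligned"] / summary["total"] if summary["total"] else 0.0


def sources_needing_action(summary: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Non-passing sources, largest first: fix the misaligned ones, investigate the rest."""
    return sorted((s for s in summary["sources"] if s["verdict"] != "pass"),
                  key=lambda s: s["count"], reverse=True)


def ready_to_tighten(summary: Dict[str, Any], min_pass_rate: float = 0.98) -> bool:
    """Gate for moving p=none -> quarantine -> reject (hypothetical threshold).

    Advance only once nearly all reported mail is aligned and no authorised
    sender is still reported as misaligned, since that mail would be lost.
    """
    misaligned = any(s["verdict"] == "misaligned" for s in summary["sources"])
    return pass_rate(summary) >= min_pass_rate and not misaligned


if __name__ == "__main__":
    s = summarize_report(SAMPLE_AGGREGATE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {pass_rate(s):.1%} aligned over {s['total']} messages")
    for src in sources_needing_action(s):
        print(f"  {src['ip']:<15} {src['count']:>5}  {src['verdict']}")
    print("ready to tighten policy:", ready_to_tighten(s))
```

In the constructed report the vendor at 198.51.100.23 is the reason the domain cannot yet move past monitor: its mail is authorised (SPF passes for the vendor’s own domain) but not aligned with the From header, so a reject policy would block a legitimate newsletter. The 85 messages from 203.0.113.77 authenticate as nothing and are the traffic a reject policy is meant to stop.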

There may be additional incentive on the horizon: some mailbox providers have suggested that DMARC authentication could become part of their inbox placement decision making in the future. Senders whose messages fail DMARC authentication could see more of their email delivered to the spam folder or even blocked. Even without this threat, it is incumbent upon senders to protect people from being victimized by fraudsters using their brand as cover.

Recent headlines are serving as a relentless reminder of the cost of spoofing and phishing attacks to both brands and their customers. The question to all reputable companies out there is no longer “Should we implement DMARC?” but rather “Can we afford not to?”

Contact Us

USA (Corporate Headquarters) [email protected]

Australia [email protected]

Brazil [email protected]

Canada [email protected]

France [email protected]

Germany [email protected]

United Kingdom [email protected]

returnpath.com/stopemailfraud

Methodology

Return Path conducted this study using a representative sample of more than 1,049 global companies across 31 countries from the following indices: Fortune 500, Inc. 5000, DJIA, NASDAQ, S&P, FTSE, and the Forbes 2014 ‘Top 100 Most Recognizable Brands’. DMARC adoption data was pulled in February 2015. Percentages may not add up to 100 due to rounding.

About Return Path

The world’s biggest brands rely on Return Path to keep them connected to their customers. We analyze the world’s largest collection of email data to show marketers how to stay connected to their audiences, strengthen their customer engagement, and protect their brands from fraud. Our solutions help mailbox providers around the world deliver great user experiences and build trust in email by ensuring that wanted messages reach the inbox while spam and abuse don’t. Consumers use Return Path technology to manage their inboxes and make email work better for them.