Many Companies Don’t Use DMARC to Fight Phishing

Companies are vulnerable to domain spoofing and phishing attacks that impersonate their corporate email domains—often because they don’t have DMARC policies.


DMARC adoption statistics

  • DMARC records are lacking: 67 percent of Fortune 500 companies (337) do not have a DMARC record on their corporate domain. Of the remaining third, 124 companies have only a Monitor policy.
  • DMARC deployments are set wrong: 92 percent of the DMARC deployments at the Fortune 500 companies surveyed are set to Monitor unauthenticated messages instead of Quarantine or Reject them.
  • Few policies work to prevent digital deception: Only 10 percent of the Fortune 500 companies have deployed a DMARC policy to prevent digital deception. 3 percent have a Quarantine policy, and 5 percent have a Reject policy.
  • Sectors with highest DMARC adoption rate:
    • Business services: 60 percent
    • Financial services: 57 percent
    • Technology: 55 percent
    • Transportation: 53 percent
  • Sectors with the highest share of companies lacking DMARC:
    • Chemicals: 93 percent
    • Engineering and construction: 92 percent
    • Aerospace: 92 percent
    • Household products: 92 percent
    • Energy: 91 percent
  • FTSE Index adoption rates: 67 percent of companies on the Financial Times Exchange 100 Index (FTSE 100)—which includes the top 100 companies on the London Stock Exchange—don’t have a DMARC record in their corporate domain.
  • FTSE sectors with the highest DMARC adoption rate:
    • Pharmaceuticals: 100 percent
    • Financial services: 40 percent
    • Energy and utilities: 37 percent
    • Retail: 33 percent
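
The categories used in these statistics (no record, Monitor, Quarantine, Reject) can be reproduced for any list of domains from the TXT records published at `_dmarc.<domain>`. The following Python sketch is an added example, not code from the survey or from CIO Insight; it assumes Monitor corresponds to the DMARC policy `p=none`, and the domains and records in `SAMPLE` are constructed for illustration.

```python
from collections import Counter

# Survey category for each value of the DMARC "p" tag (RFC 7489).
POLICY_LABEL = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip(), value.strip()))
    return pairs

def classify_dmarc(txt_records):
    """Map the TXT answers for _dmarc.<domain> to one survey category."""
    parsed = [parse_tags(r) for r in txt_records]
    # A DMARC record must start with v=DMARC1; other TXT data is ignored.
    dmarc = [p for p in parsed if p and p[0] == ("v", "DMARC1")]
    if len(dmarc) != 1:
        # Zero records, or several: receivers apply no DMARC policy.
        return "No record"
    policy = dict(dmarc[0]).get("p", "").lower()
    # Simplification: a missing or unknown p tag is reported separately.
    return POLICY_LABEL.get(policy, "Invalid record")

def tally(domains):
    """Return {category: percent of domains} for a {domain: [TXT records]} map."""
    counts = Counter(classify_dmarc(recs) for recs in domains.values())
    return {cat: round(100 * n / len(domains)) for cat, n in counts.items()}

# Constructed sample data (not survey data): TXT answers per domain.
SAMPLE = {
    "a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none"],
    "c.example": ["v=DMARC1;p=NONE"],
    "d.example": ["v=DMARC1; p=quarantine; pct=100"],
    "e.example": ["v=DMARC1; p=reject"],
    "f.example": [],                                    # nothing published
    "g.example": ["v=spf1 -all"],                       # TXT, but not DMARC
    "h.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # ambiguous
    "i.example": ["unrelated-verification=abc123"],
    "j.example": ["v=DMARC1; rua=mailto:dmarc@j.example"],    # no p tag
}

if __name__ == "__main__":
    for category, percent in sorted(tally(SAMPLE).items()):
        print(f"{category}: {percent} percent")
```

Only the Quarantine and Reject categories instruct receivers to act on unauthenticated mail; a domain counted under Monitor publishes a record but still lets spoofed messages through.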


Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.
