Companies Wake Up to the Value of DMARC for Online Brand Protection

Are organizations waking up to the need to protect their brands online? Based on the rapid adoption of DMARC, a standard that helps prevent brand impersonation in phishing emails, the answer is yes. Worldwide, the number of domains using DMARC soared last year, increasing roughly 300% to just under 2 million.[1]

Online brand protection is a growing concern for most organizations as they increasingly rely on the web, email and social media to communicate with customers and the public—which leaves them vulnerable to online impersonation. While no single technology can solve the problem, DMARC can help by preventing malicious actors from sending phishing emails that appear to come from trusted brands. Because of this, DMARC is an essential element in a strategy to protect an organization’s email communications, its customers, and its reputation. 

“The appetite for DMARC has increased in a big way over the last few years,” confirms Dirk Jan Koekkoek, VP, DMARC, Mimecast. While backing by the U.S., the U.K., and other governments has helped to propel that growth, many businesses are now also rapidly adopting the standard. “In our experience, DMARC initially applied more to the financial sector,” he says. “Now, we see companies across all industries using the standard. The distribution is really broad.”

Awareness of Online Brand Protection Expands

DMARC can stop common types of phishing emails that mimic a company’s internet domain in an attempt to trick unsuspecting users into clicking on bad links, downloading malware, or making payments to fraudsters. By adding a DMARC record to its internet domain information, a business can find out who is impersonating its brand in email messages, and it can prevent those messages from reaching users. Within its DMARC record, each business sets a policy that tells other organizations’ email systems what to do when they receive fake emails that impersonate its domain: whether to report them but otherwise do nothing, quarantine them in a spam folder, or reject them altogether.

With expanding awareness of the need for online brand protection, the number of DMARC records skyrocketed during 2019, rising from 630,00 to 1.89 million, with between 50,000 and 150,000 domains being added each month, according to the industry group DMARC.org[2] and shown below in Figure 1. Companies actively using DMARC are still in the minority—the State of Email Security 2020, a global survey of over a thousand IT decision makers, found that only 28% of respondents are currently using the standard. But nearly all the surveyed organizations are now aware of DMARC, and most said they plan to use it.

Koekkoek says that one factor helping to spur broader uptake is that tools such as Mimecast’s DMARC Analyzer are making it much easier for smaller companies to apply DMARC themselves, without needing expert help. In the past, some considered DMARC complex to configure and manage, according to Gartner Inc., which says that using a third-party tool is often the most effective way to implement the standard.

The Growing Pressure to Adopt DMARC

Koekkoek says he expects the sharp rate of increase to continue. “In my view, the adoption pattern will be a typical S-curve,” he says. “DMARC will become default domain hygiene. Technology will make it easier for the late majority of organizations to use DMARC than it was for early adopters.”

Furthermore, as more companies use DMARC, there will be inexorable pressure on laggards to follow suit, Koekkoek believes. “When more domains are locked down, the unprotected ones will be attacked more often, or at least will be more attractive targets for abuse. With less friction to implement DMARC and a stronger argument for using it, the slow adopters will follow.”

Governments’ Impact on DMARC Adoption

Many of the early adopters of DMARC for online brand protection tended to be organizations that are heavily spoofed, or that have a particularly acute need for their email communications to be trusted. That includes big tech firms, which are among the most impersonated brands online. It also includes governments, which increasingly rely on digital methods to communicate with citizens. “In the U.S.A., U.K., Norway, Australia, and The Netherlands it’s mandatory for governmental organizations to enforce DMARC. In the EU it’s a best practice. We’ve seen strong adoption boosts in these regions,” Koekkoek says.

In October 2017, for example, the U.S. Department of Homeland Security issued Binding Operational Directive 18-01, which requires federal civilian domains to adopt DMARC. The U.K. government mandated that government departments adopt DMARC a year earlier, in 2016.

Dutch Government Offers Incentives for Using DMARC

The Netherlands required all government domains to apply DMARC by the end of 2019—and took an additional step toward promoting the standard by offering financial incentives to domain registrars who encourage DMARC use by Dutch companies using their services. The incentives are offered as part of a program called the Registrar Scorecard, which aims to boost trust and protection of Dutch internet domains. After the government expanded the program to include email security standards in July 2018, the number of DMARC records leapt from 36,000 to 470,000 in just six months. More than 370 registrars now take part, representing 86 per cent of country’s domains, and that figure is expected to rise.[3]

Several other sectors were quick to realize the value of DMARC records for online brand protection, Koekkoek says. “Law firms, banks and some other organizations must have DMARC, as their auditors and clients often demand it,” he says. In the U.K. for example, legal firms’ clients increasingly demand that the firms have implemented DMARC, according to Legal IT Insider.[4]  

Banks see DMARC as important for online brand protection in part because of the prevalence of financial scams. Malicious actors often impersonate banks in phishing emails in order to trick users into revealing their bank login credentials, which can then be used to drain their bank accounts.

Still, it’s important to remember that DMARC adoption is still at an early stage. DMARC is designed to be introduced gradually, beginning with a “reporting-only” policy and gradually moving to a policy that rejects all illegitimate senders. According to DMARC.org, only 21% of organizations with DMARC records were using a reject policy during 2019; about 71% used a reporting-only policy, perhaps because so many companies had only recently begun using the standard.[5]

Adoption is also patchy in geographic terms. According to statistics collected by the Global Cyber Alliance, more than 135,000 domains are protected by DMARC in the U.S., and more than 20,000 in the U.K.[6] Koekkoek says adoption in Brazil, with more than 7,000 DMARC records, also seems to be growing strongly. Other countries, including China and Japan, have far fewer domains protected by DMARC.

The Bottom Line

More and more organizations are realizing that a DMARC record is an essential tool for combating the threat of online brand impersonation. DMARC can help to prevent some of the most common types of phishing emails that can harm a brand’s customers and its reputation. But most organizations have a multi-faceted and expanding digital presence covering not only the web and email but also social media and other communication channels. DMARC is valuable, but it’s only one element in a comprehensive online brand protection strategy.

[1] “DMARC Policies Increase 300% over 2019,” DMARC.org

[2] “DMARC Policies Increase 300% over 2019,” DMARC.org

[3] “Registrar Scorecard yields great results,” SIDN

[4] “Clients demand DMARC is set to reject,” Legal IT Insider

[5] “Farsight DNS Data – DMARC,” DMARC.org

[6] “DMARC Leaderboard,” Global Cyber Alliance