By Shehzad Mirza
On October 23, 2016, just over a year after the formation of the organization, GCA released its first tool to eradicate systemic cyber risk – the GCA DMARC Setup Guide – to ease the burden of implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol and help organizations protect their brand from email fraud. The Setup Guide performs a scan of a domain to check for SPF/DKIM/DMARC protocols and provides step-by-step guidance on how to create SPF/DKIM/DMARC records.
Now here we are, a year after it’s launch, and the DMARC Setup Guide has been visited 16,493 times from 10,562 users in 3,407 cities across 144 countries.
Of those visits, 10,680 unique domains were used on the site, and 2,040 of those domains ( from across 112 countries) have enabled a correct DMARC policy after visiting the Setup Guide.
That is a 19.1% implementation rate in just under one year from when the site was released!! This is over double the nonprofit industry average click-through rate of 7%.
In fact, GCA had a record week starting on Friday, October 13th (lucky #13) in which we had the most visits and usage of the DMARC site since launch. The second highest came on Monday, October 16th, thanks to our event in NYC at which the Department of Homeland Security (DHS) announced Binding Operational Directive 18-01, mandating all federal agencies to implement DMARC alongside additional email security mechanisms.
Behind the Numbers:
The above numbers are great for a nonprofit entity that has been promoting, educating and raising awareness about DMARC. However, let’s look more closely at who and where we have had an impact around the globe.
Figure 1: The number of entities which implemented DMARC for each policy.
Figure 1 indicates how many domains attempted to use the DMARC Setup Guide and which level of DMARC policy these entities have implemented or are using. The blue bar shows those that have enabled DMARC after visiting the GCA DMARC Setup Guide. The orange bar shows the domains which already had DMARC enabled at certain levels. The obvious concern is the high number of domains with nothing implemented, followed by the number of domains that are still at DMARC policy level ‘none’. Why is this a concern? We’ll discuss that later in the report.
Being a global organization, GCA wanted to make sure our project had global reach. Based on the statistics, the majority of our users are from the US and the UK, but we have quite a few visitors from other countries as well.
Figure 2: Top-10 Countries visiting the GCA DMARC Site (excluding the USA and the United Kingdom)
What is interesting is that in Figure 2, once you remove the domains that do not have DMARC implemented, the same countries are still present just in a different order. This is due to the number of domains that set a DMARC policy after visiting the Setup Guide. Germany is still the highest regarding visits and DMARC implementation.
Figure 3: Top-10 Countries with DMARC implemented (excluding the USA and the United Kingdom)
Overall concerning implementation rate, Germany has the most domains with the effective levels of DMARC (policy set to quarantine or reject) after visiting our site, followed by France and Canada.
Figure 4: Top-10 Countries with DMARC implementation after visiting the GCA DMARC Site (excluding the USA and the United Kingdom)
Figure 5: Top 10 Sectors using GCA DMARC Setup Guide
The domains who used the Setup Guide are also representative of a variety of sectors across the globe. One might expect IT Services to be the highest, but what was unexpected was that the Education sector would be in the top five, since they do not appear on various vendor reports. Ultimately, ALL sectors should make a plan to implement DMARC as soon as possible. Every sector maintains some form of Personally Identifiable Information (PII) (e.g. social security numbers, credit card data, banking information, medical records, etc.). Maintaining the integrity of an organization’s networks and customer data is critical.
Each sector had various levels of implementation when using the Setup Guide (which is not the same as the number of visits). Figure 5 shows that the IT Services sector has the largest implementation of DMARC, as expected due to the volume of domains attempted. However, the Legal and Food & Beverages sector drop off the top 10 list implementation list, and Manufacturing and Media sectors take their place.
Figure 6: Top 10 Sectors DMARC implementation after visiting the GCA DMARC Site
Overall in terms of implementation rate, IT Services has the most domains with the effective levels of DMARC (quarantine and reject), followed by Finance and Retail.
What have we learned?
Figure 7: Top-10 Sectors DMARC implementation after visiting the GCA DMARC Site
The first thing we learned during this past year is that quite a large number of entities have never event heard of DMARC. This would, in part, explain the slow adoption rate. A small percentage indicated it was too difficult and too expensive to implement. Due to this, GCA conducted monthly webinars and developed several videos to raise awareness and educate executives on the benefits of implementing DMARC, as well as more technical guidance with implementation, and some cost-effective options for DMARC reporting.
One major thing we’ve learned is that approximately 79% of the domains that have implemented DMARC at level “none” and have remained at that level for the past several months, if not longer. DMARC level “none” has no impact on messages and is meant only for monitoring and reporting purposes. It is important that organizations implement DMARC enforcement by using policy level ‘quarantine’ or ‘reject’. As a result of these findings, GCA developed a rating level in the Setup Guide to encourage users to encourage reporting and to increase their protection level from “none” to “quarantine” and eventually “reject.”
Additionally, approximately 16% of these domains have not enabled reporting. If the DMARC policy is set to “none” and reporting is not enabled, there is no benefit to having DMARC at all. Report analysis is necessary to determine if DKIM, SPF and/or domain alignment need to be adjusted. This in turn will lead to moving up to a DMARC policy that allows for enforcement. There is a lot of valuable information for an organization’s IT and security staff in those reports! More information about DMARC reporting analysis can be found here.
We also learned that a majority of users at the start were from the United States and the United Kingdom, due in large part to the fact that the Setup Guide and resources were originally only available in English. In order to make a greater global impact, GCA released the DMARC Setup Guide in twelve other languages this year: Arabic, Bulgarian, Chinese (Cantonese and Mandarin), French, German, Hindi, Japanese, Korean, Portuguese, Spanish and Russian. Once each language was released, we saw an increase in usage from regions with those primary languages. We also started began the process of translating our awareness video. We now have it available in Spanish and Japanese. By the end of this month, we will also have it in French and Mandarin, and more planned for release in 2018, to have even more impact around the world!
Overall, the adoption rate for DMARC has been slow, but with the help of free tools and resources and increased implementation and awareness amongst GCA partners, we expect the adoption rate to pick up steadily. The United Kingdom and the United States governments have both established mandates for their agencies to implement DMARC, which is a strong sign of support. We hope this trend continues both in the public and private sector. Especially since a majority of the world’s consumer inboxes – 76 percent, or 4.8 billion – already support DMARC. Organizations across all sectors around the globe need to do their part to protect those consumers.
So what are the next steps?
If you are one of the many who has yet to implement DMARC, we are here to help! Get started with the DMARC Setup Guide or take a look at the many videos available on the GCA YouTube Channel. We are also available for any questions or help to get started. Contact us at [email protected].
If you have DMARC and would like to help us promote its benefits and the importance of implementation, we have kit that gives you all the basic information for spreading the word at: https://dmarc.globalcyberalliance.org/dmarc-media-kit.html
If you have a story to tell, please share it with us so others can learn from your experience! What were your challenges and how did you overcome them? What successes did you encounter as a result of implementation? What resources did you find useful? We love to hear success stories! Contact us at [email protected].
The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.