Tech Companies Still Not Implementing DMARC to Block Phishing Attacks

A recent study by Valimail has revealed only 10.5% of large tech companies have correctly implemented the DMARC email authentication protocol to block phishing attacks that spoof email domains.

There are several frameworks and protocols that can be adopted to help prevent domain spoofing and authenticate emails. These are Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), Domain-based Message Authentication (DKIM), Authenticated Relay Chain (ARC) and Brand Indicators for Message Identification (BIMI).

DMARC was developed in 2012 and combines SPF and DKIM and allows businesses to set policies for handling messages that fail the authentication process, including re-routing messages or rejecting them.

Setting DMARC policies to reject messages that fail authentication processes is the strongest protection to implement against email spoofing as it ensures that these messages are not delivered to end users, yet only 10.5% of technology companies have set DMARC to ‘reject.’

For the study, Valimail assessed 525 domains used by tech companies. 257 of those domains had DMARC records, but only 55 had DMARC implemented with enforcement. 78.1% had implemented SPF, although 16.2% had not implemented SPF correctly. 5.7% do not even use SPF for email authentication.

34.9% of tech companies have set up DMARC but are not enforcing policies, which leaves them exposed to email spoofing attacks. 3.6% have set up DMARC incorrectly, and 51% of tech companies have not yet implemented DMARC. Out of the 49% of tech companies that had adopted DMARC, the majority were not protected against email spoofing attacks.

Aside from government agencies, tech companies had the highest level of DMARC adoption. Progress has been made but there is still a significant way to go. Adoption of DMARC has grown by 300% year-over-year but many tech companies have been slow to adopt the email authentication protocol. The companies that have adopted DMARC tend to be large companies. The average revenues of companies that have adopted DMARC was more than twice as high as those that had not.

The study shows that not only must adoption increase to tackle the problem of phishing, it is also essential that DMARC is correctly configured, otherwise it will do nothing to prevent email spoofing attacks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of