DMARC Adoption Doubles, Despite Ongoing Email Threats

A year after Google and Yahoo enforced the implementation of the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard for bulk email senders, the rate of DMARC adoption among domains has doubled. However, many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

Increased Adoption Begins in February 2024

The increase in adoption started in February 2024, when Google and Yahoo began requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. This move was aimed at improving email authentication and reducing the risk of phishing attacks.

Current DMARC Adoption Rates

The email authentication standard uses two authentication specifications. However, only about a third of domains currently comply with strict DMARC requirements, according to Red Sift’s data. Despite this, Google’s Kumaran believes that DMARC adoption is a step in the right direction.

Benefits of DMARC Adoption

While none of these technologies solve the problem of malicious emails, they all provide companies and their email service providers with more reliable signals to filter out unwanted messages and potential attacks. According to Kumaran, DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad." Instead, it provides confidence in the source of the message, allowing for better classification and protection of users.

The Role of DMARC in Email Security

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it’s a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."