DMARC adoption among .org domains doubles but remains low
A new study has indicated a significant increase in the adoption of the DMARC (Domain-based Message Authentication, Reporting, and Conformance) security standard among .org email domains over the past year. According to research conducted by EasyDMARC, the usage of DMARC has more than doubled among charities, rising from 3.98% to 7.78% between March 2023 and March 2024.
Despite this growth, the research highlighted that less than one in ten charity domains currently employ basic protections against phishing and spoofing. This leaves many organisations vulnerable to email-based cyber threats. The study analysed a data set of 9,935,024 verified .org domains, shedding light on the current state of email security among non-profits.
DMARC plays a crucial role in detecting and preventing email spoofing, a common method used in phishing attacks. Effective implementation of DMARC can significantly reduce the risk of such attacks by either preventing the delivery of unauthenticated emails or diverting them to the junk folder. While the protocol has been available for over a decade, the study suggests that the majority of non-profits have yet to fully utilise its potential.
There has been notable progress towards implementing more stringent policies among organisations that have adopted DMARC. The percentage of those employing rejection (p=reject) or quarantine (p=quarantine) policies increased from 45% to over 50% within the study period, reflecting a growing commitment to better email security.
The research also pointed out that over half of the domains with DMARC configurations lack RUA (Reporting URI of Aggregate Reports) tags, which are essential for monitoring and reporting purposes. This finding implies that the rise in DMARC adoption may be largely attributed to the recent email authentication regulations imposed by Google and Yahoo rather than a proactive cybersecurity stance from the organisations.
Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC, commented on the substantial growth in DMARC adoption among non-profits. He noted that non-profits, which predominantly use the .org domain, are now compelled to implement DMARC to ensure their emails are delivered to recipients' inboxes in compliance with the new Google and Yahoo policies.
While the progress in adopting DMARC and more secure policies is encouraging, Hovhannisyan emphasised that much work remains, as 92% of .org domains still lack basic DMARC protections. The ongoing adjustments in email security protocols highlight the need for non-profits to stay vigilant and proactive in fortifying their defences against phishing and spoofing attacks.