DMARC Policies of Fortune 100 companies

We at dmarcian are dedicated to improving the reliability of the world’s email through the wide-spread adoption of DMARC by providing tools, education and deployment specialists. We find it useful to occasionally take stock of different metrics on how DMARC is being adopted.

The Fortune 100 is an annual list compiled and published by Fortune magazine that ranks 100 of the largest United States corporations by total revenue. We thought it would be interesting to take a look at the DMARC policy of the corporations on 2020’s Fortune 100 as we begin 2021.

  • 13% had no DMARC policy
  • 49% had a DMARC policy set to none
  • 8% had a DMARC policy set to quarantine
  • 30% had a DMARC policy set to reject

We also reflected the number of reporting email addresses associated with the DMARC record (shown as units on the Y-axis), as we believe it is a good indicator of intent or work-in-progress in securing domains.

  • 13% had multiple email addresses receiving reporting 
  • ~16% of those with a policy set to none, or in monitoring mode, had multiple reporters. 

For many organizations, the first phase of DMARC deployment (policy set to none) is the first time they are seeing all of their domain assets in a cohesive overview. This includes both known uses, as well as instances of “shadow IT” (where a third-party resource is deployed by an internal department without the knowledge of the IT department) and of course unauthorized use. 

Often, an organization will enlist external help to supplement their own internal efforts to help advance their DMARC policy towards p=reject, which is reflected in having numerous recipients for their DMARC reporting.

If you need assistance with DMARC monitoring, deployment or compliance, register for a free, 14 day trial with dmarcian.