Fortune 100 DMARC Adoption – Revisited
dmarcian is dedicated to improving the reliability of the world’s email through widespread DMARC adoption by providing resources, education and deployment specialists. We find it useful to occasionally take stock of different metrics on how DMARC is being adopted.
In the first quarter of 2021, we took a look at DMARC adoption among Fortune 100 companies, an annual list compiled and published by Fortune magazine that ranks 100 of the largest United States corporations by total revenue.
We thought we’d check in on the Fortune 100 to see how they have progressed in the last year.
Here’s what we found:
From quarter 1 of 2021 to quarter 1 of 2022, we saw the following growth in DMARC deployment and policy enforcement among Fortune 100 companies—measured in percentage increase or decrease:
- 27% increase of DMARC policies set to p=reject
- 25% increase of DMARC policies set to p=quarantine
- 10% decrease of DMARC policies set to p=none
- 38% decrease of companies lacking a DMARC policy
With the ever-increasing threat of domain impersonation, we were glad to see that these percentage changes from last year illustrate an overall improvement in DMARC adoption and DMARC policy advancement.
For many organizations, the first phase of DMARC deployment is a DMARC policy set to p=none; this monitoring policy sheds light on how a domain is being used across the internet while no constraints are placed on the domain’s email flow. This visibility includes known domain uses, like a company’s marketing email service provider that was properly vetted by the IT department; instances of Shadow IT, where a third-party resource is adopted without the knowledge of the IT department; and, finally, unauthorized use of a domain by bad actors.
From this initial monitoring policy, domain operators work to build their organization-wide domain catalog, identify all legitimate sending sources of email, and align the domain behind a passing SPF or DKIM result with the domain of the From header. Then an organization will advance the DMARC policy to p=quarantine and transition to p=reject as confidence is gained in identifying legitimate email sources.
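The policy stages described above can be read directly from the TXT records published at `_dmarc.<domain>`. The following is an added example, not dmarcian's code or survey methodology: it sorts a domain into the four buckets used in the figures above, including the cases that look like a policy but are not applied as one. The function names and sample records are constructed for illustration, and the `rua` check is simplified to a `mailto:` prefix test.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tags of one TXT record, or None if it is not a DMARC record."""
    pairs = [part.partition("=") for part in txt.split(";") if "=" in part]
    pairs = [(k.strip().lower(), v.strip()) for k, _, v in pairs]
    # The version tag must come first and its value must be exactly "DMARC1".
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for key, value in pairs:
        tags.setdefault(key, value)  # keep the first occurrence of a tag
    return tags

def policy_stage(txt_records):
    """Classify the TXT records found at _dmarc.<domain> into a survey bucket."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    # No record, or more than one: receivers apply no DMARC policy.
    if len(records) != 1:
        return "no policy"
    tags = records[0]
    p = tags.get("p", "").lower()
    if p in ("none", "quarantine", "reject"):
        return p
    # RFC 7489 section 6.6.3: a missing or invalid p with a usable rua
    # is treated as p=none (simplified here to a mailto: prefix check).
    return "none" if tags.get("rua", "").lower().startswith("mailto:") else "no policy"

# Constructed sample data: what a DNS lookup of _dmarc.<domain> might return.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=spf1 -all"],                             # not a DMARC record
    "e.example": [],                                          # nothing published
    "f.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicate records
    "g.example": ["v=DMARC1; rua=mailto:dmarc@g.example"],    # p tag missing
}

def tally(domains):
    """Count how many domains fall into each policy stage."""
    return Counter(policy_stage(records) for records in domains.values())

if __name__ == "__main__":
    for stage, count in tally(SAMPLE).most_common():
        print(f"{stage:12} {count}")
```
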
If you need assistance with DMARC monitoring, deployment, or compliance, register for a free trial with us, and we’ll help you along the way.