DMARC Adoption among Australia’s Top 100 Companies – Revisited


In 2022, after launching our Australia data center and business unit, we took a look at DMARC adoption rates among Australia’s Top 100 Companies based on their revenue and primary domains. Two years later, we’re checking in on how those companies have advanced their DMARC policies and also analyzing a fresh list of Australia’s Top 100 Companies.

Australia’s Top 100 – DMARC adoption then and now

Australia DMARC adoption comparison

Following is the DMARC adoption and policy rate comparison for Australia’s top 100 companies, measured in percentage increase or decrease, from May 2022 to August 2024:

  • 104% increase in p=reject policies
  • 90% decrease in companies that had no DMARC record
  • 32% decrease in p=none policies
  • 23% increase in p=quarantine policies

Bravo Australia! These companies have made significant strides in adopting DMARC and advancing policy levels, especially with the over 100% increase in p=reject—the ultimate level of DMARC enforcement to stop domain abuse.

Another big change worth calling out is the 90% decrease in companies that lacked a DMARC record, with 98% of them now having a record. There’s no doubt that Google and Yahoo’s new sender requirements, which went into effect in February 2024, had a hand in encouraging organizations to establish DMARC records. In the future, Microsoft will be instituting DMARC sender requirements; we’ll let you know the details as soon as we hear about them.

The Australian Cyber Security Centre (ASD) has long been a DMARC advocate and has developed a few DMARC guidance documents, including How to Combat Fake Emails, to help organizations protect their domains from being used by criminals to send fraudulent emails. Additionally, the ASD has required federal government branches to implement DMARC as part of its cybersecurity strategy, leading to increased adoption in the government sector.


We’ve been keeping track of organizations that require DMARC or offer DMARC guidance.


Australia’s New Top 100 Companies

Because it’s been a while since we pulled the top 100 list for Australia, we gathered a new list, again based on revenue and primary domains.

August 2024 Australia top 100 companies DMARC adoption

Here’s what we discovered:

  • 48% had a DMARC record with a p=reject policy
  • 32% had a DMARC record with a p=none policy
  • 16% had a DMARC record with a p=quarantine policy
  • 4% had no DMARC record

Overall, 96% of these companies had a DMARC record, though 32% of the whole were at a p=none DMARC policy. The first policy typically applied in a DMARC project, p=none is a means of “turning on the light” to see how your domain is being used without impacting how your email is treated by email receivers like Google and Yahoo. It’s important to keep in mind that the p=none policy provides no protection but offers you the same visibility as the other, more restrictive DMARC policies of p=quarantine and p=reject.


Almost half of 2024’s top 100 Australian companies were at a p=reject policy to protect their customers, employees, vendors and brand integrity from the potential damage and losses from domain spoofing. Sixteen percent of the companies had an enforcement policy of p=quarantine, which sends DMARC-failing email to the spam folder.

“In 2024 DMARC has evolved from a best practice, to a requirement for many. This will only continue to progress with expected announcements from other major email providers. I find that DMARC remains a very new concept for many people I talk to in Australia; thankfully, dmarcian’s easy-to-read knowledge base articles and initiatives, such as DMARC Academy, are helping Australians get up to speed,” says Anastasios Kalfoglou, Director of dmarcian’s APAC Business Unit.

“While the visibility DMARC provides stands out on its own, its true value comes from its effectiveness as a security control,” Anastasios continues. “Having said that, still almost half of the companies surveyed in 2022 are yet to have this control in place at p=reject enforcement. A gap I find when talking to people is that they are not implementing DMARC across their entire domain catalogue. This is also evident in the surveys we performed of Australia’s top 100 businesses. While you may not be using a secondary domain to send email, without DMARC, it does not stop a threat actor from taking advantage of your brand and sending malicious emails on your behalf.”
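The four survey categories and the domain-catalogue gap described above can be checked across a list of domains with a small classifier. This is an added example, not dmarcian's survey code; the domain names and TXT strings are constructed, and counting a missing or invalid p= tag as "no record" is a simplifying assumption.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not one."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the record must begin with v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a survey category."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    # Zero or several DMARC records both end policy discovery (RFC 7489 6.6.3).
    if len(records) != 1:
        return "no record"
    policy = records[0].get("p", "").lower()
    # Assumption: a missing or unknown p= is counted as no usable record.
    return policy if policy in ENFORCING | {"none"} else "no record"

def survey(catalogue):
    """Tally categories and list domains that receive no DMARC protection."""
    result = {d: classify(txts) for d, txts in catalogue.items()}
    exposed = sorted(d for d, c in result.items() if c not in ENFORCING)
    return Counter(result.values()), exposed

# Constructed sample: TXT answers for _dmarc.<domain>, not real survey data.
CATALOGUE = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=DMARC1; p=quarantine; pct=100"],
    "example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    "parked.example": [],                      # non-sending domain, nothing published
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "misplaced.example": ["v=spf1 -all"],      # SPF text, not a DMARC record
}

if __name__ == "__main__":
    counts, exposed = survey(CATALOGUE)
    print(dict(counts))
    print("no enforcement:", exposed)
```

The `exposed` list is the part that matters for a domain catalogue: it includes the p=none domain as well as the secondary domains that never send mail and so never had a record published.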

We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.

