We recently incorporated in Canada and established an instance of our platform to continue to help Canada-based organizations deploy DMARC and comply with the country’s data sovereignty regulations. We thought we’d take a look at DMARC adoption among the top 100 Canadian companies by market capitalization; at the time of publishing this research, this is what we discovered:
- 45% had a DMARC record with a p=none policy
- 35% had no DMARC record
- 13% had a DMARC record with a p=reject policy
- 7% had a DMARC record with a p=quarantine policy
First, the good news: 65% of Canada’s top 100 companies have a DMARC record on their top-level domain. Relative to other recent research we’ve published, this group sits between the Fortune 100 DMARC adoption rate of 77% and the top 100 global banks rate of 62%.
Of the 65% of Canada’s top companies with a DMARC record, only 20% of the top 100 had a DMARC policy at an enforcement level (p=quarantine or p=reject). This 20% recognizes the power of DMARC as a domain management control that allows an organization to keep an eye on its email flows and restrict use of its domain to only legitimate senders.
The other 80% had either no DMARC record (35%) or a DMARC policy at p=none (45%), which is the initial monitoring policy during DMARC deployment. That’s the not-so-good news because these companies’ domains are not secured from email spoofing and the resulting losses.
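The four buckets used above can be reproduced for any domain catalog. The following is an added example, not dmarcian's code or survey method. It applies the RFC 7489 policy discovery rules to TXT strings already fetched from `_dmarc.<domain>`; the function names and the `SAMPLE` data are constructed for illustration.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Map the TXT strings at _dmarc.<domain> to one of the survey's four buckets."""
    # Only strings whose first tag is v=DMARC1 count; SPF or verification strings are discarded.
    dmarc = [tags for tags in map(parse_tags, txt_records)
             if tags and tags[0] == ("v", "DMARC1")]
    # RFC 7489 section 6.6.3: zero or multiple DMARC records means no policy is discovered.
    if len(dmarc) != 1:
        return "no record"
    tags = dict(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in VALID_POLICIES:
        return "p=" + policy
    # Missing or invalid p: receivers fall back to p=none only when a rua address is present
    # (simplified here to "the rua value contains mailto:").
    return "p=none" if "mailto:" in tags.get("rua", "").lower() else "no record"

def survey(catalog):
    """Tally buckets over {domain: [TXT strings]}; return (counts, enforcement share)."""
    counts = Counter(classify(records) for records in catalog.values())
    enforced = counts["p=reject"] + counts["p=quarantine"]
    return counts, (enforced / len(catalog) if catalog else 0.0)

# Constructed sample data: reserved example names, not real lookups.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:d@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:d@b.example"],
    "c.example": [],                                              # nothing published
    "d.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=none"],  # two records: ignored
    "e.example": ["v=spf1 -all", "v=DMARC1;p=Quarantine"],        # stray SPF string
    "f.example": ["v=DMARC1; p=rejct; rua=mailto:d@f.example"],   # typo in p
}

if __name__ == "__main__":
    counts, share = survey(SAMPLE)
    print(dict(counts), f"enforcement: {share:.0%}")
```

Domains d.example and f.example show why a record that appears to request enforcement can still land in the unprotected 80%: duplicate records are ignored entirely, and a mistyped policy degrades to monitoring.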
In looking deeper into domains that lack a DMARC record or that have a DMARC record with a p=none policy, we discovered at the time of publishing this article that Scotiabank had 154 phishing webpages detected and CIBC had 26. You can see below that these phishing webpages were created by bad actors to look exactly like an actual bank login page and were used as the call-to-action in a phishing email to deceive customers into providing account credentials and Personally Identifiable Information.
These phishing pages are examples of how organizations using a p=none policy or no DMARC record at all are at risk of being heavily targeted with phishing campaigns.
Recognizing that email abuse is the main cause of network intrusion, the Canadian Centre for Cyber Security issued its Implementation Guidance: Email Domain Protection, which recommends deploying security measures like DMARC to protect domains by:
- Preventing the delivery of malicious messages impersonating your domain;
- Disrupting the infrastructure used to send these malicious messages;
- Deterring threat actors from attempting to spoof these protected domains in the future;
- Improving the security of email recipients; and
- Protecting the reputation of organizations whose brands are the target of spoofing.
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul. Get in touch with us or give our DMARC Management Platform a complimentary test run. Our onboarding and support team will help you along the way.