Executive Summary

Email fraud is the leading weapon with which hackers infiltrate networks. It’s not just a social engineering problem: There are technical controls, known as email authentication, that can help mitigate the email fraud threat, but only a tiny percentage of domain owners are taking advantage of them.

ValiMail’s analysis of the most popular 1 million global domains shows that most domain owners have not attempted to implement fraud protection through the latest and most complete form of protection, DMARC. Of those that have attempted DMARC, only 23 percent are actually achieving protection from fraud.

ValiMail attributes these shortfalls in adoption to the difficulty that domain owners have in fully implementing and maintaining DMARC and its underlying standards (SPF, DKIM), particularly in complex environments where companies use many different cloud-based email services (often without the full knowledge of IT staff).

ValiMail’s 21-page report is the most comprehensive survey of the state of email authentication to date, with exclusive data on the vulnerability to email fraud of the most popular 1 million domains. Plus: Drill-downs into the vulnerability of key sectors, including the NYSE, NASDAQ, Fortune 500, banks, health care, technology, and Crunchbase unicorns.

Key Findings

  • One in five messages sent today is suspicious (i.e., it appears to come from a domain that has not authorized the sender).
  • 0.5% of the top million domains are protected from impersonation by email authentication.
  • 77% of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy.
  • 76% of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if such policies exist.
  • Implementing email authentication would save the average company $8.1 million per year in cybercrime costs — $16.2 billion annually across the Fortune 2000.