Only half of the Fortune 500 use DMARC for email security

When Homeland Security told all federal government departments last year to roll out a new email security policy to cut down on incoming spam and phishing emails, three-quarters of all federal domains were compliant by the time of their deadline just a few weeks ago.

That’s far more than what the Fortune 500 accomplished in the same period.

New data from Agari shows that just half of the Fortune 500 have deployed DMARC — or domain-based message authentication, reporting, and conformance policy. Email systems use DMARC policies to verify the identity of an email sender, ensuring that it’s not impersonating another domain. Depending on the DMARC settings, an email system can either monitor, quarantine or entirely reject spoofed emails, helping to cut down on the number of phishing emails that land in your corporate inbox.

The data shows 51 percent of the Fortune 500 — the world’s wealthiest companies — are now using DMARC. That’s an improvement from about one-third a year ago, but it still trails behind the federal government’s DMARC adoption.

But only 13 percent of those companies are employing a quarantine or reject policy — which actively intercepts spoofed emails and marks them as spam or bounces them from a user’s inbox altogether.
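The monitor, quarantine and reject settings described above are published as the `p=` tag of a TXT record at `_dmarc.<domain>`. The following Python is an added example, not code from the article or from Agari: it classifies a domain's posture from TXT strings that have already been looked up, using RFC 7489's version-tag and single-record rules. The function names and all sample records are constructed for illustration.

```python
# Added example: classify DMARC posture from TXT strings found at _dmarc.<domain>.
POSTURES = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; pct=50' into an ordered tag dictionary."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Keep the first occurrence of a tag; names are case-insensitive.
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def classify(txt_records):
    """Return (posture, pct); pct is None when no usable policy exists."""
    parsed = [parse_tags(r) for r in txt_records]
    # A DMARC record must begin with the version tag v=DMARC1;
    # any other TXT data at the same name is ignored.
    dmarc = [t for t in parsed if next(iter(t.items()), None) == ("v", "DMARC1")]
    if not dmarc:
        return ("no record", None)
    if len(dmarc) > 1:
        # Receivers do not apply DMARC when several records are published.
        return ("invalid", None)
    tags = dmarc[0]
    posture = POSTURES.get(tags.get("p", "").lower())
    if posture is None:
        return ("invalid", None)  # p= missing or not a known policy
    pct = tags.get("pct", "")
    # Simplification: an unparsable pct falls back to the default of 100.
    pct = int(pct) if pct.isdecimal() and int(pct) <= 100 else 100
    return (posture, pct)


def enforces(txt_records):
    """True only for quarantine/reject applied to all failing mail."""
    posture, pct = classify(txt_records)
    return posture in ("quarantine", "reject") and pct == 100


if __name__ == "__main__":
    samples = {  # constructed records, not real lookups
        "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:agg@monitor-only.example"],
        "partial.example": ["v=DMARC1; p=reject; pct=25"],
        "strict.example": ["v=DMARC1; p=reject"],
        "missing.example": [],
    }
    for domain, records in samples.items():
        print(domain, classify(records), "enforcing" if enforces(records) else "not enforcing")
```

A domain that reports `monitor`, or an enforcement policy with `pct` below 100, still lets some or all spoofed mail through, which is the gap between the 51 percent and 13 percent figures.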

According to Agari’s breakdown: Aetna, American Express, Bank of America, Capital One, Facebook, FedEx, Microsoft, Netflix, PayPal, UPS and Wells Fargo ranked among the companies with the strongest DMARC policy.

Boeing, CBS, Discovery, Exxon Mobil, Frontier, JetBlue, NetApp, Time Warner Cable (Spectrum), Prudential, Viacom and Xerox are among the worst performers, with no DMARC record whatsoever.

Agari, which has a commercial stake in the email security business, said that having a well-configured DMARC policy “cannot be overstated.”

Scammers often use spoofed emails to try to trick companies into sending back sensitive taxpayer information or other corporate secrets. Known as the “W-2 phishing scam,” legitimate-looking emails try to obtain W-2 tax forms of employees so that the scammers can file fraudulent forms during tax season in order to obtain hefty refunds. The FBI says these scams cost businesses $12 billion a year.

But DMARC is meant to weed out the bulk of those spoofed emails. According to Agari, one of its customers — a global e-commerce firm — was getting millions of impersonated emails per day, spoofing the company’s “from” domain to make it look like the real deal. After the company implemented its new DMARC policy to reject spoofed emails, the number went down by 99 percent.

“The damage from these attacks has ballooned into billions of dollars annually—however the real cost is the erosion of trust in digital business,” said Agari’s Armen Najarian.