The rise of DMARC: Why compulsory email authentication is growing

Over the last few years, cybercrime has grown exponentially and phishing has been the most popular method of attack, with an estimated 3.4 billion spam emails being sent daily. This has led to an increased need for email authentication to prevent domain spoofing, resulting in the adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) to mitigate this and other email-based threats. But when was DMARC first created and why has adoption risen in recent years?

DMARC is a global email authentication standard that interrogates and verifies the source of an email and ensures that every email received from a domain is the real thing. It allows organizations to see when cybercriminals are using their domain without authorization, while also helping to ensure that legitimate emails make it to the intended recipient’s inbox.

The work to establish DMARC as a global standard was started in 2011 by a group of high-profile organizations, including Google, Facebook, Yahoo! Mail, and PayPal to name a few. A draft DMARC specification was published in January 2012 and by March 2013 it was being circulated publicly.

This means that for over a decade, organizations and regulatory bodies have recognized a need for this global best practice, but it’s only in recent years that adoption has truly taken off. That’s because phishing attacks have grown by 150 percent per year since 2019 and in the last few years, the number of brand names that have been spoofed in phishing attacks has almost doubled.

By spoofing a trusted brand’s email domain, cybercriminals can create sophisticated emails that trick victims into installing malware or handing over sensitive information or money. This makes it unsurprising that organizations are increasingly looking to authenticate emails with DMARC to safeguard their brands against impersonation.

Encouragingly, the predicted Compound Annual Growth Rate (CAGR) of DMARC is 37.53% in the next five years and by 2028, the global market size is expected to reach $1.72 billion, up from only $254.56 million in 2022.

This is likely because organizations, regulatory bodies, and governments are now either strongly recommending the adoption of DMARC or making it mandatory, which will almost certainly contribute to a boost in the implementation of the protocol.

1. Google and Yahoo’s bulk sender requirements

From February 2024, Google and Yahoo began to monitor bulk email senders, ahead of their June deadline for organizations to implement DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and DMARC, if they send over 5 000 emails at once or within a 24 hour period, to Gmail or Yahoo addresses.

With some senders already seeing temporary errors for unauthenticated email, organizations need to prioritize having properly configured DMARC records. This will not only prevent cybercriminals from spoofing their domains and launching phishing attacks on customers, partners, employees, or any other stakeholders, but will also help ensure that legitimate emails are always delivered.

In 2022, almost 49% of emails worldwide didn’t make it to the inbox, and in 2023 that number is still shockingly high at almost 46%. Many of these are legitimate emails sent from a company’s domain, but because the organizations don’t have a DMARC policy in place, authentic emails are often marked as spam and never reach the intended recipient’s inbox. Now, Google and Yahoo have upped the ante, with sender rules aimed at preventing spam and ensuring user safety ​by​ mandating having a DMARC record​​​​.

So, no matter what email platform an organization uses, it needs to take the required steps to ensure uninterrupted delivery to Gmail and Yahoo users. Microsoft has also started issuing alerts in customer dashboards, warning users that they need to ensure authentication records are set or they will run into deliverability issues when emailing third-party accounts.

Although it’s true that Microsoft “​​does DMARC”, its two primary roles are to send reports and enforce DMARC, which isn’t sufficient for a domain owner to achieve DMARC compliance. Users who don’t yet have the right authentication in place should look to seamlessly integrate a ​comprehensive ​DMARC solution into their Microsoft 365 environment​ ​​to ensure full compliance​.

By spoofing a trusted brand’s email domain, cybercriminals can create sophisticated emails that trick victims into installing malware or handing over sensitive information or money. This makes it unsurprising that organizations are increasingly looking to authenticate emails with DMARC to safeguard their brands against impersonation.

2. Anti-phishing required and DMARC strongly recommended by PCI DSS v4.0

Version 4.0 section 5.4 of the Payment Card Industry Data Security Standard (PCI DSS), has made implementing anti-phishing mechanisms a requirement for any business that stores cardholder information and processes credit card payments. In its implementation guidance, the PCI Security Standards Council recommends anti-spoofing controls such as DMARC, to stop phishers from spoofing your domain. Organizations have until March 2025 to implement processes and mechanisms to detect and protect against phishing, or they could face fines and potentially even lose their right to process payments.

3. Governments across the world have made DMARC mandatory

Many countries have made DMARC compulsory for government departments. The UK led the charge in 2016 and other countries have followed suit in recent years, with Canada and Denmark being the latest to make having a DMARC policy mandatory. These governments have implemented these measures to safeguard citizens from phishing emails and false information and ultimately maintain the trust of the public.

All this has shone a spotlight on DMARC implementation as the simplest and most effective way to protect senders and recipients against domain spoofing. We expect to see the number of regulatory bodies and organizations making email authentication mandatory continue to expand.

The above mandates are necessary to safeguard your organization’s email environment from the reaches of cybercrooks, uphold client and stakeholder trust, as well as prevent customer and financial losses.

Embracing DMARC needs to be an organization-wide effort, as not having the correct email authentication standards in place impacts your ability to continue doing business. All departments need to have a firm understanding of how DMARC – or a lack thereof – affects their work:

1. Impersonation impacts customer trust and results in business reputation damage. This leads to customer losses, which directly impacts your bottom line.
2. Marketing, finance, and other departments often use third-party solutions to send out communications, so they need to work closely with their IT or security teams to help them understand which service providers are sending out legitimate emails using their company’s domain.

If an organization doesn’t have the right email authentication protocols in place as per Google and Yahoo’s new requirements, legitimate emails coming from service providers will be rejected or land in Spam folders, meaning important information may not be delivered to key stakeholders. And to add fuel to the fire, Google and Yahoo both count spoofed emails towards the cap of 5 000 emails allowed to be sent to their users in a day.

A comprehensive DMARC solution is essential to help​ing​ prevent fraudulent email activity or deliverability disruption as well as complying with the rules highlighted in this article. Sendmarc is a leading email security expert that provides seamless DMARC integration and threat detection that won’t disrupt your business’s email flow​​​​. We also offer detailed reports of who is doing what in your email environment. Being able to deliver these reports helps with compliance audits, as you’re able to prove you had full visibility into any changes made and that you had the right measures in place to prevent your domain from being spoofed.

Think your domain might be vulnerable? Test its risk here or contact us to see how we can ensure only real emails are delivered from your domain and in turn, help your business comply with new mandates.