Just 1% of Dot-Org Domains Are Fully DMARC Protected

Only 1.2% of nearly 10 million .org domains in circulation have fully implemented DMARC to mitigate the risk of phishing, a security vendor has claimed.

EasyDMARC reviewed over 9.9 million verified .org email domains and found that just 376,497 (3.8%) had implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) security standard.

DMARC helps to prevent phishing by automatically flagging and blocking any incoming emails thought to be spoofed.

Yet for it to be effective, organizations must set their systems to a “reject” policy which means any suspect emails are automatically blocked before they hit the recipient’s inbox. A “quarantine” policy will allow the messages through, but ensure they are directed to the spam folder, while “p=none” will let suspect emails straight through.

Read more on DMARC: Lockdown Hotel Bookings at Risk Due to DMARC Fail.

Unfortunately, of the small 3.8% of global .org domains with DMARC deployed, 171,486 (45.6%) had been incorrectly configured so that the organization lacked visibility into received or blocked emails, according to EasyDMARC.

Additionally, of those with DMARC, over half (58%) had no policy (p=none), while 15% had selected a quarantine option.

The top 100 .org domains by traffic fared a little better: three-quarters had DMARC and around a quarter (27%) of these had set their policy to p=reject.

With .org largely used by non-profits, the findings are a concern for the sector, argued EasyDMARC CEO, Gerasim Hovhannisyan.

“With phishing and ransomware attacks rising dramatically, a widespread lack of domain authentication leaves the non-profit sector incredibly vulnerable to cyber-criminals,” he added. “Without taking steps to rectify this, many charitable and philanthropic organizations are at risk of significant disruption and financial losses.”