Discussed since 2012 and formalized in 2015 (if you like, feel free to read RFC 7489, the latest Marc Levy to take to the beaches of Hossegor), DMARC is hardly a subject that draws the crowds. Although the use of DMARC has progressed since 2015, its adoption still leaves something to be desired. So we took an interest in the 40 biggest French companies to check what precautions they take to secure their email flows.
Securing email flows
The main objective of DMARC is to secure email flows in order to avoid various forms of identity theft.
DMARC allows several things:
- Understand when a "legitimate" email flow fails authentication (we have an article dedicated to email authentication if you want to know more about the subject)
- Detect non-legitimate email flows that attempt to impersonate you (or at least your domain name)
- Impose a policy (the DMARC policy) on receiving email operators for handling emails that fail authentication.
In recent years, and even more so in 2020, investing in DMARC has become absolutely essential. On the one hand, spoofing attempts (even outside the financial sector) continue to increase. On the other hand, more and more messaging operators are using DMARC in their reputation mix.
To illustrate this last point, it is interesting to make the parallel with HTTPS. Today, if your website is not properly secured with HTTPS, you risk losing points in your SEO strategy, and therefore being demoted, in Google for example.
This carrot (or stick, depending on your point of view) has clearly moved the lines, since from 30% of sites using HTTPS in 2015, we have gone to about 80% in 2020.
With the future adoption of BIMI by Gmail (after Yahoo!), it is likely that DMARC adoption will increase quite rapidly in 2020 and even more so in 2021.
What figures do we have on DMARC usage worldwide?
Before moving on to our own figures and the use of DMARC within CAC40 companies, let's look at what figures we have at the global level.
There are some studies, but we will limit ourselves to two of them, the first one published directly on DMARC.org and the second on Mxtoolbox.
In both cases, the data collected stops at the end of 2019, so there may have been some changes since then. The idea is mainly to have a point of comparison before analyzing the CAC40 figures.
MXtoolbox's study is based on the companies in the ranking Fortune 500 and on the top 1000 websites in terms of traffic as ranked by Alexa.
On this first graph, we can see that 40 to 50% of the analyzed companies have no DMARC record at all and are therefore able neither to detect authentication problems nor to impose a DMARC policy.
However, there is a big difference between the two populations regarding DMARC policy. Among Fortune 500 companies, only 17% have a "reject" or "quarantine" policy, compared with 28% in the Alexa top 1000.
The DMARC.org data is based on just over 1.8 million DMARC records (unfortunately we do not have an explanation of the methodology for selecting these domains).
Note that in the graph below, only domains with a DMARC record are analyzed, so a conversion is required to compare the data with those of Mxtoolbox. We see here that 28% of DMARC records have a "quarantine" or "reject" policy in 2019, much less than in the Mxtoolbox figures. This is probably due to the much larger volume of data analyzed.
One would think that technology companies (which are much better represented in the Alexa Top 1000 figures) would be better at securing their email flows.
What is the adoption of DMARC in CAC40 companies?
Methodological note: We analyzed the domains used by CAC40 companies in their internal email communications (domains of employees' email addresses), so some domains used for marketing purposes are not represented. For each domain, we collected: the DMARC record, the rejection policy, the subdomain rejection policy, the DMARC monitoring solution used, the domain alignment policy, the SPF record.
Presence of a DMARC record
Of the 40 domains analyzed, 65% have a DMARC record and 35% do not. Among the companies that do not publish any DMARC record, we can notice sensitive sectors such as finance (Crédit Agricole with the domain credit-agricole-sa.fr) or defense (Safran with the domain safran.fr).
Only 24% of the companies publishing a DMARC record actively protect their domains. If we extend this figure to all CAC40 companies (including those not publishing a DMARC record), that's just 15%. These figures are lower than those of the international studies published by DMARC.org and MXtoolbox.
Which DMARC monitoring solutions?
Unsurprisingly, 31% of the DMARC report collection addresses point to internal addresses ("Unknown" category in the graph), which does not allow us to identify the DMARC monitoring solution used. Moreover, it is very likely that in some cases these reports are not even monitored properly, and that others are redirected to commercial solutions.
Not surprisingly, Proofpoint is identified as the main DMARC monitoring solution used by CAC40 companies. We had already seen in a previous study that Proofpoint is the solution most widely used by leading French companies in their fight against spam.
As a reminder, DMARC monitoring allows you to receive reports from certain messaging services about the DMARC compliance level of emails sent from a given domain, and thus to verify the authentication level and the alignment of domains, to detect misconfigured legitimate flows, and to detect non-legitimate flows.
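To make the criteria of the methodological note concrete (presence of a DMARC record, policy, subdomain policy, report destination, alignment, SPF), here is an added example that classifies a domain the way the study does. It is illustrative code written for this article, not Badsender's tooling; the DNS records are constructed samples and the domain names are placeholders.

```python
# Constructed sample TXT records (placeholders, not real CAC40 data).
SAMPLE_TXT = {
    "_dmarc.example-a.fr": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-a.fr",
    "example-a.fr": "v=spf1 include:_spf.example-a.fr -all",
    "_dmarc.example-b.fr": "v=DMARC1; p=none; rua=mailto:abc123@dmarc.vendor.example!10m",
    "example-b.fr": "v=spf1 include:spf.mail.example ~all",
    "example-c.fr": "v=spf1 +all",           # no _dmarc record at all
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs; None if not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(domain, txt_lookup):
    """Classify one domain along the axes used in the study."""
    rec = txt_lookup.get("_dmarc." + domain)
    tags = parse_dmarc(rec) if rec else None
    spf = txt_lookup.get(domain, "").strip()
    out = {"domain": domain, "has_dmarc": tags is not None, "policy": None,
           "subdomain_policy": None, "active": False, "alignment": None,
           "monitoring": None, "spf_strict": spf.endswith("-all")}
    if tags:
        policy = tags.get("p", "none").lower()
        out["policy"] = policy
        out["subdomain_policy"] = tags.get("sp", policy).lower()   # sp defaults to p
        out["active"] = policy in ("quarantine", "reject")        # "actively protected"
        out["alignment"] = (tags.get("adkim", "r"), tags.get("aspf", "r"))
        # rua is a comma-separated list of mailto: URIs, optionally with a !size suffix.
        dests = [u.split("@", 1)[1].split("!")[0]
                 for u in tags.get("rua", "").split(",") if "@" in u]
        if not dests:
            out["monitoring"] = "none"
        elif all(d == domain or d.endswith("." + domain) for d in dests):
            out["monitoring"] = "internal"      # the study's "Unknown" bucket
        else:
            out["monitoring"] = "external"      # a third-party monitoring solution
    return out

def summarize(assessments):
    """The three headline ratios of the study: DMARC presence, active share, overall share."""
    n = len(assessments)
    published = [a for a in assessments if a["has_dmarc"]]
    active = [a for a in published if a["active"]]
    return {"dmarc_share": len(published) / n,
            "active_among_publishers": len(active) / len(published) if published else 0.0,
            "active_overall": len(active) / n}
```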
The good ones... and the less good ones
5 companies stand out positively with DMARC policies set to reject or quarantine:
- HERMES INTERNATIONAL
- SCHNEIDER ELECTRIC
- VEOLIA ENVIRONMENT
We even notice that the first 3, in addition to having a DMARC policy set to reject, also have strict SPF policies. On the other hand, it is surprising to note that the riskiest sectors (defense, technology, finance, ...) are not represented at all in this top 5.
4 companies are clearly problematic in their email security:
- CREDIT AGRICOLE
In all 4 cases, there is no DMARC record on these companies' domains AND their SPF records are a problem.
With only 15% of CAC40 companies actively protected by DMARC, we can see that there is still a lot of work to be done: on the one hand, to evangelize IT departments about the importance of securing email flows; on the other hand, and just as importantly, technical work to actively monitor DMARC reports and to switch to quarantine and reject policies.
Badsender accompanies you in your DMARC deployment
DMARC deployment is not to be done "lightly". It is more than just adding a new DNS record. Badsender accompanies its customers in securing their email flows via DMARC:
- Implementation of a DMARC monitoring solution: configuration of domain names, creation of filters and dashboards in the monitoring tool, creation of automated alerts, etc.
- Email flow audit: verification of authentication for the different flows, validation of domain name alignment, detection of illegitimate flows, ...
- Bringing the different email sources into compliance: upskilling of teams, validation of the changes made, ...
- Progressive transition to p=reject: once an acceptable level of compliance is reached, gradual transition to a reject policy.
- Configuration of BIMI
Badsender's philosophy is to bring you the tools, but above all the skills, so that your teams can become autonomous on the subject of DMARC. After the active phase of DMARC deployment, we remain available as dedicated support if needed.