How will CAC40 companies be using DMARC in 2023? After an initial article by JLO – adoption of DMARC by CAC40 companies - in July 2020 and a first update in December 2021, I'm sharing a new update with you in August 2023! I can already tell you that DMARC adoption has come a long way in 3 years! More in the article below...
A little reminder of the method of our analysis!
For this study - which began in 2020 - we analyzed the domains used by CAC40 companies in their internal e-mail communications (employee e-mail address domains or website domains). Domains used for marketing purposes are therefore not represented in this study.
For each area, we collected the following information:
- The DMARC record on the main ;
- The security policy for the main domain and subdomains ;
- The DMARC monitoring solution used ;
- Domain alignment policy.
This list of companies has evolved since the last update in December 2021! The following companies (EDENRED, ORANGE, PERNOD RICARD, PUBLICIS, RENAULT, SAFRAN) are currently in the 2023 ranking. No company has since left the CAC40.
| 2020 list (July) | List 2021 (December) | List 2023 (August) |
|---|---|---|
| ACCORHOTELS AIR LIQUIDE AIRBUS ARCELORMITTAL ATOS AXA BNP PARIBAS BOUYGUES CAPGEMINI CARREFOUR CREDIT AGRICOLE DANONE DASSAULT SYSTEMES ENGIE ESSILORLUXOTTICA HERMES KERING LEGRAND L'OREAL LVMH MICHELIN PSA GROUP SAINT-GOBAIN SANOFI SCHNEIDER ELECTRIC SOCIETE GENERALE SODEXO STMICROELECTRONICS TECHNIPFTM THALES TOTAL UNIBAIL-WFD VEOLIA ENVIRONMENT VINCI VIVENDI | AIR LIQUIDE AIRBUS ALSTOM ARCELORMITTAL AXA BNP PARIBAS BOUYGUES CAPGEMINI CARREFOUR CREDIT AGRICOLE DANONE DASSAULT SYSTEMES ENGIE ESSILORLUXOTTICA EUROFINS SCIENTIFICS HERMES KERING LEGRAND L'OREAL LVMH MICHELIN SAINT-GOBAIN SANOFI SCHNEIDER ELECTRIC SOCIETE GENERALE STELLANTIS NV STMICROELECTRONICS TELEPERFORMANCE THALES TOTAL UNIBAIL-WFD UNIVERSAL MUSIC GR VEOLIA ENVIRONMENT VINCI VIVENDI WORLDLINE | AIR LIQUIDE AIRBUS ALSTOM ARCELORMITTAL AXA BNP PARIBAS BOUYGUES CAPGEMINI CARREFOUR CREDIT AGRICOLE DANONE DASSAULT SYSTEMES EDENRED ENGIE ESSILORLUXOTTICA EUROFINS SCIENTIFICS HERMES KERING LEGRAND L'OREAL LVMH MICHELIN ORANGE PERNOD RICARD PUBLICIS RENAULT SAFRAN SAINT-GOBAIN SANOFI SCHNEIDER ELECTRIC SOCIETE GENERALE STELLANTIS NV STMICROELECTRONICS TELEPERFORMANCE THALES TOTAL UNIBAIL-WFD VEOLIA ENVIRONMENT VINCI WORLDLINE |
How will CAC40 companies adopt DMARC in 2023?
01. What is the use of DMARC among CAC40 companies?
Looking at the figures for 2020 and 2023, we can see that DMARC adoption has evolved considerably!
- Adoption up 25 points in 3 years ;
- 4 companies present in 2020 had still not deployed DMARC by August 2023.
We're approaching 100%! Out of 40 CAC40 companies, CARREFOUR (carrefour.com) ; LEGRAND (legrand.fr) ; SAFRAN (safran-group.com); SAINT-GOBAIN (saint-gobain.com) have yet to publish a DMARC registration on their main domain. Note that between 2021 and 2023, ORANGE (Telecommunications) has deployed DMARC on the orange.com domain!
02. What are the DMARC policies deployed ?
Among the 36 CAC40 companies that have deployed DMARC, the use of a restrictive security policy (REJECT or QUARANTINE) has grown considerably between 2020 and 2023:
- Adoption of a restrictive safety policy REJECT or QUARANTINE : + 37 points ;
- Adoption of safety policy REJECT 38 points.
Today, 61% of CAC40 companies have deployed a restrictive DMARC policy, whereas in 2020, only 24% had passed this milestone! On a positive note, the use of p=reject is no longer necessarily a taboo subject, since its use has risen from 12% in 2020 to 50% in 2023.
Using the DMARC security policy will enable you to define an action to be applied to an e-mail in the event of non-compliance. Even if today not all ISPs / Webmails / Companies interpret DMARC security policies, major ISPs (Gmail, Microsoft, Yahoo, La Poste, ...) do, and therefore protect you (and your users) from fraudulent use of your domain name! No mean feat ;)
03. What are the monitoring solutions useds ?
As in July 2020 and December 2021, 35% of DMARC feedback collection addresses point to internal addresses (category " INTERNAL "in the graph), which does not allow us to identify the DMARC monitoring solution used. What's more, it's highly likely that, in some cases, these feedbacks aren't even monitored properly, and that others are redirected to commercial solutions.
Need help?
Reading content isn't everything. The best way is to talk to us.
Another important point, PROOFPOINT is still the main DMARC monitoring tool in use, which is logical since their solution is still widely used by leading French companies in their fight against spam (as I've noticed on analyses of BtoB domain blockings).
A number of new solutions have joined the ranks, including DMARC ADVISOR or DMARC ANALYSER. Note that only 2 companies have not declared the RUA tag (and therefore do not track it): BOUYGUES and WORLDLINE.
Setting up DMARC will enable you to receive reports from numerous messaging services (ISPs, companies), giving you a precise view of the activity of your main domain and its sub-domains. These reports will enable you to check authentication levels (with SPF & DKIM) and their alignment. They will also enable you to detect legitimate e-mail flows that have been misconfigured (and thus correct them), and to detect non-legitimate e-mail flows (e.g. phishing).
MAJ of good and not so good students!
In 2023, there aren't really any big surprises! Here's a list of the best and worst performers:
- Super Good Student: TOTAL ' Total has implemented a DMARC policy at REJECT for its domain and subdomains with SPF and DKIM alignments at STRICT.
- Le Bon élève : ENGIE ' Engie has deployed a DMARC policy at REJECT for its domain and subdomains with DKIM alignment at STRICT.
- Les Mauvais élèves : BOUYGUES, WORLDLINE ' They have deployed a DMARC record with a policy of NONE on their domain, but they don't monitor flows!
- Super Bad Students: CARREFOUR, LEGRAND, SAFRAN and SAINT-GOBAIN ' None of these 4 companies has deployed DMARC registration!
I conclude...
After a year without an update, I admit I was expecting a few changes, but not to this extent... When I compare the figures from 2023 to 2020, I'm pleasantly surprised to see how far DMARC implementation has progressed (90% nonetheless). I've also noticed that many companies have taken the plunge and are now applying a REJECT policy (50%) to their domains (see sub-domains)... In short, a real awareness that reinforces the protection of domain names!
See you in August 2024 for a new MAJ and I hope this time to have more surprises 🙂
Badsender accompanies you in your DMARC deployment
The DMARC deployment is not to be done "lightly". It is more than just adding a new DNS record. Badsender accompanies its customers in securing their email flows via DMARC :
- Implementation of a DMARC monitoring solution configuration of domain names, creation of filters and dashboards in the monitoring tool, creation of automated alerts, etc.
- Email flow audit : authentication verification of the different flows, validation of the domain name alignment, detection of illegitimate flows, ...
- Compliance of the different email sources : teams' competence increase, validation of modifications made, ...
- Progressive transition to a policy=reject Once an acceptable level of compliance is reached, gradual transition to a rejection policy.
- Configuration of BIMI
The philosophy of Badsender is to bring you the tools, but especially the skills so that your teams can become autonomous on the subject of DMARC. After an active phase of DMARC deployment, we remain available if needed as dedicated support.
Feel free to share, like, comment... In short, make some noise !!!!!
The latest study conducted on the use of DMARC :
- 07/07/2020 : DMARC usage in CAC40 companies in July 2020
2 réponses
totalenergie.fr has been using DMARC.fr for the past 3 years, a solution that is gaining ground on the French market. It would be appropriate to mention it.
totalenergies.fr