On May 23 and 24, the following events took place at the Cély Campus the 9th edition of the biggest French event dedicated to e-mail marketing, I am of course talking about theEMDAY. 2 "All Inclusive" days (I love this term :p) dedicated to e-mail marketing with the best French experts!
I had the opportunity to participate as a speaker in 2 workshops dedicated to deliverability 🙂 I also took the opportunity to attend the DMARC / BIMI conference (which I wanted to host originally :p) of Jerome Gays from Postmastery (thanks for the beer by the way Jerome that I should taste in the next days :p) and Laura Villevieille from HCL Solutions.
By the way, at the end of the conference, I told myself that I was going to analyze the DMARC & BIMI usages of the companies present at the event to see the level of configuration/security deployed... And to compare the results to the last 2 studies I had published a few months ago!
Methodology of our DMARC / BIMI analysis
For this analysis, I took the list of companies registered at EMDAY and retrieved their organizational domain. This allowed me to gather the following information:
- The DMARC record (if present),
- The security policy used,
- The DMARC monitoring solution(s) used,
- The BIMI record (if present).
The purpose of this analysis is only to know the uses of DMARC / BIMI. I will not be naming / naming any companies. If you would like my opinion on deploying DMARC/BIMI for your company, contact me 🙂
Moreover, I remain available if some companies need advice in the deployment of DMARC & BIMI.
List of companies participating in the event
To list the participating companies, I relied primarily on the event's Swapcard app. As for the organizational domain names of each company, I went to their website to find an address in the legal notice/GCM, at least for those I didn't know.
I put here the list of companies and their field that have been analyzed: List of companies participating to the EMDAY 2022
Note: If I forgot you or if the domain name mentioned is incorrect, please tell me 🙂
What are the uses of DMARC?
Of the 75 domain names analyzed, 43 have a DMARC record ! This represents 57% domain names analyzed. Thus, more thanone out of two companies that participated in EMDAY has deployed DMARC on its organizational domain name. On the other hand, almost onlyone out of two companies does not monitor the activity of its organizational area and may be a victim of spam/phishing without knowing it!?!
By way of comparison :
- The rate of deployment of DMARC in thehe CAC 40 companies are at 71% in December 2021.
- The deployment rate of DMARC in the TOP 100 E-Commerce (2019) is 75% in April 2022.
Other interesting points, of the 43 DMARC records deployed:
- 2 records are in error and must absolutely be corrected (PM sent).
- 20 DMARC records could be optimized by deleting useless tags/values!
Note If a tag is not declared, it will take the default value so there is no need to add it.
What DMARC policies are deployed?
Of the 43 DMARC records deployed, 10 records have a security policy at REJECT (p=reject), 13 records have a security policy à QUARANTINE (p=quarantine) and 20 records have a security policy à NONE (p=none). These results are quite interesting, more than half of the companies having deployed a restrictive policy (REJECT or QUARANTINE) are eligible for BIMI.
Need help?
Reading content isn't everything. The best way is to talk to us.
By way of comparison :
- The deployment rate of the policy REJECT at CAC 40 companies is 31% in December 2021, compared to 24% for a policy QUARANTINE and 45% for a policy NONE.
- The deployment rate of a policy REJECT at the TOP 100 E-Commerce (2019) is 36% in April 2022, compared to 13% for a policy QUARANTINE and 51% for a policy NONE.
What monitoring solutions are used?
47% of the addresses declared in the RUA tags are internal to the company. I'll be curious to know if these reports are just stored in these addresses or if they are checked & studied, and how often... If you want to share your experience on this topic, I'm a taker 🙂
Other interesting points to remember:
- 6 companies did not report any RUA tags and therefore do not retrieve / monitor any DMARC reports.
- 9 different solutions are usedsome of them don't seem to be suitable for monitoring...
- Proofpoint represents here only 5% of the solutions used while they were widely used in CAC40 companies (31%) and the TOP 100 E-Commerce (14%).
What are the uses of BIMI?
For those who did not attend the conference of Jerome & Laura during the EMDAY, Brand Indicators for Message Identification (or BIMI for friends) allows you (under certain conditions) to display your company's logo in some webmails (especially Gmail). I won't tell you more for the moment, we plan to make a white paper during this summer about BIMI, we'll explain you everything in it 🙂
On the 23 companies eligible for BIMIonly 4 have a BIMI record ! There is even a 5th one but its DMARC record is not eligible for BIMI (yes, I know... we will update it in the very near future... Oops I didn't say anything).
Unfortunately, out of the 4 companies that have deployed DMARC, only one actually has a valid registration, the other 3 have a non-compliant logo. On the other hand, no one has declared a VMC brand certificate (cf. Verified Mark Certificates).
To conclude this article on the use of DMARC / BIMI among EMDAY participants...
The results are rather encouraging even if I think there is, in my opinion, an effort to be made (perhaps consequent for some) on the deployment of DMARC, its parameterization and the "internal" monitoring solutions that are used. Having DMARC is good, monitoring its flows is even better 🙂
The point I find super interesting among those who have deployed DMARC is the mass use of a restrictive policy (53% have a REJECT or QUARANTINE policy)... Bravo !
As for BIMI, I am not too surprised by the low percentage of deployment since this authentication remains little known by the common man!
Note A little thought for Marine (who will recognize herself) for the time she spent trying to deploy a VMC certificate for her domain!
I'll be doing the exercise again on the next EMDAY (the 10th!), hopefully this time I'll be pleasantly surprised at the results I find. Until then, add or update your DMARC/BIMI records 😉
Note : If you would like to have my opinion on your DMARC/BIMI registration, 3 ways to contact me : Poker me on LinkedIn, PM me on Swapcard or mail me 🙂
2 réponses
Hello,
just to readjust the results of the quoted companies, for the Caisse des Dépôts, even if we learned at the EMDay that it was not the top, we currently use subdomains of caissedesdepots.email, and not caissedesdepots.fr ...
Sincerely,
Charles.
Hello Charles,
Thank you for this readjustment. Indeed, the domain mentioned is different from the domain used for the web, it can be confusing. On the other hand, the domain caissedesdepots.email has no active authentication protocol (anyone can use it), which puts the security of the domain at risk. If this domain were to be blacklisted for some reason, the subdomains you use would also be impacted. Be careful with this. Don't hesitate to contact us to learn more 🙂
Kind regards,
Sebastien.