"Just 1% of Dot-Org Domains Are Fully DMARC Protected"

According to security researchers at EasyDMARC, only 1.2% of nearly 10 million .org domains in circulation have fully implemented DMARC to mitigate the risk of phishing. The researchers reviewed over 9.9 million verified .org email domains and found that just 376,497 (3.8%) had implemented the Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standard.

The researchers noted that DMARC helps to prevent phishing by automatically flagging and blocking any incoming emails thought to be spoofed. For it to be effective, organizations must set their systems to a “reject” policy, which means any suspect emails are automatically blocked before they hit the recipient’s inbox. A “quarantine” policy will allow the messages through but ensure they are directed to the spam folder, while “p=none” will let suspect emails straight through.

Unfortunately, the researchers noted that of the small 3.8% of global .org domains with DMARC deployed, 171,486 (45.6%) had been incorrectly configured, so the organization lacked visibility into received or blocked emails. Additionally, of those with DMARC, over half (58%) had no policy, while 15% had selected a quarantine option. The researchers stated that the top 100 .org domains by traffic fared a little better: three-quarters had DMARC, and around a quarter (27%) of these had set their policy to p=reject. With .org primarily used by non-profits, the findings are a concern for the sector.
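To make the policy levels described above concrete, the following added example (not code from EasyDMARC or Infosecurity) classifies DMARC TXT record strings by policy and flags records that publish no aggregate-report address. The function names, the level labels, the treatment of a missing `rua=` tag as "no visibility", and the sample records are assumptions constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level and reporting.
# All records and example.org names below are constructed placeholders.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag (matched leniently on case/spaces).
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (level, findings); txt is None when no record is published."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc", ["no valid DMARC record at _dmarc.<domain>"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unknown p= tag"]
    findings = []
    if "rua" not in tags:  # assumption: this is the 'lacked visibility' case
        findings.append("no rua= address: no aggregate reports, no visibility")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    level = {"reject": "enforced", "quarantine": "partial",
             "none": "monitor-only"}[policy]
    return level, findings

SAMPLES = {  # constructed sample data
    "reject.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example.org",
    "quarantine.example.org": "v=DMARC1; p=quarantine; pct=50",
    "none.example.org": "v=DMARC1; p=none",
    "spf-only.example.org": "v=spf1 -all",
    "missing.example.org": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        level, findings = assess(record)
        print(f"{domain:24} {level:13} {'; '.join(findings) or 'ok'}")
```

In practice the record string would come from a TXT lookup on `_dmarc.<domain>`; the lookup is left out so the example runs offline.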

 

Infosecurity reports: "Just 1% of Dot-Org Domains Are Fully DMARC Protected"

Submitted by Anonymous on