- Of nearly 10 million .org domains globally, only 1.2% have full phishing protection with DMARC
- Globally, only 3.8% of .org domains report using DMARC in the first place
- Among the top 100 US .org domains by traffic, only 20 have fully implemented DMARC
21 March 2023 – Only 1.2% of .org domains globally have implemented measures to prevent email phishing, spoofing, and ransomware attacks. This figure rises to only 20% among the top 100 US non-profits .org domains by traffic.
New research from email security provider EasyDMARC reviewed a dataset of 9,935,024 verified .org email domains. EasyDMARC found that only 376,497 (3.8%) domains had implemented the Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standard.
The DMARC standard enables the automatic flagging and removal of receiving emails that are impersonating senders’ domains, which is a crucial outbound phishing protection methodology. Despite the standard being over a decade old, this research indicates a widespread under-adoption of the standard among non-profits.
While there is a greater degree of DMARC adoption among the 100 most popular US non-profits by traffic, one in four still has not deployed the standard. Further, only 20% of the top 100 US .org domains have both deployed DMARC and implemented a ‘reject’ policy that automatically rejected emails impersonating a legitimate domain.
The research also signals a failure by the global non-profit sector to adequately configure DMARC when implemented. Among the small minority of the global .org domains tested that employ DMARC, 171,486 (45.6%) had incorrectly configured it. As a result, these organizations lacked visibility into any impersonating emails they received or blocked.
Globally among non-profit domains using DMARC, only 121,290 (32.2%) had implemented a ‘reject’ policy that automatically rejected emails impersonating a legitimate domain. Most domains employing DMARC had configured it to do nothing about impersonating emails, with 218,777 (58.1%) domains having no policy. 55,281 (14.7%) had configured DMARC to send impersonating emails into quarantine.
Gerasim Hovhannisyan, EasyDMARC CEO and co-founder says:
“Impersonating email domains is one of the main tools used in successful phishing, spoofing, and ransomware attacks. That’s why it’s so worrying to see our research indicate that only 1.2% of global non-profits have implemented domain authentication via DMARC, which remains the best way to curb this threat.
“With phishing and ransomware attacks rising dramatically, a widespread lack of domain authentication leaves the non-profit sector incredibly vulnerable to cyber-criminals. Without taking steps to rectify this, many charitable and philanthropic organizations are at risk of significant disruption and financial losses.”