The Research
New research has discovered that Indonesia has an extremely low phishing and spoofing protection rate. At the same time, cyberattacks in Indonesia are highly common.
Still, only 2,945 domains, less than 3% of the total sample of Indonesian domains, are fully protected, i.e., they flag, report, and remove outbound phishing emails.
The research, conducted by EasyDMARC, an email authentication platform, examined 98,212 Indonesian Country Code Top-Level Domain (ccTLD) domains to evaluate the adoption rate of DMARC in the country.
The analysis indicated that only 12,251 (12.47%) domain owners had implemented DMARC at some point, while the rest of the sample remained vulnerable to cyberattacks.
Not implementing DMARC at a country level can lead to increased cybercrime, fraud, and weakened national cybersecurity. It can damage a country’s reputation, have economic implications, and erode trust in digital services. Implementing DMARC is crucial for protecting citizens, businesses, and the overall digital ecosystem, fostering a secure environment and promoting trust in online communications.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps businesses protect their brand reputation, build trust with their clients, and keep their customers happy. It nudges businesses toward better domain protection and peace of mind. DMARC compliance prevents spoofing, phishing, ransomware, and business email compromise (BEC) attacks.
The Policy Distribution
EasyDMARC’s research showed that over half of the 12,251 domains with DMARC were still on the ‘none’ policy. The ‘p=none’ configuration does nothing to protect the domain; it only informs the administrators about phishing and spoofing attempts.
While implementing DMARC monitoring (p=none) provides visibility into email authentication failures, it does not guarantee complete protection. Having a policy of “none” without taking further action can lead to consequences such as increased vulnerability to email spoofing and phishing attacks, potential damage to brand reputation, higher risks of email deliverability issues, and missed opportunities to enhance email security through policy enforcement.
Of the domains with DMARC, about 2,575 had the ‘quarantine’ policy set (21.02%), while another 2,945 had the ‘reject’ policy (24.04%). The latter is the best way to ensure no phishing attack can get through to your customers’ inboxes and endanger your company name and client trust.
This Indonesian research was the first ever in EasyDMARC’s history of country domain analyses to have returned a result where the percentage of the domains with the ‘reject’ policy was lower than 3%. The high percentage of domains with ‘p=none’ shows some potential for DMARC adoption and improvement of cyberattack protection in Indonesia. However, this number is still bleak, considering the overall 12.47% of domains with DMARC.
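The policy categories used in this breakdown can be tallied directly from published DMARC records. The sketch below is an added example, not EasyDMARC's code or methodology: the function names and sample records are constructed, and it assumes the TXT strings at _dmarc.<domain> have already been fetched.

```python
from collections import Counter

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that have no '='
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    first = parts[0].replace(" ", "") if parts else ""
    if first != "v=DMARC1":
        return None
    return tags

def classify(txt_records):
    """Map the TXT answers for one domain to a policy category."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(found) != 1:
        return "no-dmarc"  # zero or several records: receivers apply no DMARC
    policy = found[0].get("p", "").lower()
    # Simplification: RFC 7489 falls back to p=none when p is bad but rua is valid.
    return policy if policy in POLICIES else "invalid"

def distribution(zone):
    """Count categories and give each policy's share of DMARC-enabled domains."""
    counts = Counter(classify(txts) for txts in zone.values())
    with_dmarc = sum(counts[p] for p in POLICIES)
    shares = {p: round(100 * counts[p] / with_dmarc, 2) if with_dmarc else 0.0
              for p in POLICIES}
    return counts, shares

# Constructed sample data (not from the study): domain -> TXT strings at _dmarc.<domain>
SAMPLE = {
    "alpha.example": ["v=DMARC1; p=none; rua=mailto:dmarc@alpha.example"],
    "bravo.example": ["v=DMARC1; p=quarantine; pct=100"],
    "charlie.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@charlie.example"],
    "delta.example": [],                                  # nothing published
    "echo.example": ["v=spf1 -all"],                      # SPF record, not DMARC
    "foxtrot.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicates
    "golf.example": ["v=DMARC1; p=NONE;"],                # policy value case varies
    "hotel.example": ["v=DMARC1; p=block"],               # unknown policy value
}

if __name__ == "__main__":
    counts, shares = distribution(SAMPLE)
    print(dict(counts), shares)
```

Only the "reject" bucket corresponds to the fully protected group; "none" domains publish a record but leave failing mail untouched.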
“While the need for cyber protection is universal, protecting country-specific top-level domains is even more important. A lack of domain authentication in these domains will result in hacks among governmental organizations and local businesses, exposing them to highly sensitive and potentially costly data breaches. Without DMARC adoption, local companies will continue to see an increase in cyber events and subsequent disruptions and losses.”
Gerasim Hovhannisyan | Co-Founder and CEO @ EasyDMARC