Date of analysis: 21/07/2021

DMARC Adoption in Australia: 2021 Report

Australian businesses lost $176.1 million to scams in 2020 alone, with 75% of these losses originating from phishing attacks, which are now being delivered through fake emails. As 2021 progresses, the amount of money lost to cybercrime is only rising. Researchers predict that the financial damage from email-based attacks in Australia will grow by 46% over the next two years. Hence, being prepared is no longer optional; it is imperative!

Why Should Australia Consider Improving its DMARC Adoption Rate?

Assessing the Threat Landscape

To give a brief overview of what we are dealing with here, according to the Australian Competition and Consumer Commission’s Scamwatch, in 2020 alone businesses in Australia lost a whopping $176.1 million to cyber scams. It might come as a surprise, but the most reported type of scam was phishing, with a steep rise in the frequency of attacks since 2019. While Australians reported 25,168 phishing attacks in 2019, the number of reported attacks rose to 44,084 in 2021 (up by 75%). According to various surveys conducted in the past year, the preferred delivery method for perpetrating these cyberattacks was email.

As of 2021, the huge rise in phishing schemes is a worrying trend that shows no signs of slowing. While any attack campaign can be used for any purpose, the low startup cost and high payout make it appealing to cybercriminals looking to make the most amount of money with the least amount of effort.

The above-mentioned statistics on the lack of email security in Australia raise some serious concerns:

  • What is the current situation of DMARC adoption and enforcement in organizations in Australia?

  • How can we improve the cybersecurity and email authentication infrastructure in Australia to mitigate impersonation attacks?

To gain better insight into the current scenario we analyzed 140 domains belonging to top businesses and organizations in Australia, from the following sectors:

  • Energy
  • Education
  • Telecom
  • Healthcare
  • Transport
  • Banking and Finance
  • Media & Entertainment

What Do the Numbers Say?

An in-depth SPF and DMARC adoption analysis was conducted while examining all 140 domains, which led to the following revelations:

Graphical Analysis: Among all 140 domains examined that belong to various organizations in Australia, 132 domains (78.6%) possessed SPF records, out of which 22 domains (15.7%) had SPF records with errors. Only 79 domains (54%) had DMARC records out of which 6 of the domains (4.28%) contained errors. 54 domains had their DMARC policy set at none (39%), enabling monitoring only, while 25 domains (18%) had their DMARC policy level set at enforcement (i.e. p=quarantine/reject).

Sector-wise Analysis of Australian Domains

Energy Sector

DMARC Adoption Analysis of Domains in the Energy Sector
SPF Adoption Analysis of Domains in the Energy Sector

Key Findings

  • 45% of the domains examined in the Energy Sector had no DMARC record 
  • 25% of the domains had invalid DMARC records
  • 30% of the domains had invalid SPF records

Comparative Analysis of SPF Adoption among Different Sectors in Australia

The SPF adoption rate was found to be the lowest among companies in the energy sector in Australia, closely followed by media and entertainment, and telecom organizations. Australian banks were recorded to have the highest SPF adoption rate with 95% valid SPF records.

Critical Errors Organizations in Australia are Making

Our analysis of 140 Australian domains from various sectors and industries shows that organizations in Australia are making some critical errors that can jeopardize their online reputation and the safety of their clients:

  • Presence of Invalid SPF records

    While there were SPF records published in the DNS of a considerable number of Australian domains, a very high percentage of SPF records were invalid due to the presence of errors and misconfigurations. Invalid SPF records serve no purpose and are as good as having no record at all.

  • Lack of DMARC enforcement

    Another prominent finding from the examination of Australian domains was that, while DMARC records existed for a large percentage of the domains, the majority of those domains had their DMARC policy set to none, enabling monitoring only. DMARC enforcement was observed among only a negligible number of domains.

    Note that a none policy provides zero protection against spoofing and phishing attacks. Only an enforced policy can provide immunity against impersonation.

  • Too many DNS lookups for SPF

    Since SPF has a 10 DNS lookup limit, exceeding the limit can lead to SPF failure during authentication. Australian domains showed a high percentage of invalid SPF records due to too many DNS lookups that can break SPF.

  • Multiple SPF records for the same domain

    The domain analysis also unveiled the presence of more than one SPF record for the same domain in some cases. However, each domain must possess only one SPF record for it to be considered valid.

Steps to be Taken for Improving DMARC Adoption in Australia in 2021

  • A very common mistake made by domain owners not just in Australia but around the world is that after implementing DMARC at their organization they keep the policy at none expecting their domain to be adequately protected against spoofing and BEC. However, only a policy of enforcement (p=reject/quarantine) can protect your domain against impersonation. Therefore the very first step to improving email security in Australia is to shift to DMARC enforcement.

  • Other crucial steps to improving the email security posture of Australian organizations are:

    a) Staying under the 10 DNS lookup limit for SPF
    b) Having error-free SPF and DMARC records
    c) Having a single SPF/DMARC record per domain
    d) Implementing additional layers of security like BIMI, MTA-STS, and TLS-RPT
    e) Monitoring your domains and sending sources to pick up on spoofing attempts and email delivery issues
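The four record errors listed above (invalid SPF, more than one SPF record, too many DNS lookups, and a DMARC policy left at none) can all be caught with a small linter before a receiver ever sees the mail. The script below is an added example written for this article, not PowerDMARC's tooling or a copy of the report's analysis. It reads SPF and DMARC TXT records from a table of constructed sample answers (the domains bank.example, energy.example, media.example and telecom.example are hypothetical) so it runs offline; a real check would fetch the TXT records from DNS instead. The lookup counter follows include: and redirect= into records it can see, as a receiver would, which is how one record with only a handful of includes can still exceed the limit.

```python
"""Offline SPF/DMARC record linter: an added example, not PowerDMARC's tooling.
Flags the error classes the report lists over a table of constructed TXT records
that stands in for live DNS answers (a real check would query DNS instead).
"""
# Constructed sample answers keyed by query name; the domains are hypothetical.
SAMPLE_TXT = {
    "bank.example": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    # two SPF records on one name: receivers return permerror
    "energy.example": ["v=spf1 include:a.example mx ~all", "v=spf1 include:b.example -all"],
    "_dmarc.energy.example": ["v=DMARC1; p=none; rua=mailto:dmarc@energy.example"],
    # ten includes plus mx: 11 lookups, one over the limit; and no _dmarc record at all
    "media.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(10)) + " mx -all"],
    "telecom.example": ["v=spf1 a mx include:_spf.mailer.example -all"],
    "_dmarc.telecom.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@telecom.example"],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (ip4, ip6 and all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf_terms(record):
    """Split an SPF record into (name, argument) pairs, dropping qualifiers and CIDR suffixes."""
    terms = []
    for raw in record.split()[1:]:  # skip the v=spf1 version tag
        term = raw.lstrip("+-~?")
        if "=" in term:  # modifier, e.g. redirect=host
            name, _, arg = term.partition("=")
        else:  # mechanism, e.g. include:host, ip4:net, a/24
            name, _, arg = term.partition(":")
            name = name.split("/")[0]
        terms.append((name.lower(), arg))
    return terms

def spf_records(name, txt):
    return [r for r in txt.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]

def spf_lookup_count(record, txt, depth=0):
    """Count query-costing terms, following include/redirect into records present in txt."""
    if depth > 10:  # include-loop guard
        return 11
    total = 0
    for name, arg in parse_spf_terms(record):
        if name in LOOKUP_TERMS:
            total += 1  # the term itself costs a query even if its target is unknown here
            if name in ("include", "redirect"):
                for sub in spf_records(arg, txt)[:1]:
                    total += spf_lookup_count(sub, txt, depth + 1)
    return total

def check_spf(domain, txt):
    """Findings for a domain's SPF; an empty list means the record is valid."""
    records = spf_records(domain, txt)
    if not records:
        return ["no SPF record"]
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; RFC 7208 requires exactly one")
    lookups = spf_lookup_count(records[0], txt)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(domain, txt):
    """The published p= value, or None when there is no single valid DMARC record."""
    records = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    policy = parse_dmarc(records[0]).get("p") if len(records) == 1 else None
    return policy if policy in ("none", "quarantine", "reject") else None

def check_dmarc(domain, txt):
    """Findings for _dmarc.<domain>; empty means an enforced policy with reporting."""
    records = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return ["no DMARC record" if not records else "multiple DMARC records: receivers apply no policy"]
    tags, policy, findings = parse_dmarc(records[0]), dmarc_policy(domain, txt), []
    if policy is None:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings

if __name__ == "__main__":
    for d in ["bank.example", "energy.example", "media.example", "telecom.example"]:
        print(d, "| SPF:", check_spf(d, SAMPLE_TXT) or "ok", "| DMARC:", check_dmarc(d, SAMPLE_TXT) or "ok")
```

Run as-is it reports bank.example clean, energy.example with two SPF records and p=none, media.example with 11 lookups and no DMARC record, and telecom.example enforced but only on 25% of failing mail. To point it at real domains, replace the SAMPLE_TXT dictionary with a function that resolves TXT records (for example via dnspython) and be aware that a lookup count taken from the top-level record alone understates the true cost: every included record adds its own lookups.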

How can PowerDMARC Help You in this Process?

To achieve a secure email ecosystem, DMARC/DKIM/SPF must be enabled in all gateways within the company. Everything within the company must use a single set of security standards to detect and prevent accidental and malicious email sending sources. PowerDMARC provides a full suite of email security services and hosted solutions that enable you to protect your brand reputation and customers against all sorts of email-borne threats.

  • Configuration: We help you configure your SPF, DKIM, and DMARC records, to ensure that they are valid and error-free.

  • Setup: As soon as you sign up for our DMARC trial we help you set up your DMARC dashboard, and you gain visibility instantly.

  • Monitoring: We monitor security incidents in email traffic 24x7 and control legitimate sending sources with alerts, reporting, and responsive actions.

  • Reporting: Daily Aggregate (RUA) and Forensic (RUF) reports help you keep track of all emails that are passing and failing DMARC from your domains.

  • Enforcement: We provide full DMARC enforcement (p=reject/quarantine) in record time.

  • PowerSPF: We allow you to always stay under the 10 DNS lookup limit and updated on any changes made by your ESPs in real-time.

  • Latest Authentication Protocols: We use the latest email authentication techniques such as MTA-STS, TLS-RPT, and BIMI, along with the standard protocols, to effectively mitigate all impending challenges in email security and authentication.

  • Managed Security Services (MSP/MSSP): A dedicated Service Desk to support your company’s DMARC implementation efforts and to monitor the email authentication health of your domain and the safety of your users.

Let’s join hands to increase the rate of DMARC adoption and strengthen the email security infrastructure in businesses across Australia. Get in touch with us at [email protected] to find out how we can help protect your domain and business today!
