Date of analysis: 24/07/2024

DMARC & MTA-STS Adoption in Malaysia: 2024 Report

2024 can be considered the year of the email security revolution! Earlier this year, Google and Yahoo successfully rolled out their updated email authentication sender requirements, making authentication mandatory for all senders. But the question remains: what pushed them to take such a drastic (yet necessary) step?

With the introduction of AI, email-based attacks including phishing, spoofing, ransomware, and BEC are now more common than ever before. According to this article by Harvard Business Review, research conducted in 2024 showed that 60% of participants fell victim to artificial intelligence (AI)-automated phishing emails. The article further explains how AI has reduced the cost associated with launching such cyber attacks by 95% while increasing their success rates.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is an email authentication security protocol that empowers domain owners to safeguard their domains from misuse, such as unauthorized usage, spoofing, and phishing attempts. By configuring your DMARC policy, you can reject emails that are not authorized and enable reporting to monitor email channels, identify sending sources, and review authentication outcomes.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS is an email authentication protocol that offers protection on the receiving end. It is designed to enhance the security of email communications by mandating the use of Transport Layer Security (TLS) during email transmission. This protocol helps protect email traffic from being intercepted through passive eavesdropping and prevents active man-in-the-middle attacks.
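How a sending server applies an MTA-STS policy, as an added example that is not part of the original report: it parses a policy file in the RFC 8461 format, validates it, and decides whether delivery to a given MX host may proceed. The policy text, host names and function names are constructed for illustration.

```python
MAX_AGE_LIMIT = 31557600  # upper bound on max_age in RFC 8461 (about one year)

SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""  # constructed policy, as served from /.well-known/mta-sts.txt

def parse_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy file into a dict."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy.setdefault(key, value)  # for repeated fields the first one wins
    return policy

def policy_errors(policy):
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not (age.isascii() and age.isdigit() and int(age) <= MAX_AGE_LIMIT):
        errors.append("max_age must be an integer of at most 31557600")
    if mode in ("enforce", "testing") and not policy["mx"]:
        errors.append("no mx patterns listed")
    return errors

def mx_allowed(policy, mx_host):
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    # "*.x" matches exactly one extra left-most label, so compare the parent domain.
    return any(host == p or (p.startswith("*.") and label and parent == p[2:])
               for p in policy["mx"])

def delivery_decision(policy, mx_host, tls_ok):
    """Assumes a validated policy; tls_ok means STARTTLS with a valid certificate."""
    if policy["mode"] == "none" or (tls_ok and mx_allowed(policy, mx_host)):
        return "deliver"
    # enforce: do not deliver to this host; testing: deliver anyway and report it
    return "refuse" if policy["mode"] == "enforce" else "deliver_and_report"
```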

Assessing the Threat Landscape

According to Verizon’s 2024 Data Breach Investigation Report, it takes users less than 60 seconds to fall victim to an email phishing scam. This means that the damage is done before you have time to even think or act! This is why relying on users to do the right thing is never an option. Organizations must work together to improve their own email defenses. 

Kaspersky’s anti-phishing technologies identified close to 500,000 attempts to access phishing links on business devices in Southeast Asia in 2023. This was mostly associated with financial institutions and payment systems. The Payment Card Industry Data Security Standard (PCI-DSS) has therefore introduced their version 4 compliance mandates, making DMARC mandatory from 2025. 

In our Malaysia DMARC and Email Authentication Adoption Report for 2024, we will address the following major concerns:

  • What is the current situation of SPF and DMARC adoption and enforcement in organizations in Malaysia?

  • What is the current status of MTA-STS adoption among organizations in Malaysia?

  • What is the rate of DNSSEC enablement among Malaysian organizations?

  • How can we improve the cybersecurity and email authentication infrastructure in Malaysia to prevent impersonation attacks?

  • Which industry sectors in Malaysia are the most vulnerable to email phishing and other cyberattacks?

  • How can organizations mitigate email-based threats?

To gain better insight into the current scenario we analyzed 974 domains belonging to top businesses and organizations in Malaysia, from the following sectors:

What Do the Numbers Say?

An in-depth SPF, DMARC, MTA-STS, and DNSSEC adoption analysis was conducted while examining all 974 Malaysian domains, which led to the following revelations:

Graphical Analysis: Among all 974 domains examined that belong to various organizations in Malaysia, 652 domains (66.9%) possessed correct SPF records, while 289 domains (29.7%) unfortunately had no SPF records at all. 385 domains (39.5%) had correct DMARC records, while 5 of the domains (0.5%) had DMARC records that contained errors. A vast majority of domains (584 domains making up 60%) had no DMARC record found. 170 domains had their DMARC policy set at none (17.5%), enabling monitoring only, while 138 domains (14.2%) had their DMARC policy set at quarantine, and 77 domains (7.9%) had their DMARC policy set at maximum enforcement (i.e. p=reject).
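The DMARC categories used in these figures (no record, record with errors, p=none, p=quarantine, p=reject) can be reproduced with a small classifier. This is an added example, not the tooling used for the report; the sample records and the function names are constructed, and treating a missing or unknown p= tag as an error is this example's own choice.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into pairs; value is None for a malformed tag."""
    tags = []
    for part in record.split(";"):
        if part.strip():
            name, sep, value = part.partition("=")
            tags.append((name.strip(), value.strip() if sep else None))
    return tags

def classify_dmarc(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    records = []
    for txt in txt_records:
        tags = parse_tags(txt)
        # A TXT string is a DMARC record only if its first tag is exactly v=DMARC1.
        if tags and tags[0] == ("v", "DMARC1"):
            records.append(tags[1:])
    if not records:
        return "no_record"
    if len(records) > 1:
        return "error"  # several DMARC records: receivers apply none of them
    tags = records[0]
    if any(value is None for _, value in tags):
        return "error"  # a tag without '='
    policy = (dict(tags).get("p") or "").lower()
    # Assumption of this example: a missing or unknown p= counts as an error.
    return policy if policy in VALID_POLICIES else "error"

# Constructed sample input (not data from the report).
SAMPLE = {
    "a.example": ["v=spf1 -all"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=100"],
    "d.example": ["v=DMARC1; p=reject"],
    "e.example": ["v=DMARC1; p=rejct"],
    "f.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "g.example": [],
}

def tally(domains):
    return Counter(classify_dmarc(records) for records in domains.values())

if __name__ == "__main__":
    for status, count in tally(SAMPLE).most_common():
        print(f"{status:<11}{count}")
```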

Sector-wise Analysis of Domains in Malaysia

Healthcare Sector

Key Findings

  • 61.3% of domains had no SPF record
  • 15.5% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 79% of the domains
  • None of the domains in the Malaysian Healthcare sector had MTA-STS implemented
  • DNSSEC was disabled for 97.2% of the domains

Media Sector

Key Findings

  • 27.5% of domains had no SPF record
  • 18.8% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 63.8% of the domains 
  • MTA-STS wasn’t enabled for any of the examined domains 
  • DNSSEC was disabled for 95% of the domains

Government Sector

Key Findings

  • 8.8% of domains had no SPF record 
  • 24.6% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 21.1% of the domains 
  • None of the domains had MTA-STS implemented 
  • DNSSEC was also disabled for 57.9% of the domains in this sector

Telecom Sector

Key Findings

  • 15% of domains had no SPF record 
  • 23.6% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 48.8% of the domains 
  • None of the domains had MTA-STS implemented
  • 92.1% of the domains had DNSSEC disabled

Job Boards

Key Findings

  • 13% of the domains analyzed have no SPF record
  • 17.4% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 63.5% of the domains 
  • MTA-STS was not enabled for any of the domains in this sector
  • DNSSEC was disabled for 94.8% of the domains

Transport Sector

Key Findings

  • 18.6% of domains had no SPF record 
  • 15.3% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 53.4% of the domains 
  • 98.3% of the domains did not have MTA-STS enabled 
  • DNSSEC was disabled for 95.8% of the domains

Miscellaneous Businesses

Key Findings

  • 54.2% of domains had no SPF record 
  • 7.7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 73.9% of the domains 
  • 99.3% of the domains had MTA-STS disabled
  • 96.5% of the domains had DNSSEC disabled

Banking Sector

Key Findings

  • 11.5% of domains had no SPF record 
  • 19.7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 37.7% of the domains 
  • None of the domains had MTA-STS enabled 
  • DNSSEC was disabled for 88.5% of the domains in this sector

Education Sector

Key Findings

  • 11.8% of domains had no SPF record 
  • 23.7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 55.9% of the domains 
  • 98.9% of the domains examined had MTA-STS implemented 
  • DNSSEC was also disabled for 90.3% of the domains analyzed

Comparative Analysis of SPF Adoption among Different Sectors in Malaysia

The SPF adoption rate was found to be the lowest in the Malaysian Healthcare sector. The highest rate of SPF adoption was noted in the Malaysian Government, Banking, Job Board, and Education sectors.

Comparative Analysis of DMARC Adoption among Different Sectors in Malaysia

Malaysia’s Healthcare, Miscellaneous Businesses, Media, and Job Boards sectors showed low rates of DMARC adoption. The highest rate of DMARC adoption was noted in the Malaysian Government and Banking sectors. A large percentage of organizations in all sectors had their DMARC policy set at “none”.

Comparative Analysis of MTA-STS Adoption among Different Sectors in Malaysia

Of the 974 Malaysian domains analyzed, 99.6% did not have MTA-STS implemented.

Comparative Analysis of DNSSEC Adoption among Different Sectors in Malaysia

Of the 974 Malaysian domains analyzed, 92.3% had DNSSEC disabled.

Critical Errors Organizations in Malaysia Are Making

Through an analysis of 974 domains spanning various sectors and industries in Malaysia, we uncovered numerous critical mistakes made by Malaysian organizations and government entities, exposing them to potential security breaches.

How Can Organizations in Malaysia Improve Email Security?

How Can We Help You in this Process

Ensuring the security of your emails is paramount for organizations of all sizes. We understand the importance of safeguarding your communications from cyber threats. That’s why we offer a comprehensive suite of email and domain security solutions tailored to meet your organization’s needs.

Let’s join hands to increase the rate of DMARC & MTA-STS adoption and strengthen the email security infrastructure in businesses across Malaysia and Southeast Asia. Get in touch with us at [email protected] to find out how we can help protect your domain and business today!