Date of analysis: 22/07/2024

Kuwait DMARC & MTA-STS Adoption Report 2024

Between 2022 and 2023, more than 20,000 Kuwait citizens were impacted by cybercrime, incurring over $160 million in costs. The Electronic and Cyber Crime Department at the Ministry of Interior in Kuwait has faced several challenges in addressing the need for data privacy and cybersecurity awareness in the country, especially since the rise of artificial intelligence (AI). 

Officials from the Kuwait Cyber Crime Department reported that cyber attackers targeted private firms and government institutions in Kuwait, to steal sensitive information. This highlighted the need to enhance cybersecurity in the country by implementing modern solutions and strategies.

Why Is DMARC & MTA-STS Adoption Important? 

DMARC and MTA-STS are both email authentication protocols designed to enhance the security of domain names. DMARC allows domain owners to authenticate messages sent from their domain, preventing phishing emails impersonating legitimate domains from reaching recipients. MTA-STS on the other hand prevents unencrypted messages from being delivered to your mailbox, ensuring a secure connection during email transfer. 

DMARC and MTA-STS play a pivotal role in email and domain security, preventing a variety of cyber attacks including phishing, spoofing, ransomware, business email compromise, man-in-the-middle, and DNS spoofing.

Assessing the Threat Landscape

Do you know how easy it is to get phished? Verizon’s 2024 DBIR report says – it takes less than 60 seconds! This means that if an email impersonating an organization’s domains reaches their clients – there is a 90% chance that the receiver will get scammed! This is why organizations need to take active measures to stop such emails from reaching their customers in the first place.

With more than 3.4 billion phishing emails sent every day, implementing email authentication has been made mandatory by even tech giants like Google and Yahoo.

In our Kuwait DMARC and Email Authentication Adoption Report for 2024, we will address the following major concerns:

  • What is the current situation of SPF and DMARC adoption and enforcement in organizations in Kuwait?

  • What is the current status of MTA-STS adoption among organizations in Kuwait?

  • What is the rate of DNSSEC enablement among Kuwait organizations?

  • How can we improve ‌the cybersecurity and email authentication infrastructure in Kuwait to prevent impersonation attacks?

  • Which industry sectors in Kuwait are the most vulnerable to email phishing and other cyberattacks?

  • How can organizations mitigate email-based threats?

To gain better insight into the current scenario we analyzed 400 domains belonging to top businesses and organizations in Kuwait, from the following sectors:

What Do the Numbers Say?

An in-depth SPF, DMARC, MTA-STS, and DNSSEC adoption analysis was conducted while examining all 400 Kuwait domains, which led to the following revelations:

Graphical Analysis: Among all 400 domains examined that belong to various organizations in Kuwait, 311 domains (77.75%) possessed correct SPF records, while 62 domains (15.5%) unfortunately had no SPF records at all. 165 domains (41.25%) had correct DMARC records. A vast majority of domains (234 domains making up 58.5%) had no DMARC record found. Out of the domains with DMARC implemented, 57 had their DMARC policy set at none (14.25%), enabling monitoring only, while 65 domains (16.25%) had their DMARC policy ‌set at quarantine, and 43 domains (10.75%) had their DMARC policy set at maximum enforcement (i.e. p=reject). Additionally, none of the Kuwait domains that were examined had MTA-STS or DNSSEC enabled.

Sector-wise Analysis of Domains in Kuwait

Healthcare Sector

Key Findings

  • 6.3% of domains had no SPF record
  • 6.3% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 68.8% of the domains
  • None of the domains in the Kuwait Healthcare sector had MTA-STS implemented
  • DNSSEC was disabled for all the domains

Media & Entertainment Sector

Key Findings

  • 31.4% of domains had no SPF record
  • 9.8% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 88.2% of the domains 
  • MTA-STS wasn’t enabled for any of the examined domains 
  • DNSSEC was disabled for all of the domains

Government Sector

Key Findings

  • 15.6% of domains had no SPF record 
  • 6.7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 57.8% of the domains 
  • None of the domains had MTA-STS implemented 
  • DNSSEC was also disabled for all of the domains in this sector

Telecom Sector

Key Findings

  • 11.1% of domains had no SPF record 
  • 16.7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 44.4% of the domains 
  • None of the domains had MTA-STS implemented
  • All of the domains had DNSSEC disabled

Transport Sector

Key Findings

  • 2.8% of domains had no SPF record 
  • 19.4% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 55.6% of the domains 
  • None of the domains had MTA-STS enabled 
  • DNSSEC was disabled for all of the domains

Financial Sector

Key Findings

  • 14.1% of domains had no SPF record 
  • 7% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 47.9% of the domains 
  • None of the domains had MTA-STS enabled 
  • DNSSEC was disabled for all of the domains in this sector

Education Sector

Key Findings

  • 11.4% of domains had no SPF record 
  • 28.6% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 42.9% of the domains 
  • None of the domains examined had MTA-STS implemented 
  • DNSSEC was also disabled for all of the domains analyzed

Energy Sector

Key Findings

  • 13.6% of domains had no SPF record 
  • 15.2% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 56.1% of the domains 
  • None of the domains examined had MTA-STS implemented 
  • DNSSEC was also disabled for all of the domains analyzed

Miscellaneous Businesses

Key Findings

  • 19.4% of domains had no SPF record 
  • 21% of the domains had their DMARC policy set at p=none
  • No DMARC record was found for 61.3% of the domains 
  • All of the domains had MTA-STS disabled
  • All of the domains had DNSSEC disabled

Comparative Analysis of SPF Adoption among Different Sectors in Kuwait

The adoption rate for SPF was the lowest in the Kuwait Media sector. The highest rate of SPF adoption was noted in the Kuwait Healthcare, Transport, and Education sectors.

Comparative Analysis of DMARC Adoption among Different Sectors in Kuwait

Kuwait’s Media and Healthcare sectors noted low rates of DMARC adoption. The highest rate of DMARC adoption was noted in the Kuwait Financial, Telecom, and Educational sectors. A large percentage of organizations in all industries had “none” DMARC policy implemented.

Comparative Analysis of MTA-STS Adoption among Different Sectors in Kuwait

The 400 domains analyzed in Kuwait, did not have MTA-STS implemented.

Comparative Analysis of DNSSEC Adoption among Different Sectors in Kuwait

The 400 domains analyzed in Kuwait had DNSSEC disabled for them.

Critical Errors Organizations in Kuwait Are Making

From the analysis, we uncovered several critical errors organizations in Kuwait were making when it came to implementing email authentication protocols and protecting their domain names. Let’s discuss them:

How Can Organizations in Kuwait Improve Email Security & Deliverability?

How Can PowerDMARC Help?

PowerDMARC is a one-stop solution chosen by businesses of all sizes to increase their email authentication adoption and deliverability easily! Our comprehensive platform offers the following features and benefits:

Let’s join hands to increase the rate of DMARC & MTA-STS adoption and strengthen the email security infrastructure in businesses across Kuwait and the Middle East. Contact us at [email protected] to find out how we can help protect your domain and business today!