Australasian Organisations Are Missing Out On DMARC Email Domain Protection - SMX Study
A study by SMX, the New Zealand email security specialist, shows that DMARC enforcement remains inconsistent among New Zealand and Australia’s largest public and private sector organisations, meaning many are vulnerable to spoofs, phishing scams and other email-borne cyber attacks.
“Cyber security tends to focus on protecting a corporate parameter but DMARC in enforcement mode also protects the people and organisations you do business with, ensuring they continue to trust emails from your domain,” says Jamie Callaghan, SMX’s Chief Security Officer. “Considering 90% of cyber attacks emanate from email, the largest and most prominent Australian and New Zealand domains should be leading the way in protecting their clients, customers and supply chain partners.”
SMX’s fourth survey identified which local domains deploy DMARC (Domain-based Message Authentication, Reporting and Conformance) in a passive reporting mode, and which have subsequently activated the authentication protocol to quarantine or reject spoofed emails. Out of all domains with DMARC deployed, those belonging to Australian Federal Government agencies are the most comprehensively operating in enforcement mode, while New Zealand Government domains are the least likely to be protected.
A consequence of greater adoption of DMARC is that those organisations not enforcing the protocol effectively will be at greater risk of attack.
“Attackers will always zero in on organisations they see as weaker targets. If you are in a shrinking pool of potential victims, you will be more visible and likely to be attacked over time,” says Chirag Joshi, CISO and founder of 7 Rules Cyber, who consults to SMX.
Despite most New Zealand Government agencies having DMARC in place (80%), just one third (33%) of these are using enforcement mode, up from 21% in 2022. By comparison, Australian Federal Government agencies are close to achieving universal deployment (92%) and demonstrate widespread enforcement (79%).
SMX also analysed the email domains of private sector companies in New Zealand and Australia. Among New Zealand’s 100 largest companies by number of employees with DMARC deployed, 64% are now in enforcement mode, an increase from 47% in 2022. Sixty percent of ASX-listed companies have DMARC deployed but this cohort has made little progress in enforcing the protocol, reaching 47% this year compared to 45% in 2022.
SMX manages over half a million inboxes across Australia and New Zealand. Almost half (47%) of the organisations sending emails to SMX customers, and who have deployed DMARC, are now actually enforcing the protocol, an increase from 38% in 2022.
SMX believes that DMARC should now be a standard part of every new domain rollout and that managed services providers play an important role in educating their customers about the value of enforcement.
“Increased acceptance of working from home means that compromised personal devices may lead to corporate security breaches,” says Joshi.
Small businesses cannot rely on their size to remain invisible, and must also take steps to avoid being an access point into client or partner systems. This is especially true for those who serve high-risk and high-value industries.
“Fortunately, deploying DMARC can be surprisingly straightforward in a simple environment, and small business owners should talk to their IT support about beginning the process,” says Callaghan.
Key findings
Organisations with DMARC deployed and set to ‘enforce mode’:
- 33.1% New Zealand Government agencies (21.1% in 2022)
- 78.88% Australian Federal Government agencies (62.31% in 2022)
- 64% New Zealand’s 100 largest companies by employees (47% in 2022)
- 47.43% ASX-listed organisations (44.74% in 2022)
- 47.64% Companies sending to SMX customers (37.83% in 2022)
- 43.5% SMX customers (34.2% in 2022)
Organisations with DMARC deployed in ‘report only’ mode:
- 79.9% New Zealand Government agencies (50.5% in 2022)
- 92.0% Australian Federal Government agencies (74.3% in 2022)
- 80.0% New Zealand’s 100 largest companies by employees (59.6% in 2022)
- 59.9% ASX-listed companies (29.5% in 2022)
- 45.9% Companies sending to SMX customers (4.7% in 2022)
- 32.4% SMX customers (14.2% in 2022)
Methodology
SMX analysed publicly available DNS records in May and June 2024 to identify whether DMARC is deployed and its status in either reporting or enforcement mode.
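One way to carry out the classification described in the methodology, shown as an added example that is not SMX's code: it sorts the TXT records found at `_dmarc.<domain>` into not deployed, report only (`p=none`) or enforcement (`p=quarantine` or `p=reject`) following RFC 7489. The domains, records, function names and status labels are constructed for illustration, and the study does not publish its exact rules.

```python
# Added example: classify DMARC TXT records (RFC 7489) as a survey might.
# Sample records are constructed; a real survey would first fetch the TXT
# records at _dmarc.<domain> with a DNS resolver.

def parse_tags(record):
    """Split 'v=DMARC1; p=none' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Return 'not deployed', 'report only' or 'enforcement'."""
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [tags for tags in map(parse_tags, txt_records)
             if tags and tags[0] == ("v", "DMARC1")]
    # RFC 7489 section 6.6.3: zero or multiple records means no policy applies.
    if len(dmarc) != 1:
        return "not deployed"
    tags = dict(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcement"
    if policy == "none":
        return "report only"
    # Missing or invalid p: receivers fall back to p=none only if rua is usable.
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "report only"
    return "not deployed"

def survey(records_by_domain):
    """Map each domain to its DMARC status."""
    return {d: classify(r) for d, r in records_by_domain.items()}

SAMPLE = {  # constructed records, keyed by hypothetical domain
    "agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"],
    "company.example": ["v=DMARC1; p=none; rua=mailto:dmarc@company.example"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@typo.example"],
    "dupe.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "spfonly.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, status in survey(SAMPLE).items():
        print(f"{domain:18} {status}")
```

The `typo.example` and `dupe.example` cases show how a domain that appears to publish a reject policy can still end up unprotected: a misspelt `p` value degrades to report only, and duplicate records disable DMARC processing altogether.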