Only 1.2% of .org domains globally have implemented measures to prevent email phishing, spoofing and ransomware attacks. This figure rises to only 20% among the top 100 US non-profit .org domains by traffic.
New research from the email security provider EasyDMARC reviewed a dataset of 9,935,024 verified .org email domains. EasyDMARC found that only 376,497 (3.8%) of those domains had implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) security standard.
The DMARC standard lets receiving mail servers automatically flag and reject incoming emails that impersonate the sending organisation’s domain, a crucial way to stop attackers using that domain in outbound phishing and spoofing attempts. Despite the standard being over a decade old, this research indicates widespread under-adoption among non-profits.
The research also signals a failure by the global non-profit sector to configure DMARC adequately where it is implemented. Among the small minority of the global .org domains tested that employ DMARC, 171,486 (45.6%) had configured it incorrectly. As a result, these organisations lacked visibility into impersonating emails sent in their name, whether those were delivered or blocked. Globally, among non-profit domains using DMARC, only 121,290 (32.2%) had implemented a ‘reject’ policy, which automatically rejects emails impersonating the legitimate domain. Most domains employing DMARC had configured it to do nothing about impersonating emails: 218,777 (58.1%) had set the policy to ‘none’. A total of 55,281 (14.7%) had configured DMARC to send impersonating emails into quarantine.
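The three policy levels and the reporting gap described above are all visible in a domain’s DMARC TXT record. The following added example (not code from EasyDMARC or the article) parses records in the RFC 7489 tag-value syntax, classifies them as none/quarantine/reject, and flags the configuration issues the passage mentions: a policy of ‘none’, a partial ‘pct’, and the absence of an ‘rua’ aggregate-reporting address, which is what leaves a domain owner without visibility into spoofing attempts. The sample records and the example.org/example.net addresses are constructed for illustration; the summary function mirrors the kind of breakdown the survey reports, on that constructed input.

```python
"""Parse and assess DMARC TXT records (RFC 7489 tag-value syntax).

Added example. The records in SAMPLE_RECORDS are constructed for
illustration and are not taken from EasyDMARC's dataset.
"""
from __future__ import annotations

from dataclasses import dataclass, field

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: str | None = None
    subdomain_policy: str | None = None
    pct: int = 100
    has_aggregate_reporting: bool = False
    findings: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased, trimmed keys."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a record's policy and list configuration weaknesses."""
    result = DmarcAssessment(valid=False)
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        result.findings.append(str(exc))
        return result

    # RFC 7489: the version tag must come first and be exactly DMARC1.
    first_tag = record.strip().split(";")[0].strip().lower().replace(" ", "")
    if first_tag != "v=dmarc1":
        result.findings.append("missing or misplaced v=DMARC1 tag")
        return result

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result.findings.append(f"missing or invalid p= tag: {policy!r}")
        return result
    result.valid = True
    result.policy = policy

    # Subdomain policy defaults to the organisational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy in VALID_POLICIES:
        result.subdomain_policy = sub_policy
    else:
        result.subdomain_policy = policy
        result.findings.append(f"invalid sp= tag ignored: {sub_policy!r}")

    # pct limits how much failing mail the policy is applied to (default 100).
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.findings.append(f"non-numeric pct= tag: {tags['pct']!r}")
    if not 0 <= result.pct <= 100:
        result.findings.append(f"pct={result.pct} is out of range 0-100")

    # Without an rua= mailto: URI the owner receives no aggregate reports.
    rua_uris = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    result.has_aggregate_reporting = any(u.startswith("mailto:") for u in rua_uris)
    if not result.has_aggregate_reporting:
        result.findings.append("no rua= address: no visibility into impersonating mail")

    if policy == "none":
        result.findings.append("p=none: impersonating mail is reported but still delivered")
    elif result.pct < 100:
        result.findings.append(f"pct={result.pct}: policy applies to only part of failing mail")
    return result


def summarise(records: list[str]) -> dict[str, int]:
    """Count records by policy level, invalid records, and missing reporting."""
    counts = {"invalid": 0, "none": 0, "quarantine": 0, "reject": 0, "no_reporting": 0}
    for record in records:
        assessment = assess_dmarc(record)
        if not assessment.valid:
            counts["invalid"] += 1
            continue
        counts[assessment.policy] += 1
        if not assessment.has_aggregate_reporting:
            counts["no_reporting"] += 1
    return counts


# Constructed sample records covering each case the survey distinguishes.
SAMPLE_RECORDS = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; ruf=mailto:dmarc@example.org; fo=1",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "v=DMARC1; p=none",
    "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "p=reject; v=DMARC1",   # version tag not first: receivers ignore the record
    "v=DMARC1; sp=reject",  # no p= tag: record is invalid
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record, "->", assess_dmarc(record).findings)
    print(summarise(SAMPLE_RECORDS))
```

Running the script prints each record with its findings and then the breakdown for the constructed set; in practice the records would come from a TXT lookup of `_dmarc.<domain>`, which is kept out of the example so it runs offline.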