DMARC (Domain-based Message Authentication, Reporting and Conformance) is a foundational email security technology that fights phishing, improves deliverability, and increases brand trust and compliance. Since its introduction in 2012, DMARC has grown to become a fundamental domain security control and an email authentication standard across the world.
There are three DMARC policy levels. Each indicates that a domain's messages are protected by SPF and/or DKIM and instructs the recipient on what to do if neither is verified. The initial policy, p=none, does not offer protection but provides full visibility into domain usage without affecting email treatment. The stricter policies are p=quarantine, which moves messages that fail DMARC to the spam folder, and p=reject, under which messages that fail DMARC are not delivered.
In Ireland, the Public Sector Cyber Security Baselines standards[1], last revised in November 2022, provide guidance on the utilisation of SPF, DKIM, DMARC, and TLS in section 2.9, which covers email security; they do not currently mandate the implementation of these standards. In countries such as Denmark and our neighbour the UK, there is a mandate for certain public and government domains to have a DMARC record.
The European Commission publishes data[2] on DMARC adoption, most recently updated in Q1 2024. This data reveals that Ireland’s DMARC support rate is 61%, compared to Denmark’s 76%, which could indicate the effectiveness of DMARC mandates. Ireland’s DMARC strict policy support rate is 36%, while Austria’s is 47%. This data strongly suggests that adopting stricter DMARC mandates and policies could improve Ireland’s DMARC adoption rates.
Let’s take this opportunity to examine Ireland’s DMARC adoption across five particular sectors and verticals, and consider the interesting and mixed picture that emerges.
- Irish government agencies and County Councils: 40% had a DMARC record of p=none, with 53% of members having a DMARC record of p=reject.
- Top Irish news outlets: 50% were at p=reject and 30% had no DMARC record.
- Top Irish sporting bodies: 90% had no DMARC record or a record that needs attention, and 10% were at p=reject.
- Banking Federation of Ireland members: 38% had no DMARC record, with 46% of members having a DMARC record of p=reject.
- Legal firms in Offaly & Meath: 77% of this group do not have a DMARC record and 7% were at p=reject.
Companies and organisations in Ireland enjoy several benefits when adopting DMARC:
- Combating Phishing: DMARC helps fight phishing at a time when email remains the primary attack vector in cybercrime. According to the Verizon Data Breach Report, 43% of all data breaches involve small- and medium-sized businesses. In Ireland, the Banking Federation of Ireland recently reported that SMEs lost 10 million euros to email-related scams last year[3]. Implementing DMARC ensures domain usage visibility and blocks unauthorised email senders, preventing malicious actors from impersonating the company’s domains and fully protecting their reputation.
- Regulatory Compliance: Many industries, governments, and regulations increasingly mandate DMARC. Standards such as PCI DSS (Payment Card Industry Data Security Standard) require stringent email security measures to protect customer data. The Digital Operational Resilience Act (DORA), an EU regulatory framework for the financial sector, also recognises DMARC as a mitigating factor.
- Email Reliability: DMARC is essential for ensuring that legitimate emails consistently reach their intended recipients, and it is the primary control for observing and restricting email domain usage. During a successful DMARC rollout, organisations can catalogue the ownership of accounts, domains, and third-party tools and senders, improving overall email reliability.
- Improved Deliverability: Successful DMARC implementation can enhance email deliverability, especially with new requirements from Google and Yahoo. Starting February 2024, bulk senders who send 5,000 messages a day or more to these major mailbox providers must have a DMARC policy in their DNS.
It could, therefore, be argued that, notwithstanding recent cyber attacks, there is an even greater need, benefit, and urgency for adopting DMARC in Ireland at the strictest policy level of p=reject.
The good news for IT teams is that several free resources are available to help companies successfully navigate their DMARC journey. Successful DMARC implementation requires buy-in from leadership, including CISOs and finance teams concerned with data, compliance, and financial risk.
The first step you can take today is to check if your email domain is protected by DMARC.
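The check described above, as an added example that is not part of the original article: it sorts the TXT strings published at `_dmarc.<domain>` into the same buckets used in the sector survey (no record, needs attention, p=none, p=quarantine, p=reject), following the record syntax in RFC 7489. The function names, the domains and the records in `SAMPLES` are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:  # fragments without '=' (e.g. after a trailing ';') are ignored
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify_dmarc(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>; returns (status, note)."""
    parsed = [parse_tags(r) for r in txt_records]
    # Only records whose first tag is exactly v=DMARC1 count as DMARC records.
    dmarc = [p for p in parsed if p and p[0] == ("v", "DMARC1")]
    if not dmarc:
        return ("no record", "no TXT record starting with v=DMARC1")
    if len(dmarc) > 1:
        return ("needs attention", "multiple DMARC records; receivers apply none")
    tags = dict(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("needs attention", "missing or invalid p= tag")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return ("needs attention", "invalid pct= tag")
    if policy != "none" and int(pct) < 100:
        return ("p=" + policy, "applied to only %s%% of failing mail" % pct)
    return ("p=" + policy, "monitoring only" if policy == "none" else "enforced")

# Constructed sample answers (not real domains or real DNS data).
SAMPLES = {
    "nodmarc.example": [],
    "spfonly.example": ["v=spf1 -all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "strict.example": ["v=DMARC1; p=reject;"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        status, note = classify_dmarc(records)
        print("%-16s %-16s %s" % (domain, status, note))
```

To run it against your own domain, pass in the strings returned by a TXT lookup such as `dig +short TXT _dmarc.example.com`, with the surrounding quotes removed.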
[1] https://www.gov.ie/pdf/?file=https://assets.gov.ie/239834/8d5bd215-4a17-471d-a1be-2c7ae5ebabb6.pdf#page=null
[2] https://ec.europa.eu/internet-standards/email.html
[3] https://www.rte.ie/news/business/2024/0712/1459392-smes-lost-10m-through-email-related-scams-last-year/