DMARC on the rise while awaiting BIMI
Afnic has studied the adoption of SPF, DMARC, DKIM and BIMI on .FR domain names. DMARC deployment has doubled in the .FR zone compared to 2023.
The SPF, DMARC and DKIM methods are essential for protecting domain names against phishing attacks and improving e-mail deliverability.
Definition of SPF, DMARC, DKIM
As a reminder, here’s what these solutions mean:
SPF (Sender Policy Framework): SPF is an e-mail authentication protocol that allows domain name owners toindicate which mail servers are authorized to send e-mail on their behalf. This helps prevent spoofing by verifying that e-mails come from authorized sources.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to outgoing e-mails. This signature enables the recipient to verify that the e-mail has not been altered in transit, and that it comes from the specified domain name. This reinforces message integrity and authenticity.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC combines SPF and DKIM to offer additional protection. It enables domain name owners to define policies on how unauthenticated emails should be handled (e.g. quarantined or rejected). DMARC also provides reports on impersonation attempts, helping to monitor and improve e-mail security.
DMARC adoption has doubled in one year among .FR domain names
Between 2023 and 2024, AFNIC’s study on the subject found that 16.6% of domain names now publish a DMARC policy, compared with 7.8% in 2023.
This is a major step forward in the space of just one year.
Other entries are also on the rise, with 74.4% of .FRs with an SPF policy (versus 57.8% in 2023). In addition, 33% of .FRs have deployed DKIM, compared with 23.1% in 2023.
This meteoric rise can be explained by two private initiatives by two major Internet players: Google and Yahoo.
Since February 2024, senders of 5,000 or more messages per day to Gmail accounts have been required to authenticate outgoing e-mails via DMARC.
DMARC policies to apply
It’s worth pointing out that Google is not intransigent in this rule change. A simple DMARC policy of p=none is sufficient for Gmail and Yahoo. This means that in the event of unauthorized IP addresses, e-mails are still delivered.
AFNIC points out that there are three possible DMARC policies.
” The term p=reject in a DMARC policy means “?don’t let the message through”; the term p=none, conversely, means “?let the message through anyway” and in between is p=quarantine, which suggests quarantine, for example by storing the message in a “?junk?” subdirectory or queuing it for closer scrutiny.”
However, the AFNIC study notes a “sharp rise in DMARC adoption, which also goes hand in hand with a clear decrease in the proportion of p=none policies, mainly in favor of p=quarantine. As for p=reject, the increase is very slight for domains publishing a website, but more significant for domains without a website. “.
DMARC deployment for .FR domain names (Source : Afnic.fr)
AFNIC has identified 117,243 domains publishing a p=reject. This represents 2.99% of .FR domains, more than double the figure for 2023 (1.34%).
No BIMI without DMARC
DMARC’s growth can also be explained by the growing interest in BIMI (Brand Indicators for Message Identification).
BIMI is a recent standard that allows companies to display their logo next to their e-mails in recipients’ inboxes.
For a BIMI-supported messaging system to display the logo associated with the sender domain name, a DMARC policy is required. This must be strict, with p=quarantine or p=reject.
Since 2016, Solidnames supports organizations wishing to deploy SPF, DKIM and DMARC. This IT consulting mission, called DRUIDE at Solidnames has been performed dozens of times over the past eight years.
In 2022, Solidnames implemented BIMI for its main domain solidnames.fr. Since then, our company has also been offering IT support to organizations wishing to adopt BIMI.
Nevertheless, the use of BIMI remains confidential in the .FR zone. According to the AFNIC 2024 study, only 58 domain names (including solidnames.fr and a few customers) have the appropriate VMC (Verified Mark Certificate) for BIMI.
This market is shared between two American companies, DigiCert and Entrust.
States increasingly demanding DMARC policy while waiting for BIMI?
However, the adoption of DMARC and BIMI can be supported by a regulatory context that strongly encourages these uses.
Since then, many countries have followed this trend. In 2018, Saudi organizations were encouraged to use DKIM, SPF and DMARC as advanced phishing protection techniques to filter out fraudulent messages.
In 2022, the Irish public sector will be required to use SPF, DKIM, DMARC and TLS to enhance e-mail security.
The previous year saw more stringent applications. Dutch government agencies are required to implement DMARC, as well as DKIM, SPF. In Denmark, government entities must implement a DMARC policy of p=reject on all their domain names.
All these initiatives demonstrate that, all over the world, the structural problem of email and the ease with which it is possible to steal an identity is being tackled head-on.