New report shows DMARC enforcement gap in NZ & Australia

A study conducted by SMX, a New Zealand-based email security specialist, indicates that the enforcement of the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol remains inconsistent among the largest public and private sector organisations in New Zealand and Australia. This inconsistency leaves many organisations vulnerable to spoofing, phishing scams, and other email-based cyber attacks.

Jamie Callaghan, SMX's Chief Security Officer, remarked, "Cyber security tends to focus on protecting a corporate perimeter but DMARC in enforcement mode also protects the people and organisations you do business with, ensuring they continue to trust emails from your domain." Callaghan emphasised the importance of protection given the statistic that "90% of cyber attacks emanate from email."

According to the fourth survey by SMX, Australian Federal Government agencies are the most diligent in operating DMARC in enforcement mode, while New Zealand Government domains are the least likely to be protected. The study analysed whether the local domains had deployed DMARC in a passive reporting mode or if they had activated the authentication protocol to quarantine or reject spoofed emails.

Chirag Joshi, Chief Information Security Officer and founder of 7 Rules Cyber, who also consults with SMX, noted, "Attackers will always zero in on organisations they see as weaker targets. If you are in a shrinking pool of potential victims, you will be more visible and likely to be attacked over time."

The study found that although 80% of New Zealand Government agencies had DMARC in place, only 33% were using enforcement mode, up from 21% in 2022. By contrast, 92% of Australian Federal Government agencies had deployed DMARC, with 79% demonstrating widespread enforcement, a significant increase from the previous year.

Private sector companies' email domains in both New Zealand and Australia were also analysed. Among New Zealand’s 100 largest companies by the number of employees with DMARC deployed, 64% were now in enforcement mode, showing an increase from 47% in 2022. Meanwhile, 60% of ASX-listed companies had deployed DMARC, but the enforcement rate had only marginally increased to 47% compared to 45% in 2022.

SMX manages over half a million inboxes across Australia and New Zealand. The report revealed that 47% of organisations sending emails to SMX customers, and who had deployed DMARC, were enforcing the protocol, an increase from 38% in 2022. Callaghan from SMX stressed, "DMARC should now be a standard part of every new domain rollout and managed services providers play an important role in educating their customers about the value of enforcement."

Joshi highlighted the risks posed by the increased acceptance of remote work, stating, "Compromised personal devices may lead to corporate security breaches. Small businesses cannot rely on their size to remain invisible and must also take steps to avoid being an access point into client or partner systems, especially for high-risk and high-value industries."

Callaghan advised that deploying DMARC could be “surprisingly straightforward in a simple environment,” urging small business owners to consult their IT support regarding the process.

The SMX study included several key findings. In enforcement mode, 33.1% of New Zealand Government agencies, 78.88% of Australian Federal Government agencies, 64% of New Zealand’s 100 largest companies by employees, 47.43% of ASX-listed organisations, 47.64% of companies sending to SMX customers, and 43.5% of SMX customers were protected. In report-only mode, 79.9% of New Zealand Government agencies, 92% of Australian Federal Government agencies, 80% of New Zealand’s largest companies by employees, 59.9% of ASX-listed organisations, 45.9% of companies sending to SMX customers, and 32.4% of SMX customers had deployed DMARC.

For this study, SMX analysed publicly available DNS records in May and June 2024 to identify whether DMARC was deployed and its status in either reporting or enforcement mode.