Recently released statistics by e-mail security and authentication service provider Valimail tell us that ~2% of e-mail communications worldwide are deemed “potentially malicious” because they’ve failed DMARC testing (domain-based message authentication, reporting and conformance) and also don’t originate from known, legitimate senders.
That’s a small percentage — seemingly trivial. But considering the volume of e-mail messages sent every day, it translates into nearly 6.4 billion e-mails sent every day that are “fake, faux and phony.”
Interestingly, the source of those fake e-mails is most often right here in the United States. Not Russia or Ukraine. Or Nigeria or Tajikistan.
In fact, no other country even comes close to the USA in the number of fraudulent e-mails.
The good news is that DMARC has made some pretty decent strides in recent times, with DMARC support now covering around 5 billion inboxes worldwide, up from less than 3 billion in 2015.
The federal government is the biggest user of DMARC, but nearly all U.S. tech companies and most Fortune 500 companies also participate.
Participation is one thing, but doing something about enforcement is another. At the moment, Valimail is finding that the enforcement failure rate is well above 70% — hardly an impressive track record.
The Valimail study findings came as the result of analyzing billions of e-mail message authentication requests, along with 3 million+ publicly accessible DMARC records. So, the findings are meaningful and provide good directional indications.
But what are the research implications? The findings underscore the degree to which name brands can be “hijacked” for nefarious purposes.
Additionally, there’s consumer fallout in that many people are increasingly skittish about opening any marketing-oriented e-mails at all, figuring that the risk of importing a virus outweighs any potential benefit from the marketing pitch.
That isn’t an over-abundance of caution, either, because 9 in 10 cyber attacks begin with a phishing e-mail.
It’s certainly enough to keep many people from opening the next e-mail that hits their inbox from a Penneys(?), DirecTV(?) or BestBuy(?).
How about you? Are you now sending those e-mails straight to the trash as a matter of course?
Nones Notes 
I am acutely aware of phishing scams. I received an email from one of my vendors. It was one line of text with a document attached. It was not the usual way that he communicated with me, so I sent a separate email to him asking if he was the sender.
The scary thing was that I was communicating with the hacker when I received an affirmative response. A phone call confirmed my suspicions.
There are little behavioral things that we miss in personal communications from a known sender. My friend has his doctorate but never uses that title. When the valediction was followed by “Dr.”, I knew that it was not from him. Most people are not that cautious and can end up infecting their entire network.
If only all of that talent were put to good use!