New research published today by cloud email security and brand protection startup Redsift Ltd. has found that 33% of publicly listed companies are not ready for new bulk email sending requirements that come into place in February.

The new requirements, announced by Google LLC and Yahoo Inc. in October, require any company sending more than 5,000 email messages through Google and Yahoo to use Domain-based Message Authentication Reporting and Conformance technology. DMARC is an email validation system designed to protect email domains from being used in email spoofing, phishing scams and other cybercrimes by verifying a sender’s authenticity.

There are requirements for DMARC compliance — the ability to authenticate the domains emails are sent from, the ability to make it easy for people to stop receiving emails and the requirement that the emails are not spam.

In the words of the Red Sift researchers, the requirements sound easy enough, but a problem is arising with the domain authentication requirement. To comply, a company must set up a Sender Policy Framework and DMIK, or DomainKeys Identified Mail, an email authentication method that adds a digital signature to emails.

The researchers checked 70 million domains globally and found that more than 91% of email-sending domains have no DMARC record and would therefore fail the new Google and Yahoo requirements. Among publicly listed companies, 33% were found to have no DMARC record.

The lack of DMARC records among publicly listed companies varies depending on where. In the U.S., the figure was 6.5%, in Australia 10.8% and in the U.K. 14.6% versus Japan and South Korea, where the figure was 50%.

In terms of total compliance with DMARC, only 40% of global enterprises were found to likely pass the new requirements. As with the DMARC records, the number varied, with 75% of companies in the U.S. found to be likely to pass new requirements versus 2% in South Korea.

The researchers warn that businesses that send 5,000 or more emails a day need to ensure not only that they have a DMARC record in place but that they have SPF and DKIM in place as well.

“At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated,” the researchers write. “We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement.”

Image: DALL-E 3