Decoding the DMARC adoption wave in Ireland
Ever since Google and Yahoo rolled out new email-sending policies that mandate organizations that send bulk marketing emails every day to deploy DMARC (Domain-based Message Authentication Reporting and Conformance), organizations across the world have been quite proactive in meeting these new standards. The wave of DMARC adoption was such that over 800,000 new DMARC records were created by March 2024. And just like the rest of the world, organizations in Ireland also jumped on this bandwagon.
Compared to other European countries, Ireland needs to put in extra effort to make DMARC a more widely adopted protocol among organizations. The reason we say this is because, as of the first quarter of 2024, the DMARC support rate in Ireland is still 61%, whereas in Denmark, it is 76%. The reason Denmark’s adoption rate is so much higher than Ireland’s is that the former is largely driven by government mandates, whereas Ireland’s approach relies more on voluntary guidelines and recommendations. Let us delve deeper into this.
The reason behind the gradual implementation
It is safe to say that DMARC adoption in Europe has only been satisfactory, primarily because the status of DMARC deployment since the third quarter of 2022 has been below 60%. The reason this pace of adoption is quite low in European countries is the lack of uniform regulatory mandates across the continent. There are some countries, like the United Kingdom, Netherlands, and Denmark, that have to follow stringent regulations. Others, however, like Germany, Ireland, and Scotland, take it as nothing more than a “best practice”. They are not compelled to adhere to these guidelines
Since Ireland is one of the countries that has the option of skipping the DMARC implementation step in their email security strategy, most organizations don’t bother doing it. You’d be surprised to know that there has been hardly any progress in DMARC deployment since 2023. Last year, it was around 58%, and in 2024, it is around 61%. Apart from this, only 36% of the domains in Ireland have configured the DMARC strict policy. While it is not exactly disappointing, there’s still scope for improvement.
In Ireland, the Public Sector Cyber Security Baselines merely suggests the use of SPF, DKIM, DMARC, and TLS to make email more secure but do not make them compulsory. This is not the case with countries like Denmark and the UK, where it is mandatory for certain public and government domains to have a DMARC record in place. This does not mean that the Irish do not prioritize security; instead, they follow Europe’s GDPR guidelines to maintain privacy during email communication.
The status of DMARC adoption across sectors
Now that we have analyzed the DMARC implementation rate in Ireland with respect to the other European countries, let us dig deeper and analyze the adoption patterns across various sectors in Ireland.
According to a recent report, in the public sector, including government agencies and County Councils, around 53% have taken decisive action towards email security by adopting the “p=reject” policy. That means they’re actively blocking suspicious emails in which cyber attackers try to get access to the victim’s digital assets by posing as a trusted entity. While this looks promising, 40% of the domains in Ireland are still configured with DMARC at “p=none.”
This implies that they are just monitoring their email traffic but have no policies in place to offer protection. This shows that while reasonable efforts have been made, this sector still has a long way to go when it comes to ensuring safe email communication channels.
Coming to other sectors, things get even more diverse here. Half of the top Irish news outlets have adopted the policy “p=reject”, so in terms of email security, they are really doing well. On the other hand, 30% do not have any DMARC record, which exposes them to risks. As for the sports bodies in Ireland, the situation is really worrying. In this domain, around 90% of the sporting bodies either have no DMARC record at all or the ones that do have them incorrectly configured. It is only 10% that are protected with a “p=reject” policy.
The banking sector, however, is doing better in terms of DMARC adoption. Here, 46% of members have a “p=reject” policy, while 38% don’t have any DMARC records at all, which is certainly concerning considering how sensitive financial data is.
Takeaways from Ireland’s DMARC adoption journey
When it comes to maintaining the sanctity of your email infrastructure, you should think of email security and adherence to these global standards as a marathon, not a sprint. Since you’re in it for the long haul, make sure that you don’t rush into things for the sake of making it to the finish line. You must strategize and follow a slow and steady approach to keeping attackers at bay.