A report by New Zealand-based email security company SMX has revealed significant gaps in the enforcement of the DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol among major public and private sector organisations in Australia and New Zealand.
These gaps are leaving many organisations susceptible to spoofing, phishing, and other forms of email-based cyber threats.
SMX’s chief security officer Jamie Callaghan pointed out that DMARC enforcement is crucial for maintaining trust in email communications.
“Cybersecurity tends to focus on protecting a corporate perimeter but DMARC in enforcement mode also protects the people and organisations you do business with, ensuring they continue to trust emails from your domain,” he said, as reported by IT Brief, adding that email remains a key vector for cyberattacks.
Chirag Joshi, chief information security officer and founder of 7 Rules Cyber, who collaborates with SMX, explained that attackers tend to target organisations they perceive as less protected.
“Attackers will always zero in on organisations they see as weaker targets. If you are in a shrinking pool of potential victims, you will be more visible and likely to be attacked over time,” he said.
The report, which is the fourth of its kind by SMX, found that Australian federal government agencies lead in DMARC enforcement, whereas New Zealand government domains lag behind.
The study evaluated the extent to which local domains had implemented DMARC in reporting-only mode or had activated an enforcement policy to quarantine or reject unauthorised emails.
It found that 80% of New Zealand government agencies have implemented DMARC, but only 33% are using enforcement mode, an increase from 21% in 2022. In contrast, 92% of Australian federal government agencies have deployed DMARC, with 79% enforcing it – a significant improvement from the previous year.
The report also examined DMARC adoption in the private sector.
Among New Zealand’s 100 largest companies by employee count, 64% had adopted enforcement mode, up from 47% in 2022.
In Australia, 60% of ASX-listed companies had deployed DMARC, with a slight increase in enforcement to 47% from 45% in 2022.
SMX, which manages over half a million email inboxes across Australia and New Zealand, reported that 47% of organisations sending emails to SMX customers were enforcing DMARC, up from 38% in 2022.
Callaghan emphasised the importance of making DMARC a standard in new domain rollouts.
“Managed services providers play an important role in educating their customers about the value of enforcement,” he said.
Joshi addressed the cybersecurity risks associated with remote work.
“Compromised personal devices may lead to corporate security breaches. Small businesses cannot rely on their size to remain invisible and must also take steps to avoid being an access point into client or partner systems, especially for high-risk and high-value industries,” he said.
Callaghan encouraged small business owners to consult with IT professionals about deploying DMARC, noting that the process can be “straightforward” in simpler environments.
SMX’s analysis was based on publicly available DNS records from May and June 2024 to assess DMARC deployment and its status.
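The distinction the study draws between reporting mode and enforcement can be read directly from the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from SMX or its report: the category names, the separate "partial" bucket for `pct` below 100, and the sample records are assumptions made for illustration.

```python
from collections import Counter
ENFORCING = {"quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC tag-list ("v=DMARC1; p=none; ...") into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(record):
    """A DMARC record must begin with the tag v=DMARC1 (RFC 7489)."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return name.strip() == "v" and value.strip() == "DMARC1"

def classify(txt_records):
    """Classify TXT records from _dmarc.<domain>; 'partial' means pct < 100."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if not dmarc:
        return "no-dmarc"
    if len(dmarc) > 1:
        return "invalid"  # RFC 7489: with several records, none is applied
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in ENFORCING:
        pct = tags.get("pct", "100")
        return "partial" if pct.isdigit() and int(pct) < 100 else "enforcing"
    if policy == "none":
        return "reporting"
    # No valid p tag: receivers fall back to p=none only if rua is present
    return "reporting" if tags.get("rua") else "invalid"

def summarise(domains):
    counts = Counter(classify(records) for records in domains.values())
    deployed = len(domains) - counts["no-dmarc"] - counts["invalid"]
    return {"deployed": round(100 * deployed / len(domains)),
            "enforcing": round(100 * counts["enforcing"] / len(domains))}

# Constructed sample records on reserved .example names, not data from the report
SAMPLE = {
    "agency.example": ["site-verification=abc", "v=DMARC1; p=reject; rua=mailto:d@agency.example"],
    "council.example": ["v=DMARC1; p=none; rua=mailto:d@council.example"],
    "retailer.example": ["v=DMARC1; p=quarantine; pct=25"],
    "startup.example": [],
    "merged.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}
print(summarise(SAMPLE))
```

A domain with duplicate records or a `quarantine` policy applied to a fraction of mail has "deployed" DMARC in a loose sense but does not give recipients full protection, which is why those cases are counted separately here.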
The SMX report aligns with findings from a broader survey conducted by global IT security company LogRhythm, which identified a disconnect between cybersecurity executives and customer confidence in the APAC region.
The 2024 State of the Security Team Research Report by LogRhythm, based on a survey of 1,176 cybersecurity professionals and executives, highlighted that while 85% of APAC security executives rate their cybersecurity defences as effective, 46% of companies have experienced issues with customer confidence. This has led over 90% of these companies to modify their cybersecurity strategies.
Artificial intelligence (AI) has been identified as a significant factor driving these strategic changes, with 77% of respondents citing its role in threat management. Compliance requirements and emerging cyber threats also contribute to these adjustments.
The LogRhythm report further noted a growing expectation for senior leaders to assume more responsibility for cybersecurity breaches. However, communication challenges persist between security teams and non-technical executives. Despite 90% of APAC cybersecurity teams believing they have the tools to communicate security status effectively, 59% reported difficulties in explaining specific security measures to non-technical executives.
In response to the evolving threat landscape, APAC cybersecurity budgets have increased, with 84% of respondents noting a rise in their company’s budget, exceeding the global average of 76%. Yet, many security teams struggle to demonstrate the impact of these investments, often focusing on breaches and risks rather than operational metrics like detection and response times.