Measuring the Economic Impact of DMARC
Partner: Global Cyber Alliance
Business Email Compromise (BEC) has emerged as a rapidly growing threat, causing more financial losses than any other type of cyber threat according to FBI data. While the deployment of DMARC is known to be effective at limiting email spoofing, there has been a notable lack of research into its specific economic value. This paper bridges that gap by quantifying the loss avoidance realized by organizations that implement DMARC at enforcement levels.
The research focuses on the “Business Email Compromise” subset of email attacks, as these incidents typically involve high direct losses and reliable reporting. The analysis reveals that the value of DMARC scales rapidly based on human action rates; for example, at a conservative 1% success rate for attackers, a small group of organizations saved $19 million in a single year. The report also deconstructs the “CFO error probability,” showing how even a 25% chance of a mistake at an average-sized company can lead to millions in losses.
Beyond direct financial gain, the study highlights critical non-security benefits, including improved brand protection and email deliverability. With less than 40% of U.S. banks utilizing DMARC as of early 2018, the research serves as a stark wake-up call. It provides the actuarial evidence needed to justify the implementation of DMARC as a core component of a modern trusted email program.
Key Findings
- $19M in Annual Savings: 1,046 organizations that implemented DMARC at “reject” or “quarantine” levels through GCA tools avoided an estimated $19M in BEC losses in 2018.
- 136% Surge in BEC Losses: Global exposed losses from Business Email Compromise increased by 136% between December 2016 and May 2018.
- The 1-in-100 Action Rule: Even if only 1% of BEC emails result in a successful attack, the potential for loss reduction across the internet remains a “big number” in the hundreds of millions.
- The High-End Risk Bracket: Average-sized companies with a 25% chance of a high-level executive mistake face probable losses between $8,800 and $4.7 million.
- Bank Adoption Lag: Despite the clear risks, as of Q1 2018, less than 40% of U.S. banks were using DMARC.
- Deliverability Gains: Large-scale implementations, such as that of Aetna, prevented 60 million fraudulent messages annually while improving legitimate email click-through rates by 10%.

Collaborative research by Adam Shostack, Jay Jacobs, and Wade Baker for the Global Cyber Alliance. The study combines FBI/IC3 crime data with simulated outcomes for 1,046 organizations and a search of 862 industry research reports.