DMARC adoption in the nl TLD and why it matters

DMARC (Domain-based Message Authentication, Reporting and Conformance) can be a very good barrier against email spoofing and has been around for a long time. Why doesn’t every domain use it?

Why look at DMARC?

DMARC is a standard that, when used properly, can defeat email spoofing.

DMARC is an extension of SPF and DKIM. These three combined do basic email authentication. You can validate that the domain used in the MAIL FROM or Return-Path header field is actually the sending domain. DMARC extends that validation to the From field of an email, the From field you see in your email client/app.

Using DMARC you can instruct receiving email servers to check that the email was actually sent by the domain it claims to be from. If the sender can’t be validated, you can tell the receiving server to reject the email or put it in the SPAM folder.

You can also use DMARC to say: do nothing when you detect that an email was spoofed. This can be useful when first starting with DMARC, but should only be used as a step while you work towards the stage where you can reliably reject invalid emails without rejecting valid ones.

You might think not a lot of people would do this, but as we will see later it’s used a lot. That is basically no better than having no DMARC.

You want to make spoofing of your domain impossible.

When your domain name is used in email, you want those to be valid emails only.

When people who shouldn’t use your domain name do so, it is mostly with bad intentions. They abuse your email addresses so that people trust these emails when they shouldn’t. The recipients can’t tell the difference from an actual email from you.

They send all kinds of scams and phishing emails abusing your name. This may directly impact your business, for instance through compromised accounts or direct financial damage. Additionally, it will have a negative impact on your reputation.

If more domains use DMARC effectively the number of domains that criminals can abuse decreases, making phishing and other scams harder and less lucrative.

By not using DMARC properly we are making life for phishers too easy. That’s why they keep doing it. It’s easy and it works. Email spoofing is part of why it works.

NL stats on DMARC from the source.

SIDN is the organisation managing the .nl TLD.

You can get lists of nl domains from various places but because SIDN keeps the data closed they are almost always incomplete.

So getting the data from SIDN is probably the most reliable you are going to get.

You can find all kinds of domain related data for the nl TLD. It also includes email related data.

Most interesting

I checked data for May 1st 2026; at that time there were 6.081.616 registered nl domains.

Of those, 82.74% have a DMARC record.

Just over 17% have not set a DMARC record. This opens up your domain for abuse by others: you enable criminals to impersonate you and the receiver has no way of checking whether it was actually you. That’s why every domain should have a DMARC record, even if you do not use that domain for email.

Of the domains that have a DMARC record, 40.50% have a record but say ignore DMARC, so there is no protection.

22.67% say: if you detect that this email is not authenticated (sent by my domain in a way that you can validate), put it in the SPAM folder. At least that is some protection. But someone who really wants to target a specific organisation can still do this and then call them about the email they sent: “did you check the SPAM folder?”

Only 37.03% of the nl domains with a DMARC record use the DMARC protection fully. That’s roughly just over 1 in 3 of those domains.

So only 1863323 domains enjoy the full protection DMARC provides, that’s about 30% of the nl domains. So 70% of these domains could be improved to make life harder for cyber criminals.
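The categories behind these percentages come from the TXT record each domain publishes at `_dmarc.<domain>`. The following is an added example, not code from SIDN or from the original post, that sorts records into those levels; the `.example` domains and their records are constructed, the labels `no-dmarc`, `invalid` and `-partial` are this example's own names, and fallback to a parent domain's record is left out.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The record must start with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Protection level for the TXT records published at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        # No DMARC record, or more than one: receivers apply no policy.
        return "no-dmarc"
    policy = parsed[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = parsed[0].get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return policy + "-partial"  # policy covers only part of the mail
    return policy

# Constructed sample data: domain -> TXT strings found at _dmarc.<domain>.
SAMPLE = {
    "norecord.example": [],
    "spfonly.example": ["v=spf1 -all"],
    "double.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "spamfolder.example": ["v=DMARC1; p=quarantine"],
    "strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "parked.example": ["v=DMARC1; p=reject; sp=reject"],
    "rollout.example": ["v=DMARC1; p=reject; pct=25"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

def summarize(zone):
    """Count domains per protection level."""
    return Counter(classify(records) for records in zone.values())

if __name__ == "__main__":
    for level, count in summarize(SAMPLE).most_common():
        print(f"{level:18} {count}")
```

Only the `reject` bucket corresponds to the fully protected group counted above; `double.example` and `typo.example` show how a record can exist and still give no protection.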

Why is this still not used?

DMARC has been around since 2012. After 14 years almost every email server has implemented this. What’s lacking is the configuration on DNS by the domain owners.

Possible explanations for the low DMARC adoption.

People are scared to change things about email: what if it affects my reputation? They fear that real emails sent by them will also not arrive in the user’s inbox. In the long run, not setting up DMARC may actually damage your reputation, as more and more parties will expect properly set up DMARC, as Google and Microsoft have already done for bulk senders.

People assume someone else does this because they outsourced their email server. But those parties do not control your DNS. Even if they do, they will not make changes by themselves, because they don’t know everything needed to configure this correctly, and when it is configured wrong it will cause valid email to be rejected.

People have come to accept phishing and email spoofing because it has been around for so long. They assume it’s just there and that they can’t do anything against it.

People are scared off by technical jargon and think that because they may not know all about SPF, DKIM, DMARC and DNS, they cannot do this.

Lack of knowledge: they just don’t know. And it is not always easy to find out. Suppose you google what to do about phishing: most answers will not mention DMARC. So unless you start using specific terms like spoofing, you will not find the solution DMARC provides.

Now what.

The goal: 100% DMARC adoption, preferably with p=reject or at least quarantine. None is not good enough. Then we can rely on the From field in emails to be actually reliable and trusted.

Start with the domains you own/control. Set up SPF, DKIM and DMARC. There are lots of resources on how to do that, for instance by Valimail.

Most importantly, you need to know which servers/systems send email on behalf of your domain. This includes websites sending password reset mails, support websites, systems sending marketing emails and whatever other emails you send. For most email domains this should not be too hard. If you have a complex email infrastructure, then you probably also have a team dealing with this infrastructure; they should know how to set up DMARC.

[Check your DMARC status](https://mxtoolbox.com/dmarc.aspx).

You have done your part.

You could also promote the use of DMARC with the parties you communicate with most often. If they use it, it increases the trust you can have in their emails, and you will not be phished by someone impersonating their email addresses.

This is not the holy grail in email security, there’s more to it than that, but it is an important step, that is relatively easy to set up.

Increase trust in email while making life harder for cybercriminals: start working on it if your domains are not fully protected.