More than nine out of 10 listed companies are not using a domain-based message authentication, reporting, and conformance (DMARC) policy on their corporate domains. DMARC is an email validation system used to verify the identity of an email sender, which protects against spoofed emails and phishing attacks.
That's according to a report by cybersecurity firm Agari, which said only 39 companies in the list of 500 firms have a policy that marks unauthenticated messages as spam or rejects them entirely.
Agari didn't name the companies that fared the worst in the report, but told ZDNet that several telecom and tech-oriented companies dominated the list of companies that applied the strongest levels of DMARC email security.
Amazon, Time Warner, Verizon, Visa, and Walmart are among the firms that mark unauthenticated messages as spam, while Adobe, Alphabet (Google's parent company), Facebook, FedEx, Microsoft, Netflix, PayPal, and Yahoo reject emails that haven't come from an authenticated domain.
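
The difference between having no enforcing policy, marking unauthenticated mail as spam (quarantine) and rejecting it can be read from the TXT record a domain publishes at `_dmarc.<domain>`. The sketch below is an added example, not code from Agari's report or from ZDNet; the domain names and record strings are constructed samples, and the category labels are this example's own simplification.

```python
# Added example: classify DMARC TXT records by enforcement level.
# All records below are constructed samples, not real published policies.

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # the version tag must come first
        tags.setdefault(name, value)  # keep the first occurrence of a tag
    return tags or None

def enforcement(txt_records):
    """Label the policy found in the TXT records at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not parsed:
        return "no-record"
    if len(parsed) > 1:
        return "invalid"  # more than one DMARC record: receivers apply none
    policy = parsed[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # simplification: no usable enforcement either way
    if policy == "none":
        return "monitor-only"  # reports only, spoofed mail is still delivered
    try:
        pct = int(parsed[0].get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid"
    return policy if pct >= 100 else policy + "-partial"

SAMPLES = {  # constructed domains and records
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "spam.example": ["v=spf1 -all", "v=DMARC1; p=quarantine; pct=100"],
    "watch.example": ["v=DMARC1; p=none; rua=mailto:dmarc@watch.example"],
    "ramp.example": ["v=DMARC1; p=quarantine; pct=25"],
    "bare.example": [],
}

def survey(domains):
    """Map each domain to its enforcement label."""
    return {domain: enforcement(records) for domain, records in domains.items()}

if __name__ == "__main__":
    for domain, level in survey(SAMPLES).items():
        print(f"{domain:16} {level}")
```

Only the `quarantine` and `reject` labels correspond to the two behaviours described above; `monitor-only` and the `-partial` variants still let some or all unauthenticated mail through.
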
"It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing," said Patrick Peterson, Agari's executive chairman.
"Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard," he said in remarks.
It's not the first time that companies have been called out for not using DMARC across their organizations. The chief of the UK's National Crime Agency cybersecurity unit recently said that the protocol's widespread adoption would result in a "significantly reduced" spam problem.
But it's not just private corporations. Even government departments, like Homeland Security, which is charged with protecting US cyberspace, don't use the email validation system.
Sen. Ron Wyden (D-OR) criticized the department's policy in July, calling an implementation of DMARC "a no-brainer that increases cybersecurity without sacrificing liberty."
A month later, Homeland Security still hasn't rolled out DMARC.