ThreatList: DMARC Adoption Nonexistent at 80% of Orgs

Standard email authentication to prevent spoofing and phishing remains elusive for most.

About 80 percent of company web domains don’t have standard email authentication protections in place.

That’s according to 250ok’s Global DMARC Adoption 2019 report, which analyzed 25,700 domains in the education, e-commerce, legal, financial services, SaaS and nonprofit sectors, as well as the Fortune 500, U.S. government and China Hot 100 sectors. The firm found that the majority lacked Domain-based Message Authentication, Reporting and Conformance (DMARC) policies; DMARC is considered the industry standard for email authentication to prevent attacks in which adversaries send mail from counterfeit sender addresses.

By implementing DMARC, companies lower the odds of their domains being spoofed and used for phishing attacks.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok, in the report. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”

DMARC policies are designed to be incremental, from a simple reporting-only system to a strict policy where messages failing authentication are rejected without being delivered or seen by the intended recipient.

To start, companies receive daily aggregate reporting from ISPs covering items such as the number of messages the receivers have seen using their domains, how many of those messages passed or failed authentication, and the authentication results of the mail.

The next step is the quarantine phase, where any mail failing authentication is routed to the spam/bulk/junk folder. And for the most secure setup under DMARC, organizations can choose to use a reject policy, to stop mail that fails authentication from even being accepted by the receiving mail systems.
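The three stages described above (reporting only, quarantine, reject) correspond to the `p=` tag of a domain's `_dmarc` TXT record, and the daily aggregate reports arrive as XML. The following added example, written for this page and not code from 250ok or Threatpost, parses a DMARC record, places it in one of those stages while flagging settings that weaken the stated policy, and totals a constructed aggregate report; every record string, domain name and the XML below are constructed samples, not any real organization's data.

```python
"""Classify a DMARC record into the report's three stages and summarise an
aggregate (rua) report. Added example for this page; not code from 250ok
or Threatpost. All record strings and XML below are constructed samples."""
import xml.etree.ElementTree as ET

# "p=" values in increasing order of strictness (RFC 7489).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split "v=DMARC1; p=reject; rua=mailto:..." into a tag dict.
    Returns {} when the text is not a usable DMARC record, so a missing,
    malformed or non-DMARC TXT record all count as "no policy"."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def assess(txt):
    """Return (stage, findings): stage is 'missing', 'none', 'quarantine'
    or 'reject'; findings lists settings that weaken the stated policy."""
    tags = parse_dmarc(txt or "")
    if not tags:
        return "missing", ["no valid DMARC record (v=DMARC1 with a p= tag)"]
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return "missing", ["unknown p= value %r" % tags["p"]]
    findings = []
    if policy == "none":
        findings.append("p=none: reporting only, spoofed mail is still delivered")
    # pct defaults to 100; a lower value applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct=%r is not numeric" % tags["pct"])
    if pct < 100 and policy != "none":
        findings.append("pct=%d: policy enforced on only %d%% of failing mail" % (pct, pct))
    # sp= governs subdomains and defaults to p=; a weaker sp= leaves
    # subdomains spoofable even when the organisational domain is at reject.
    sp = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sp, 0) < POLICY_RANK[policy]:
        findings.append("sp=%s is weaker than p=%s: subdomains stay exposed" % (sp, policy))
    if "rua" not in tags:
        findings.append("no rua= address: receivers have nowhere to send aggregate reports")
    return policy, findings


def summarize_aggregate(xml_text):
    """Total a DMARC aggregate report: messages seen for the domain, how many
    passed DMARC (aligned DKIM or aligned SPF) and the dispositions applied."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "total": 0, "passed": 0, "failed": 0, "dispositions": {}}
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail")
        spf = rec.findtext("row/policy_evaluated/spf", "fail")
        disp = rec.findtext("row/policy_evaluated/disposition", "none")
        summary["total"] += count
        # DMARC passes when either aligned identifier passes.
        summary["passed" if "pass" in (dkim, spf) else "failed"] += count
        summary["dispositions"][disp] = summary["dispositions"].get(disp, 0) + count
    return summary


# Constructed aggregate report in the RFC 7489 Appendix C layout (sample data).
SAMPLE_AGGREGATE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>brand.example</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>brand.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>7</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>brand.example</header_from></identifiers></record>
</feedback>"""

if __name__ == "__main__":
    for record in ("", "v=DMARC1; p=none; rua=mailto:dmarc@brand.example",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@brand.example",
                   "v=DMARC1; p=reject; sp=none",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"):
        print(record or "<no record>", "->", assess(record))
    print(summarize_aggregate(SAMPLE_AGGREGATE_REPORT))
```

Feeding a real domain's `_dmarc` TXT record into `assess()` is enough to place it in the report's categories; the `pct` and `sp` checks matter because a record can read `p=reject` and still leave most mail, or every subdomain, unprotected.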

Overall, the report found that about a fifth (20.3 percent) of domains have some level of DMARC policy in place, and out of those, just 6.1 percent have enacted a reject policy.

On a sector-by-sector basis, for the second year in a row, Chinese companies turn out to be the least likely to adopt any DMARC policy, with 93.5 percent of domains having no policy in place, according to the report. Nonprofit organizations are also far behind in DMARC adoption (91.4 percent have no policy in place), even though they continue to hold a significant amount of personal data. These sectors also had the smallest increase of overall DMARC adoption from 2018 to 2019, with only 1.9 percent and 2.8 percent increases, respectively.

Other notable findings include the fact that only 23 percent of companies in the Fortune 500 have some form of DMARC policy despite being the largest firms in terms of revenue. The travel industry is also well behind overall averages, with 86 percent of all domains having no policy in place and only 1 percent having a reject policy.

In the plus column, the executive branch of the government leads all verticals with 81.5 percent of all its domains enacting a reject policy. And the SaaS 1,000 is the best non-public vertical surveyed, with about half (54 percent) lacking a policy.

The report also found that law firms had the greatest increase in overall adoption from 2018 to 2019, with a 19 percent increase. European and U.S. retailers had the second and third greatest increases, with 14.8 percent and 12.5 percent overall adoption, respectively.

Drilling down on a more granular level also reveals bright spots at individual firms, however.

“On average, we see a significant portion of those studied not publishing any type of DMARC record,” according to the report. “While this looks bleak, many of the individual industry groups monitored performed significantly better than the overall averages suggest.”

