ThreatList: DMARC Adoption Nonexistent at 80% of Orgs

Standard email authentication to prevent spoofing and phishing remains elusive for most.

About 80 percent of company web domains don’t have standard email authentication protections in place.

That’s according to 250ok’s Global DMARC Adoption 2019 report, which analyzed 25,700 domains in the education, e-commerce, legal, financial services, SaaS and nonprofit sectors, as well as the Fortune 500, U.S. government and China Hot 100 sectors. The firm found that the majority lacked Domain-based Message Authentication, Reporting and Conformance (DMARC) policies; DMARC is considered the industry standard for email authentication to prevent attacks in which adversaries send mail from counterfeit addresses.

By implementing DMARC, companies lower the odds of their domains being spoofed and used for phishing attacks.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok, in the report. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”

DMARC policies are designed to be incremental, from a simple reporting-only system to a strict policy where messages failing authentication are rejected without being delivered or seen by the intended recipient.

To start, companies receive daily aggregate reporting from ISPs detailing a number of items, such as the number of messages they’ve seen using their domains, how many messages passed or failed authentication and the authentication results of the mail.

The next step is the quarantine phase, where any mail failing authentication is routed to the spam/bulk/junk folder. And for the most secure set-up under DMARC, organizations can choose to use a reject policy, which stops mail that fails authentication from even being accepted by the receiving mail systems.
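The three stages described above correspond to the `p=` tag of a domain's `_dmarc` TXT record (`none`, `quarantine`, `reject`), and the monitoring stage is driven by the aggregate (RUA) XML reports receivers send back. The following is an added example, not code from 250ok or Threatpost: it classifies a domain's published record into those stages, tallies adoption over a list of domains the way the survey reports it (share with any policy, and of those the share at reject), and summarizes a constructed aggregate report in the RFC 7489 Appendix C layout. Every record, domain name, IP and the XML report are constructed sample data.

```python
"""Added example (not from the 250ok report or Threatpost): classify the
DMARC policy stage a domain publishes, tally adoption over a list of
domains the way the survey does, and summarize one aggregate (RUA) report.
All records, domains and the XML report below are constructed sample data."""
import xml.etree.ElementTree as ET
from collections import Counter

# The stages the article describes, keyed by the record's p= tag (None = no record).
STAGES = {None: "no DMARC record", "none": "monitoring only (reporting)",
          "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict, or None if the
    TXT record is not a usable DMARC record (must carry v=DMARC1 and a p= tag)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def policy_stage(txt_record):
    """Map a domain's _dmarc TXT record (None when nothing is published) to a stage name."""
    tags = parse_dmarc_record(txt_record) if txt_record else None
    if tags is None:
        return STAGES[None]
    p = tags["p"].lower()
    if p not in STAGES:
        return "invalid policy value"
    stage = STAGES[p]
    # pct= defaults to 100; anything lower means the policy applies only to a sample of failures.
    pct = int(tags.get("pct", "100"))
    if p in ("quarantine", "reject") and pct < 100:
        stage += f" ({pct}% of failing mail)"
    return stage


def adoption_summary(records):
    """records: {domain: txt_record_or_None}.  Returns the share of domains with any
    policy and, of those, the share at reject, mirroring how the survey reports them."""
    stages = {d: parse_dmarc_record(r) if r else None for d, r in records.items()}
    with_policy = [t for t in stages.values() if t]
    rejecting = [t for t in with_policy if t["p"].lower() == "reject"]
    any_pct = 100 * len(with_policy) / len(records)
    reject_pct = 100 * len(rejecting) / len(with_policy) if with_policy else 0.0
    return {"any_policy_pct": any_pct, "reject_of_those_pct": reject_pct}


# Constructed aggregate report in the RFC 7489 Appendix C layout (trimmed to the fields used).
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""


def summarize_rua(xml_text):
    """Tally an aggregate report: messages that passed DMARC (either aligned DKIM or
    aligned SPF passed), messages that failed, what the receiver did with them, and
    per-source-IP volume, which is what a monitoring-phase deployment reads daily."""
    root = ET.fromstring(xml_text)
    totals, by_source = Counter(), Counter()
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals["pass" if passed else "fail"] += count
        totals["disposition:" + ev.findtext("disposition")] += count
        by_source[rec.findtext("row/source_ip")] += count
    return {"published_policy": root.findtext("policy_published/p"),
            "totals": dict(totals), "by_source": dict(by_source)}


if __name__ == "__main__":
    sample = {"a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
              "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
              "c.example": None, "d.example": "v=spf1 -all"}
    for d, r in sample.items():
        print(d, "->", policy_stage(r))
    print(adoption_summary(sample))
    print(summarize_rua(SAMPLE_RUA_XML))
```

The `by_source` tally is the part a monitoring-phase deployment acts on: a source IP that sends in the domain's name but never passes aligned DKIM or SPF is either an unlisted legitimate sender (a forgotten SaaS tool or appliance) that needs fixing before moving to quarantine, or someone else's mail that the policy will start catching once it is tightened.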

Overall, the report found that about a fifth (20.3 percent) of domains have some level of DMARC policy in place, and out of those, just 6.1 percent have enacted a reject policy.

On a sector-by-sector basis, for the second year in a row, Chinese companies turn out to be the least likely to adopt any DMARC policy, with 93.5 percent of domains having no policy in place, according to the report. Nonprofit organizations are also far behind in DMARC adoption (91.4 percent have no policy in place), even though they continue to hold a significant amount of personal data. These sectors also had the smallest increase of overall DMARC adoption from 2018 to 2019, with only 1.9 percent and 2.8 percent increases, respectively.

Other notable findings include the fact that only 23 percent of companies in the Fortune 500 have some form of DMARC policy despite being the largest firms in terms of revenue. The travel industry is also well behind overall averages, with 86 percent of all domains having no policy in place and only 1 percent having a reject policy.

In the plus column, the executive branch of the government leads all verticals with 81.5 percent of all its domains enacting a reject policy. And the SaaS 1,000 is the best non-public vertical surveyed, with about half (54 percent) lacking a policy.

The report also found that law firms had the greatest increase in overall adoption from 2018 to 2019, with a 19 percent increase. European and U.S. retailers had the second and third greatest increases with 14.8 percent and 12.5 percent overall adoption respectively.

Drilling down on a more granular level also reveals bright spots at individual firms, however.

“On average, we see a significant portion of those studied not publishing any type of DMARC record,” according to the report. “While this looks bleak, many of the individual industry groups monitored performed significantly better than the overall averages suggest.”



Discussion

  • Brian on

    Did you know that Office 365 treats quarantine and reject policies the same way for inbound mail? It marks them all as spam instead, to prevent mail from being sent to the void with no chance of retrieval. Quarantine policy is much better than reject for this reason overall!
  • Bill Keptical on

    Both my domains are set to 100% reject with strict SPF (-all) records, plus DKIM. If an email does not meet my SPF, I do not want it delivered. I honestly can't see why anyone would.
  • Trevor Hardy on

    Sadly the world is full of devices and applications that don't play nicely with mail authentication, making DMARC a nightmare to implement. We try to implement it wherever possible, however testing at most sites reveals that it will simply break too many systems. Just as a simple example of what we came across last week, trying to configure a UPS SNMP card for email reporting, we ended up having to fall back to unencrypted mail over port 25 because neither SSL nor TLS would connect successfully to any mail servers we tried. If DMARC was configured properly for that domain those messages would just get blackholed, so we constantly have to use workarounds like using alternative domains for hardware systems. Even Outlook is something of a nightmare, as older versions have poor authentication (so systems such as Gsuite actively block it). Doing DMARC properly really takes a ground-up approach, whether starting from scratch choosing systems that fully support current authentication standards or going back to a complete redesign and being willing to wipe out legacy systems. That's no small task for existing businesses, and it's extremely difficult to get management buy-in for something they see utterly no value in.
