DMARC Adoption Spikes, Higher Ed Remains Behind

dmarc adoption summer 2020 email security

As colleges and universities prepare for the fall semester, email protections against surging threats like BEC and phishing are lagging.

Adoption of the email security protocol DMARC has continued to tick upwards, with the number of domains deploying DMARC records surpassing 1 million in the last two years — a 2.5 times greater total than in 2018.

That’s according to Valimail’s Email Fraud Landscape 2020 report, which also found that even with the increased uptake, the use of the strongest version of the email protection standard is still lagging.

A separate report from Tessian meanwhile shows lagging adoption is particularly true when it comes to higher education – an issue that’s in the spotlight as colleges and universities prepare for the fall semester and getting kids back into the classroom, either with remote learning or in-person.

DMARC (which stands for Domain-based Message Authentication, Reporting and Conformance) is an industry standard that ensures that emails are authenticated before they reach users’ mailboxes and confirms that they have been sent from legitimate sources. If configured correctly, potential phishing emails can be stopped at the gateway, or redirected to the junk folder – and it prevents address-spoofing.

DMARC policies are designed to be incremental, starting with a simple reporting-only system where companies receive daily aggregate reporting from ISPs detailing a number of items, such as the number of messages they’ve seen using their domains, how many messages passed or failed authentication and the authentication results of the mail. The next step is the quarantine phase, where any mail failing authentication be routed to the spam/bulk/junk folder. And for the most secure set-up under DMARC, organizations can choose to use a reject policy, to stop mail that fails authentication from even being accepted by the receiving mail systems.

Valimail found that while DMARC is widely supported, with 80 percent of all inboxes worldwide doing DMARC checks and enforcing domain owners’ policies on inbound messages —only 13.9 percent of all DMARC records are configured with enforcement policies that reject or quarantine non-authenticating email.

Crooks Put Schools to Test

DMARC adoption numbers course vary by industry and size. For instance, a full 40 percent of the top 20 universities in the United States lack proper DMARC protections, according to a recent analysis from Tessian. That led researchers to warn of phishing attacks that try and steal students’ valuable personal or financial information, along with intellectual property.

According to Tessian, out of the 60 percent of universities that do have DMARC in place, the DMARC policies have not been set up to quarantine or outright reject any emails from unauthorized senders using its domains.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” 

“Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university,” explained Maddie Rosenthal, researcher at Tessian, in a recent posting.

According to Neumann, DMARC adoption is moving fast for those that have decided to move to cloud-based platforms such as Office 365 – but universities are not typically among them.

“Companies that still run their own internal mail servers are prone to not implementing this simple feature and appropriately configuring DNS,” he told Threatpost. “Higher education tends to run its own email instead of outsourcing it.”

He added, “As a whole, higher education institution security tends to be horrible overall and is the easiest soft target on the web. Having DMARC configured would be up to the specific IT team to know what it is and implement. We have had multiple engagements with universities where spoofing domains with email is simple.”

Cyberattackers have been known to capitalize on back-to-school momentum, as seen last year with the TA407/Silent Librarian attacks. In that campaign, low volume, highly targeted, socially engineered campaigns targeted students at hundreds of universities in the U.S. The M.O. was email spoofing, where the attackers impersonated university libraries, and included links or HTML attachments directing victims cloned university login portals. These phishing sites then attempted to steal students’ login credentials and more.

“Against the backdrop of ‘back to school’ and the shift to hybrid learning environments (with some universities restricting access to campuses), it wouldn’t seem out of the ordinary for a university to request [personal] information,” said Rosenthal. “Students, therefore, may not realize they are being scammed – especially if the email domain looks legitimate.”

She added, “Configuring email authentication records like DMARC, and setting policies to the strictest settings, are necessary measures for preventing attackers from directly impersonating your company’s email domain,” Rosenthal said.

DMARC Adoption Remains Uneven

As for other industry areas, Valimail found that, in the good-news column, 30 percent of Fortune 500 domains using DMARC are using enforcement policies. However, this comes with some not-so-good news: This leaves 79 percent that can still be spoofed, because they either have no DMARC, are using DMARC in monitor/reporting-only mode, or have other DMARC configuration problems, according to the report. As for the very large enterprise segment, the data shows that 86 percent of global companies with $1 billion or more in revenues can be spoofed.

Also, 75 percent of U.S. federal domains are protected from spoofing by DMARC enforcement ( is not one of them – but the U.S. Department of Homeland Security mandates DMARC for federal agencies).

The report also found that 60 percent of utility domains now have DMARC records; however only 8 percent of all utilities have achieved DMARC enforcement.

Criminals Get DMARC-Aware

Email-borne threats remain the top attack vector for enterprise cybercrime. Phishing, impersonation attacks and business email compromise (BEC) business email compromise are all on the rise.

According to the third annual Email Security Challenges, Trends and Benchmarks survey report, released by Great Horn Tuesday, nearly half of respondents (48.7 percent) reported seeing impersonations of people such as colleagues, customers or vendors preying on the sense of urgency of an increasingly distracted and dispersed workforce. More than a third of respondents (35.1 percent) said that people impersonation attacks ranked as their top email threat in 2020.

“As the professional community continues to work in a remote environment, email impersonations present the perfect way for opportunistic fraudsters to take advantage of human vulnerabilities,” according to the firm. “Although there are infinite variations of impersonation attacks, each one relies on an end users’ misguided trust in surface appearance and quick reactions to emails.”

The U.S. Secret Service this week announced that it has broken up “hundreds” of COVID-19-related cyber-fraud scams since March, when coronavirus lockdowns went into place around the country. And in terms of specific wins, the Secret Service is now leading a “nationwide effort to investigate and counter a vast transnational unemployment fraud scheme targeting U.S. state unemployment programs.

As email threats continue and DMARC awareness grows at companies, cybercriminals are also getting savvy – and are pioneering ways to take advantage of those without adequate DMARC protection.

“Malicious actors are well aware of companies not having DMARC and exploit this daily,” Joseph Neumann, director of offensive security at Coalfire, told Threatpost. “If an organization doesn’t know how to deploy DMARC, then they most likely don’t know how to monitor their network, making them tempting targets for bad actors.”

For instance, a Russian BEC gang called Cosmic Lynx recently appeared on the scene, and has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July.

The threat group sets itself apart from other run-of-the-mill BEC scams in that it uses extremely well-written emails, targets victims without DMARC policies and leverages a fake “merger-and-acquisition” scenario that allows it to steal larger sums of money from victims.

Neumann also noted that while DMARC is a critical tool for email security, it’s only one aspect of what should be a multilayered approach.

“DMARC only really helps your organization for spoofed or unverifiable mail servers,” he told Threatpost. “With implementation of LetsEncrypt or by purchasing a certificate for a legitimate domain, there is no way to know if it’s bad or good from DMARC alone. DMARC can be used with a host of other tools and features like SPF [Sender-Policy Framework], DKIM [DomainKeys Identified Mail], reputation, spam filters, and the like, to actually stop malicious emails.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles