Adoption of the email security standard known as DMARC — the best way to stop fraudulent email like phishing messages — remains low, even among large banks and other major corporations, according to new figures. And that’s because many companies don’t know about it, and it can be very complex to implement in big enterprises.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the industry standard measure to prevent email spoofing — when hackers make their messages appear as if they come from trusted correspondents. The aim of these so-called phishing messages is to entice the recipient to click malicious links or download infected attachments. Phishing is the number one method used by hackers to gain a foothold on a company network, experts say, and a major cybercrime vector — and DMARC, when used correctly, stops it dead.
“Just under a third of banks with an annual revenue of a billion dollars or more have DMARC implemented,” Alexander García-Tobar, CEO and co-founder of email security provider ValiMail, told CyberScoop. The company released new figures Monday for DMARC adoption — which can be discerned from public records — by the top million web domains, which they then broke down by size and sector.
Despite that low number, banks had the third adoption highest rate for any sector, behind only cybersecurity companies (50 percent implementation) and large tech companies (46.5 percent).
“It’s [partly] an awareness issue,” said García-Tobar, “The number one biggest impediment [to implementation] is that people don’t know about it … It’s technical and for many people, email is boring,” he said.
Even if companies implement the measure, he added, it still has to be switched on. Before that’s done, the protocol just informs the domain-owner if someone is sending email impersonating their domain. Once it’s switched on, delivery of spoofed or unauthorized messages is blocked altogether.
The ValiMail survey found that only fewer than 23 percent of DMARC users had it switched on and correctly configured.
“When we talk to these companies [that haven’t switched it on], they break down roughly into two groups,” said García-Tobar. “One third are not aware that they’re not in enforcement. The rest have given up …. It’s just too hard.”
This difficulty is especially pronounced in large enterprises, where there might be dozens of services sending email on the company’s behalf — all of which have to be authorized before DMARC is activated, or else they’ll be blocked.
“It’s very hard to get visibility on all the third parties sending from your domain,” said García-Tobar. “Some of these standards were designed before the cloud era, and they don’t work too well with cloud services,” he added.
Adding to the complexity, the messages informing the domain-owner about spoofed mail are “an unformatted XML blob” — which can be difficult to read — and can run to hundreds or even thousands of lines. Worse, the daily reports only list the originating numeric IP address of the email, which must then be translated into a alphabetical URL to find out the sender.
“If you mess up [activation], you mess up the company email flow, which is something people get fired for,”García-Tobar concluded.
But he added that, when corporate leadership made DMARC a priority — for example in the wake of a successful phishing attack against a senior executive, or in the federal government when it was required by policy — “They can make it happen.”