Only a third of Fortune 500 companies deploy DMARC, a widely-backed best-practice security measure to defeat spoofing — forged emails sent by hackers — and fewer than one-in-10 switch it on, according to a new survey.
The survey, carried out by email security company Agari via an exhaustive search of public Internet records, measured the use of Domain-based Message Authentication, Reporting and Conformance, or DMARC.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer [U.S.] government organizations, are protecting the public against email domain spoofing,” said Patrick Peterson, founder and executive chairman, Agari. A similar survey of federal government agencies earlier this month, by the Global Cyber Alliance, found fewer than five percent of federal domains were protected by switched-on DMARC.
The Agari survey found adoption rates similarly low among companies in the United Kingdom’s FTSE and Australia’s ASX 100.
DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a major form of both cybercrime and cyber-espionage, in which an email appearing to a come from a trusted company like a bank or government agency contains malicious links, directing readers to a fake site which will steal their login and password when they sign on.
Of the Fortune 500, Agari found only 33 percent had a DMARC policy, and only 8 percent had switched it on. But there were four industry sectors in which a majority of companies had adopted a DMARC policy: business services (60 percent), financial services (57 percent), technology (55 percent) and transportation (53 percent).
“These are seemingly the sectors most likely to be targeted by phishing attacks,” notes the Agari report. Business services includes companies like payment processors and credit card issuers, which are frequently spoofed in phishing campaigns. And the same is true for financial services. Transportation, the report notes, includes both shipping companies and airlines, which are again frequently spoofed to deliver malicious attachments disguised as package tracking numbers or travel reservations.
However, the authors note that even in these sectors only very small numbers of companies have DMARC turned on.
Companies can create a DMARC record in a matter of minutes, but once the policy is deployed, it has to be switched on. All the largest internet email providers like Google, Microsoft and Yahoo have it turned on for their users. If both sender and receiver have the policy switched on, email attempting to spoof the sender’s address will be delivered to recipient’s spam folder, or — if DMARC is switched to its highest setting — will not be delivered at all.
But most companies have a number of systems that send email — including third party services like email marketing firms. And that can complicate the process of compiling a comprehensive DMARC record. If additional domains like marketing contractors sending authorized email on behalf of the company aren’t properly included in the DMARC policy, they could be quarantined as spam or even rejected altogether when DMARC is switched on.
DMARC emerged in 2007 from a pilot program between PayPal and Yahoo! to eliminate spoofed emails. It is essentially an enforcement mechanism for two previously existing email authentication efforts, Sender Policy Framework, or SPF, and DomainKeys Identified Message, or DKIM. Those are basically ways to authenticate senders and DMARC is the policy which tells recipients what to do with messages that fail authentication. DMARC is in the process of being adopted as a standard by the Internet Engineering Task Force.