Banks Adopt Email Authentication, But There’s More to Do
The march toward universal email authentication continues.
The five largest banks in the U.S. have adopted the DMARC email authentication standard, but there’s still much more to be done, according to a news release from the Global Cyber Alliance, a cybersecurity nonprofit founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police, and the Center for Internet Security.
According to the GCA, only 11 of the top 50 U.S. banks and 9 of the top 50 European banks have deployed DMARC and set it to block fraudulent emails or mark them as spam.
The GCA notes that another 32 of these top banks have set up DMARC, but are not seeing any benefit from it because they have not set their authentication policies to reject or quarantine emails that don’t pass muster (p=reject or p=quarantine, in DMARC’s terms).
In other words, 51 percent of the top U.S. and European banks have published DMARC policies — but of those who have policies, only 37 percent are actually seeing the antispam and antiphishing benefits DMARC provides.
Out of the 50 fastest-growing independent banks in the U.S., none — zero — are using DMARC.
GCA notes that DMARC is now supported by more than 85 percent of consumer email accounts.
“DMARC is proven, and it is free,” said Philip Reitinger, the president and CEO of the GCA, adding that it delivers a “significant” return on investment. “If a customer can’t trust your email correspondence, they will be looking elsewhere rather quickly.”
As the GCA notes, DMARC is an open standard, and configuring it is theoretically as simple as publishing a DNS TXT record (for organizations that have already implemented two supporting standards known as DKIM and SPF). However, the relatively high rate of banks that are using DMARC but not seeing any benefit from it — 67 percent — suggests that implementation is a bit trickier than many people expect.
Indeed, that failure rate corresponds almost exactly with what Valimail found in our recent survey of DMARC usage among a large sampling of corporations and government organizations. What we discovered is that about 70 percent of organizations fail to get DMARC to a reject or quarantine setting — and that ratio is roughly the same for the largest enterprises as it is for small and medium-size businesses.
The complexities of the various authentication standards, combined with the need to maintain email at a high level of availability, make many organizations nervous about moving from a testing phase to enforcement.
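The gap between publishing a DMARC record and enforcing it can be read straight from the TXT record, as in this added example (not Valimail or GCA code). The domain names and record strings are constructed samples, the category names are this example's own, and the DNS lookup of the `_dmarc.<domain>` TXT record is left out so the code runs offline.

```python
from collections import Counter

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first; anything else is not a DMARC record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt):
    """Label a record: enforced, partial, monitor-only, or invalid."""
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid"  # simplification: no usable policy counts as invalid here
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"  # reports are collected, but nothing is blocked
    if policy not in ENFORCING:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    # pct below 100 applies the policy to only a share of failing mail.
    return "enforced" if pct == 100 else "partial"

def summarize(records):
    """Count domains per category for a {domain: txt_record} mapping."""
    return dict(Counter(classify(txt) for txt in records.values()))

# Constructed sample records, not taken from any real bank.
SAMPLES = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=25",
    "bank-d.example": "v=spf1 include:_spf.bank-d.example -all",
}

if __name__ == "__main__":
    print(summarize(SAMPLES))
```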
Valimail applauds the use of DMARC by these top European and American banks. We’re proud to be part of the momentum towards authenticating the world’s email. If you want to see whether your company is protecting itself and its customers against phishing by authenticating email, you can use our free, instant domain checker. We’re committed to seeing global adoption and enforcement of DMARC, and we’re here to help.