Corporations Understand DMARC Is Critical. So Why Can’t They Get to Enforcement?
The Online Trust Alliance (OTA) recently published the 2016 results of its annual Online Trust Audit, an analysis of corporations’ attitudes towards security and their adoption of various security technologies.
The OTA audit shows that most corporations, banks, and government agencies have a long way to go before they fully implement the most advanced email authentication, DMARC.
However, many organizations clearly understand the importance of authentication preventing phishing and other forms of email fraud, as shown by sharp increases in the percentage of enterprises using DMARC as well as the older authentication standards, SPF and DKIM. It’s just that very few companies have succeeded in getting DMARC to the point where it’s actually doing anything to stop fraud.
Background on the OTA Audit
This year’s audit included nearly 1,000 websites across a variety of major categories, including top retailers, top banks, consumer services, news media, and 50 of the most significant U.S. federal government sites.
Overall, corporate and government site security is improving: 50 percent of the sites analyzed by the OTA qualified for “Honor Roll” status, an increase of 6 percentage points from the previous year.
There are notable improvements in email authentication as well.
Among the top 500 Internet retailers, for instance, only 56 percent were using both SPF and DKIM in 2013; that proportion has risen to 85 percent in 2016. Rates are similarly high and rising among banks, consumer sites, and news sites. The only real laggards are the top 50 federal sites, of which only 20 percent were using SPF and DKIM together in 2013, rising to just 58 percent this year.
What’s more, many of these organizations are adopting DMARC, the newer standard that uses and builds on both SPF and DKIM to offer even more ironclad email authentication. In 2013, just 3 percent of the top 500 Internet retailers had a DMARC record; that was up to 21 percent by 2016, with most of the growth in the past year. Among the top 100 retailers, the rate grew more impressively, from 5 percent to 30 percent. Meanwhile, among the top 100 consumer sites, 22 percent used DMARC in 2013 but fully 64 percent are using it now.
As the OTA notes:
Given the gap between SPF/DKIM adoption (above 90% in many sectors) and DMARC adoption (below 30% in most sectors), there is still significant room for growth in DMARC adoption. The “R or Q” column shows the percentage of organizations with a DMARC record that publish a reject or quarantine policy, illustrating significant room for growth in nearly all sectors.
So what’s the problem?
The real issue is that many of these companies haven’t turned on DMARC enforcement. OTA measured that by checking to see how many companies had set their DMARC policies to p=reject or p=quarantine, settings which delete or quarantine (respectively) non-authenticating email messages. In almost every category, fewer than 25 percent of the companies that had DMARC policies were actually enforcing them. In some cases it was as low as 13 or 14 percent.