Corporations Understand DMARC Is Critical. So Why Can’t They Get to Enforcement?
Photo credit: Chris Lim/Flickr
The Online Trust Alliance (OTA) recently published the 2016 results of its annual Online Trust Audit, an analysis of corporations’ attitudes towards security and their adoption of various security technologies.
The OTA audit shows that most corporations, banks, and government agencies have a long way to go before they fully implement the most advanced email authentication standard, DMARC.
However, many organizations clearly understand the importance of authentication in preventing phishing and other forms of email fraud, as shown by sharp increases in the percentage of enterprises using DMARC as well as the older authentication standards, SPF and DKIM. It’s just that very few companies have succeeded in getting DMARC to the point where it’s actually doing anything to stop fraud.
Background on the OTA Audit
This year’s audit included nearly 1,000 websites across a variety of major categories, including top retailers, top banks, consumer services, news media, and 50 of the most significant U.S. federal government sites.
Overall, corporate and government site security is improving: 50 percent of the sites analyzed by the OTA qualified for “Honor Roll” status, an increase of 6 percentage points from the previous year.
There are notable improvements in email authentication as well.
Among the top 500 Internet retailers, for instance, only 56 percent were using both SPF and DKIM in 2013; that proportion has risen to 85 percent in 2016. Rates are similarly high and rising among banks, consumer sites, and news sites. The only real laggards are the top 50 federal sites, of which only 20 percent were using SPF and DKIM together in 2013, rising to just 58 percent this year.
The percentage of organizations using both SPF and DKIM is rising across all categories. Source: OTA, “2016 Online Trust Audit & Honor Roll”
What’s more, many of these organizations are adopting DMARC, the newer standard that builds on both SPF and DKIM and adds two things they lack on their own: a check that the authenticated domain matches the “From” address the recipient actually sees, and a published policy telling receivers what to do when that check fails. In 2013, just 3 percent of the top 500 Internet retailers had a DMARC record; that was up to 21 percent by 2016, with most of the growth in the past year. Among the top 100 retailers, the rate grew more impressively, from 5 percent to 30 percent. Meanwhile, among the top 100 consumer sites, 22 percent used DMARC in 2013 but fully 64 percent are using it now.
As the OTA notes:
Given the gap between SPF/DKIM adoption (above 90% in many sectors) and DMARC adoption (below 30% in most sectors), there is still significant room for growth in DMARC adoption. The “R or Q” column shows the percentage of organizations with a DMARC record that publish a reject or quarantine policy, illustrating significant room for growth in nearly all sectors.
So what’s the problem?
The real issue is that many of these companies haven’t turned on DMARC enforcement. OTA measured that by checking how many companies had set their DMARC policies to p=reject or p=quarantine, settings which ask receiving mail servers to reject or quarantine (respectively) messages that fail DMARC, that is, messages for which neither SPF nor DKIM produces a pass aligned with the “From” domain. In almost every category, fewer than 25 percent of the companies that had DMARC policies were actually enforcing them. In some cases it was as low as 13 or 14 percent.
What’s keeping these companies from enforcing the DMARC records they’ve set up?
DMARC, and email authentication generally, is a complex area and an unfamiliar one for many corporate IT departments. Getting SPF and DKIM records set up correctly, with all their associated DNS entries, while avoiding the many gotchas and limitations involved in these standards (SPF’s ten-DNS-lookup limit, DKIM key rotation, third-party senders that mail on the company’s behalf), is difficult enough.
Adding DMARC on top of those two improves authentication because, among other things, it requires alignment: the domain in the user-visible “From” header must match either the domain SPF validated (the envelope sender) or the domain in the DKIM signature. SPF and DKIM alone never look at the visible “From” address, so a phisher can pass both by using a domain they control while still displaying the target company’s name; alignment closes that gap. One aligned pass is enough, so a message does not need both SPF and DKIM to succeed.
But DMARC presents its own minefield of difficulties that many companies are not quite prepared to deal with. As a result, it seems clear that many are taking a cautious approach, setting up DMARC and then leaving the policy set to p=none while they monitor it and make sure nothing is breaking.
The downside of that approach is that p=none does nothing to stop phishing attacks: receivers still deliver failing messages exactly as they would without DMARC. What p=none does provide is aggregate reporting, which is how a company finds the legitimate senders that would break under enforcement, so monitoring is a necessary step, but it is not the destination. The sooner companies get the knowhow and confidence to start enforcing their DMARC policies, the better.
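To make the mechanics above concrete, here is an added example of how a receiving mail server turns a published DMARC record into a verdict. It is illustrative code written for this page, not code from the OTA audit or from Valimail, and the domains and records in it are constructed. It simplifies the organizational-domain lookup to the last two labels (real receivers consult the Public Suffix List) and ignores the pct sampling tag, but it does show why a spoofed message that passes SPF and DKIM for the attacker’s own domain still fails DMARC, why p=none leaves such a message undisturbed, and how a subdomain inherits the parent policy.

```python
# Simplified DMARC policy evaluation (RFC 7489 semantics), added as an example.
# Domains and records below are constructed; they are not real DNS data.

# Constructed DMARC TXT records keyed by the domain they would be published under
# (_dmarc.<domain>). In production these come from a DNS lookup.
RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
}


def parse_dmarc(txt):
    """Parse a DMARC record into a dict of tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the main policy
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Simplification: real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Is the authenticated domain aligned with the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_record(from_domain, records=RECORDS):
    """Policy discovery: look up the From domain first, then its organizational
    domain. Returns (tags, is_subdomain) or (None, False) if no record exists."""
    if from_domain in records:
        return parse_dmarc(records[from_domain]), False
    parent = org_domain(from_domain)
    if parent in records:
        return parse_dmarc(records[parent]), True
    return None, False


def dmarc_result(from_domain, spf_result, mailfrom_domain,
                 dkim_result, dkim_domain, records=RECORDS):
    """Return (dmarc_verdict, disposition).

    from_domain     domain of the RFC 5322 From header the user sees
    spf_result      "pass"/"fail" for the envelope sender (RFC 5321 MailFrom)
    mailfrom_domain domain SPF was evaluated against ("" for a null sender)
    dkim_result     "pass"/"fail" for the strongest DKIM signature
    dkim_domain     the d= domain of that signature ("" if unsigned)
    """
    tags, is_subdomain = find_record(from_domain, records)
    if tags is None:
        # No DMARC record: the receiver has no policy to apply.
        return "none", "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        # One aligned pass is sufficient; deliver normally.
        return "pass", "none"
    # Neither mechanism produced an aligned pass: apply the published policy.
    return "fail", tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes for a bounce subdomain; relaxed aspf aligns it.
    print(dmarc_result("example.com", "pass", "bounce.example.com", "fail", ""))
    # Phish: SPF and DKIM both pass, but only for the attacker's own domain.
    print(dmarc_result("example.com", "pass", "attacker.example.net",
                       "pass", "attacker.example.net"))
    # Same phish against a domain that is still at p=none: nothing is blocked.
    print(dmarc_result("monitor-only.example", "pass", "attacker.example.net",
                       "pass", "attacker.example.net"))
```

Run as a script it prints `('pass', 'none')`, `('fail', 'reject')` and `('fail', 'none')` for the three constructed messages. The third line is the whole point of the article: with p=none the receiver records the failure in an aggregate report but delivers the message anyway. Note also the effect of `adkim=s` in the example.com record: a DKIM signature with `d=mail.example.com` would not align under strict mode, which is exactly the kind of surprise that keeps companies parked at p=none.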
Valimail helps companies cut through these difficulties, with a patent-pending Email Authentication as a Service™ product that can get DMARC configured and automated, and get you to p=reject in record time. Contact us for more information.