Email: The front line of cybercrime (research part 1)
The battle against phishing rages on. Estimates from the FBI peg losses due to just one type of email-based attack, the business email compromise (BEC), at $1.7 billion in 2019 alone. Other sources have noted that 83% of email attacks are brand impersonations and another 6% are impersonations of people, meaning nearly 90% of all email attacks rely on deceptive sender identity (i.e., spoofing). And meanwhile, email remains the single largest vector for initiating cyberattacks of all kinds, as many studies have shown over the years and IBM Security recently confirmed.
In this battle, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a front-line defense — and it’s working. DMARC gives domain owners visibility into what services (and which bad actors) are sending email “from” their domains. When configured properly (with an enforcement policy), it prevents email spoofing. Once at enforcement, a domain can only be used by authorized senders. Email attackers are then forced to rely on other, easier-to-detect impersonation techniques — or they move on to other targets. In fact, Valimail has observed that the number of attempts to spoof a domain typically drops to zero or near zero within a few months after that domain moves to DMARC enforcement.
Evidence from Valimail shows that the use of DMARC is growing. And, despite relatively low rates of configuring it with enforcement policies (which actually stop spoofing), it is having a noticeable, positive effect on reducing exact-domain spoofing globally.
The growth of DMARC on two fronts
Given its benefits, it’s no surprise that the growth of the DMARC standard has been impressive.
On the receiving side, major email receivers have been supporting the standard for years now. Valimail data has shown for several years that about 80% of the world’s inboxes (including virtually all U.S.-based email providers) do DMARC checks on inbound email messages, enforcing the domain owner’s stated policies. Our data from analysis of DMARC reports shows that proportion remained consistent in the second half of 2019.
On the sending side, more and more domain owners are waking up to DMARC’s potential. As of the start of 2020, nearly one million domains — 933,973 to be exact — have published DMARC records.
That’s an increase of 70% over one year prior, and a more than 180% increase over two years ago.
Note: Valimail’s analysis counts organizational domains only. Unlike some other reports on DMARC’s market penetration, we are not including subdomains in these totals.
DMARC enforcement rates
Merely publishing a DMARC record is not sufficient to protect a domain against spoofing, however. Domain owners must also configure an enforcement policy (one that directs mail receivers to quarantine or reject non-authenticated email, with no exceptions for subdomains). If they don’t do so, then mail receivers will not take any particular actions on email that appears to come from the domain but which fails authentication.
The syntax of DMARC is simple, and in principle it’s easy to set an enforcement policy simply by adding “p=quarantine” or “p=reject” in the proper place in the domain’s DMARC record. However, domain owners who do this without first carefully auditing their email environments run into trouble. If you don’t properly authorize all the services that you want to send email on your behalf (e.g., a corporate payroll system or a mailing-list manager), then the enforcement setting will tell mail servers to reject messages from those senders. Such authorization is done through SPF and/or DKIM, two other email standards that let domain owners specify which senders are allowed to send “as” them.
As a result, the best practice is to start in monitor mode (a policy of “none,” indicated by “p=none” in the DMARC record), which allows you to collect detailed, daily reports from mail servers about exactly which senders are authenticating and which ones are not.
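To make the distinction between “has a DMARC record” and “is at enforcement” concrete, here is an added example (not Valimail’s code) that parses a DMARC TXT record and classifies it by the definition used above: p=quarantine or p=reject, with no weaker policy carved out for subdomains via the sp tag. It assumes the RFC 7489 tag syntax, and it also treats a pct value below 100 as partial enforcement, a check this post does not discuss; the sample records are constructed.

```python
"""Classify DMARC records by enforcement level (added example, not Valimail code).

Parses the tag=value syntax of a DMARC TXT record (RFC 7489) and reports whether
it counts as "at enforcement" as the post defines it: p=quarantine or p=reject
with no weaker policy for subdomains. pct below 100 is also treated as partial.
"""
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt: str) -> str:
    """Return 'invalid', 'monitor', 'partial' or 'enforcement'."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"            # receivers ignore a record without v and p
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # sp defaults to p when absent (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if p not in ENFORCING:
        return "monitor"            # p=none: reports only, spoofing still lands
    if sp not in ENFORCING or pct < 100:
        return "partial"            # subdomains exempt or only sampled: spoofable
    return "enforcement"

def enforcement_rate(records) -> float:
    """Share of records that are fully at enforcement, as a fraction 0..1."""
    if not records:
        return 0.0
    return sum(classify(r) == "enforcement" for r in records) / len(records)

# Constructed sample records; example.com is a reserved documentation domain.
SAMPLE = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=50",
    "v=DMARC1; p=reject; adkim=s; aspf=s",
]
```

Running `enforcement_rate(SAMPLE)` over the constructed records yields 0.25: only the last record protects the organizational domain and all of its subdomains.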
Unfortunately, that’s as far as most domain owners get. Valimail’s analysis shows that of the 933,973 organizational domains with DMARC, just 13% are at enforcement.
Worse, that percentage has generally declined over time, although it has remained level in the past twelve months. The inescapable conclusion: Interest in DMARC is growing, but DMARC expertise is not keeping pace.
This post is part 1 in a 3-part series highlighting Valimail’s latest research. Here’s part 2, Which industries are doing best at email security?, and part 3, Domain spoofing declines as protective measures grow.
Download the full report for free: Winter 2020 Email Fraud Landscape: Domain spoofing declines as protective measures grow.