Valimail blog

Even Cyber Security Leaders Struggle With Email Safety

Author: Alexander García-Tobar
Using sender identity to stop phishing

RSA is one of the largest cybersecurity providers in the world, and its annual conference in San Francisco, happening this week, draws tens of thousands of attendees. People come from all over the world to see the latest advances in cybersecurity from more than 500 exhibitors and hundreds of expert speakers.

RSA represents the cutting edge of security in many ways. And there’s no doubt that the companies who exhibit and sponsor the event are leaders in the security space.

That’s why it’s surprising to see that so few of these companies are actually using the latest and most powerful email authentication tool: the open DMARC standard.

We used Valimail’s domain checker to examine the email authentication status for RSA’s 62 sponsors, from the “Diamond” level all the way down to “Bronze.” What we found was that only one company — Microsoft — had implemented DMARC correctly and set it to enforcement mode.

Of the remaining domains, 4 had DMARC records with configuration errors, one was set to limited enforcement, and 15 were set to no enforcement (p=none).

That leaves 41 RSA sponsors who have no DMARC records at all.

The sponsor cohort is doing better when it comes to SPF: 41 have correctly configured SPF records, 17 have published records with errors, and only four have no SPF record at all.

Why Does Email Authentication Matter?

Without authentication, it’s trivially easy for fraudsters to forge an email and make it appear to come from your bank, a tech company, or some other trusted entity: All they have to do is put the company’s email address in the From field of their email message.

Email authentication stops that kind of fraud, by giving mail servers tools to validate email messages they receive.

DMARC is the most powerful of those tools: It’s an open standard that helps email servers determine whether incoming email is coming from a server authorized by the domain shown in the From field.

It is supported by 85 percent of consumer email inboxes in the U.S., including those from Gmail, Microsoft Hotmail/Live.com mail, Yahoo, AOL, and others. There’s no more effective way to prevent same-domain phishing (emails from fraudsters impersonating a company by using its domain name in the From: or Reply-to: field of their faked emails). Since phishing is one of the leading ways that hackers gain entry into target networks, DMARC has enormous potential to increase overall cybersecurity.

Indeed, the industry is embracing email authentication. Research by Farsight shows that DMARC implementation on the sender side (by corporate domains) is increasing exponentially. But due to the complexity of the standard (and limitations in its associated standards, DKIM and SPF), there is a roughly 70 percent failure rate among all companies attempting to implement DMARC. Many publish DMARC records with errors, or publish a DMARC record but don’t ever turn on the enforcement benefits it provides.

Cybersecurity companies are not doing much better, as we have found. But don’t just take our word for it. A study by the Global Cyber Alliance released this week found that, of the 587 email domains used by companies exhibiting at RSA, only 15 percent had set up a DMARC record. What’s more, the GCA found, of the 90 domains that do have a DMARC record, 65 had it set to monitoring-only mode (p=none), which means there is no enforcement whatsoever. Only 25 domains in all had specified that emails failing authentication should be sent to spam (p=quarantine) or deleted (p=reject).
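The categories used in these counts can be reproduced from the TXT records a domain publishes at `_dmarc.<domain>`. The Python below is an added example, not Valimail's domain checker or the GCA's tooling: the sample records and `.example` domains are constructed, and treating `pct` below 100 as "limited enforcement" and any unparsable policy as "error" are assumptions of this sketch.

```python
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; ValueError if malformed."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(record):
    """A DMARC record's first tag must be v=DMARC1 (RFC 7489)."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return (name.strip().lower(), value.strip()) == ("v", "DMARC1")

def classify(txt_records):
    """Label the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        return "error"  # several DMARC records: receivers apply none of them
    try:
        tags = parse_tags(dmarc[0])
        policy = tags["p"].lower()
        pct = int(tags.get("pct", "100"))
    except (ValueError, KeyError):
        return "error"  # malformed tag, missing p=, or non-numeric pct
    if policy not in POLICIES or not 0 <= pct <= 100:
        return "error"
    if policy == "none":
        return "no enforcement"
    # Assumption: a policy applied to only part of the mail is "limited".
    return "enforcement" if pct == 100 else "limited enforcement"

SAMPLES = {  # constructed records for placeholder domains
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "c.example": ["v=DMARC1; p=none"],
    "d.example": ["v=DMARC1; p=rejct"],  # typo in the policy value
    "e.example": ["v=spf1 -all"],        # SPF only, no DMARC
}

def tally(domains):
    """Count domains per status label."""
    return dict(Counter(classify(records) for records in domains.values()))
```

To run it against live domains, feed `classify` the TXT strings returned by a DNS lookup of `_dmarc.<domain>`.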

We agree with the GCA (of which we’re a member) that “It is time for the cybersecurity industry to lead the charge and push for DMARC use across the globe.”

“As world leaders in cybersecurity, we can do better,” said Philip Reitinger, President and CEO of GCA. We agree.

Published February 23, 2017
  • Cybersecurity
  • DMARC
  • Email Authentication
  • security
Author: Alexander García-Tobar
A serial entrepreneur and global executive, Alexander has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.