Media companies face a uniquely difficult landscape. Over the past decade, they’ve had to adapt to rapidly changing media technologies, while battling declining advertising revenues and shrinking subscription lists. For some companies, it’s hard enough to keep the lights on, let alone secure their IT systems.
So it’s not surprising most media organizations have overlooked a key aspect of their cybersecurity infrastructure: Email authentication.
That’s a particular problem in the era of “fake news” claims, because it leaves media companies open to fraud. In short: It’s far too easy for outsiders to send fake email that appears to come from these companies.
ValiMail analyzed the primary domains for 610 media companies with revenues of at least $50 million annually. Using data that is publicly available through the Domain Name System (DNS), we checked for the existence of DMARC (Domain-based Message Authentication, Reporting, & Conformance) and SPF (Sender Policy Framework) records. We then analyzed these records for completeness, correctness, and effectiveness.
The conclusion: Media companies lag substantially behind other industries in their implementation of DMARC. Only 78 out of 610 companies had published a DMARC record at all. Of those, just 17 had set it to a policy of enforcement, which directs receiving mails servers to delete or quarantine messages that fail authentication.
This is a success rate at getting to enforcement (as a percentage of all companies attempting DMARC) of 21.8 percent. But the overall rate of DMARC enforcement in the industry is just 2.8 percent.
In other words, 97.2 percent of media companies worldwide remain vulnerable to impersonation or “spoofing” by email fraudsters using their domain names illicitly.
For more detail, check out our full report: After Fake News, Here Comes Fake Email. It has a wealth of detail on how media companies worldwide are doing with respect to email authentication, which types of companies are doing better, and which countries are showing leadership.