Mar 4, 2017

FTC: Companies Are Embracing Email Authentication — Partially


The Federal Trade Commission announced today that U.S. companies seem to understand the value of email authentication — but they aren’t yet implementing it fully.

Echoing results that Valimail has found in our own research, the FTC study found that 86 percent of major online businesses are using email authentication with Sender Policy Framework (SPF) — but fewer than 10 percent have taken the step of fully implementing the more advanced standard, Domain-based Message Authentication, Reporting, and Conformance (DMARC).

The FTC’s study looked at 596 of the largest companies online as shown by the Alexa service. It found 489 had published SPF records in the Domain Name System (DNS).

Of those 489 using SPF, 66 percent (320 domains) had no DMARC record at all. Of the 168 domains that did have DMARC records, the majority had set it to a non-enforcement policy (p=none), and just 53 had set their policy to quarantine (p=quarantine) or reject (p=reject) messages that fail authentication.

That’s a problem, as the FTC notes, because a DMARC record set to p=none only monitors: receivers still deliver messages that fail authentication. Only a quarantine or reject policy actually blocks fraudulent email.

The takeaway? DMARC is accelerating in adoption. Following on the heels of the top email service providers (including Gmail, AOL, Microsoft, and Yahoo) all embracing authentication, more and more companies are seeing the need to authenticate their own email. The fact that the FTC is issuing this study underscores the trend.

Also, DMARC is incredibly effective, as the FTC notes. It eliminates virtually all same-domain phishing attacks, which contributes to a significant increase in security across the board, since phishing is how most cyber attacks begin. DMARC also provides substantial reporting and monitoring features to companies that use it.

However, DMARC is hard to get right. Our studies show that roughly 70 percent of companies that attempt DMARC never get to p=reject or p=quarantine. Most get hung up at p=none or have implementation errors that prevent DMARC from working properly.
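The FTC's buckets (SPF published, DMARC present, p=none versus p=quarantine/p=reject) and the implementation errors mentioned above can both be checked mechanically from a domain's DNS TXT records. The following is an added example, not code from the FTC study or from Valimail: it classifies a list of domains into those buckets and flags the record-level mistakes that RFC 7489 says turn a DMARC record into no DMARC at all (more than one record at _dmarc, a missing or misspelled p tag with no rua, pct=0). The DNS data is a constructed in-memory dictionary with made-up .example names so it runs offline; the lookup callable is the assumed seam where a real resolver would be plugged in.

```python
"""Bucket domains by SPF/DMARC posture, roughly as the FTC study did.

SPF   -> "present" | "missing" | "multiple"
DMARC -> "missing" | "invalid" | "monitoring" | "enforcement"
Added example (not FTC or Valimail code). The lookup is injected so it runs
offline on constructed records; a real resolver can be supplied instead.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Lookup = Callable[[str], list[str]]  # DNS name -> TXT strings at that name

# Constructed sample DNS data; these are not any real organisation's records.
SAMPLE_DNS: dict[str, list[str]] = {
    "a.example": ["v=spf1 include:_spf.a.example -all"],
    "_dmarc.a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=spf1 -all"],                                   # SPF only
    "d.example": ["v=spf1 mx -all"],
    "_dmarc.d.example": ["v=DMARC1; rua=mailto:dmarc@d.example"],   # no p tag
    "e.example": ["v=spf1 a -all"],
    "_dmarc.e.example": ["v=DMARC1; p=quarantine; pct=0"],          # pct=0
    "f.example": ["some unrelated txt"],                            # no SPF
    "_dmarc.f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "g.example": ["v=spf1 -all", "v=spf1 mx -all"],                 # two SPF records
    "_dmarc.g.example": ["v=DMARC1; p=rejct"],                      # typo, no rua
}


def sample_lookup(name: str) -> list[str]:
    """Stand-in for a DNS TXT query against the constructed data above."""
    return SAMPLE_DNS.get(name, [])


def parse_tags(record: str) -> list[tuple[str, str]]:
    """Split 'tag=value; tag=value' into (lowercased name, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify_spf(records: list[str]) -> str:
    # RFC 7208 4.5: a record counts only if it starts with exactly "v=spf1"
    # followed by a space or end of string ("v=spf10" does not match), and
    # more than one such record is a permerror, i.e. SPF effectively fails.
    spf = [r for r in records if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not spf:
        return "missing"
    return "multiple" if len(spf) > 1 else "present"


def is_dmarc_record(record: str) -> bool:
    tags = parse_tags(record)
    # RFC 7489 6.3: 'v' must be the first tag and its value exactly 'DMARC1'
    return bool(tags) and tags[0] == ("v", "DMARC1")


DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def classify_dmarc(records: list[str]) -> tuple[str, Optional[str], str]:
    """Return (bucket, effective policy, note) for the TXT set at _dmarc.<domain>."""
    candidates = [r for r in records if is_dmarc_record(r)]
    if not candidates:
        return "missing", None, "no record starting with v=DMARC1"
    if len(candidates) > 1:
        # RFC 7489 6.6.3: several DMARC records => DMARC processing disabled
        return "invalid", None, "more than one DMARC record published"
    tags = dict(parse_tags(candidates[0]))
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: no valid 'p' but a usable 'rua' => treated as p=none
        if tags.get("rua", "").lower().startswith("mailto:"):
            return "monitoring", "none", "missing/invalid p tag; rua present, treated as p=none"
        return "invalid", None, f"missing or invalid p tag: {policy!r}"
    pct_raw = tags.get("pct", "100")
    pct = min(100, int(pct_raw)) if pct_raw.isdigit() else 100
    # RFC 7489 6.6.4: messages outside the pct sample get the next less severe
    # policy, so pct=0 silently downgrades reject->quarantine, quarantine->none.
    effective = policy if pct > 0 else DOWNGRADE[policy]
    if effective == "none":
        return "monitoring", effective, "policy does not block failing mail"
    note = "full enforcement" if pct == 100 else f"partial enforcement, pct={pct}"
    return "enforcement", effective, note


@dataclass
class Posture:
    domain: str
    spf: str
    dmarc: str
    policy: Optional[str]   # effective DMARC policy, if any
    note: str


def assess(domain: str, lookup: Lookup = sample_lookup) -> Posture:
    spf = classify_spf(lookup(domain))
    bucket, policy, note = classify_dmarc(lookup(f"_dmarc.{domain}"))
    return Posture(domain, spf, bucket, policy, note)


def summarize(domains: list[str], lookup: Lookup = sample_lookup) -> dict[str, int]:
    """Counts in the same shape as the FTC headline numbers."""
    counts = {"total": 0, "spf_present": 0, "dmarc_missing": 0,
              "dmarc_invalid": 0, "dmarc_monitoring": 0, "dmarc_enforcement": 0}
    for domain in domains:
        p = assess(domain, lookup)
        counts["total"] += 1
        counts["spf_present"] += p.spf == "present"
        counts["dmarc_" + p.dmarc] += 1
    return counts


if __name__ == "__main__":
    for d in ["a.example", "b.example", "c.example", "d.example",
              "e.example", "f.example", "g.example"]:
        print(assess(d))
    print(summarize(["a.example", "b.example", "c.example", "d.example",
                     "e.example", "f.example", "g.example"]))
```

Note that d.example and e.example both end up in the monitoring bucket even though their owners may believe they deployed DMARC: a missing p tag and pct=0 are exactly the kind of implementation error that leaves a domain at p=none in practice. Against real domains, replace sample_lookup with a function that returns the TXT strings from an actual resolver.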

As ISPs double down on authentication, unauthenticated emails will see a drastic decline in deliverability. That will only increase the urgency of getting it right.

What’s happening now is a major phase change: Email authentication used to be the exception, but now it’s rapidly becoming the norm. In the same way that open Wi-Fi networks are getting hard to find (and no business would ever use an open network any more), unauthenticated email will get rarer and rarer.

The FTC’s report shows that companies have a ways to go. But the direction of this movement is clear: Towards DMARC.
