Unfortunately, not in a cute way. Photo credit: Ally/Flickr.
Krebs on Security today published an article describing how the Donald Trump campaign, the DNC, and the RNC all have failed to use email authentication to maximize their email security. Valimail CEO Alexander Garcia-Tobar is quoted in the article stating of DMARC, “…it’s extremely tricky to get right. Most organizations are [a] lot more concerned about blocking good stuff going out, until they get phished.”
Both these points are very important, and we run into them quite frequently.
We interact with a lot of companies trying to get to DMARC enforcement, and they regularly discover that the level of challenge is beyond what they originally anticipated. This fact is backed up by the Online Trust Alliance’s July 2016 honor roll, which indicates that in all measured categories between 60% and 86% of sites attempting DMARC authentication do not get all the way to enforcement.
There are many reasons why DMARC is so hard to get right, including its specific and inflexible syntax, SPF’s 10-lookup limit, and the challenges in maintaining secure DKIM keys.
We also have observed a tendency among organizations to underestimate the importance of blocking spear phishing emails until they have a problem. At that point we often see a great increase in urgency and commitment inside the organization.
That is a dangerous approach to take. It’s kind of like waiting until you have a fire before buying homeowner’s insurance. Sure, it’s better to have insurance late than never, but the best approach is for the insurance to be in place before a problem comes up in the first place.
So what is the reason for this attitude? It’s back to Alexander’s first point: DMARC is harder than people think. Because they struggle to create a record that reliably blocks spoofed email while still letting legitimate email through, they never pull the trigger on enforcement. Often they don’t even know how to evaluate whether an implementation is good or not. Reports are notoriously hard to read and make sense of, and it’s easy for a small number of critically important emails that are failing authentication to get lost in the haystack of marketing mailings, phishing, and other high-volume activity.
However, it is possible to get to enforcement without sacrificing deliverability, and to do so before there is a problem.
These major political parties and campaigns now have had a problem, which is that they were called out on a prominent IT security site. Maybe next time the problem will be a major security breach.
Or maybe they’ll implement enforced email authentication before it comes to that. That’s what we’re encouraging them to do.