M3AAWG calls for email authentication as a response to Covid-19 phishing
Valimail, like many other organizations, has been observing a wave of phishing attacks since the start of the Coronavirus crisis in the United States. For the past several months, COVID-19 themed phishing attacks have been directed at corporate employees, executives, citizens, and consumers.
These attacks exploit the public’s fears and uncertainty, and they almost universally leverage fake sender identities, posing as individuals or organizations likely to engender trust in the recipient. That trust, combined with remote employees’ working conditions (more distracted, less protected by the usual in-office IT controls) means that people are even more vulnerable than usual.
A key component to stopping such phishing attacks is a robust way to authenticate sender identity — and that’s why we stand with M3AAWG in asserting the importance of the three core email authentication standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Receiving, and Conformance (DMARC).
We are proud to support M3AAWG’s call to action published today for domain owners to implement SPF, DKIM, and DMARC. In particular, we’d like to underscore one key recommendation from M3AAWG’s blog:
Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
This kind of policy, referred to as DMARC enforcement, is crucial to ensuring that DMARC is not merely a reporting tool, but an active defense against identity impersonation. And it’s important to note, as M3AAWG does, that enforcement is needed for all organizational domains, including subdomains, and should also include domains that don’t send email.
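As an added illustration (not code from Valimail's post or from M3AAWG), the check below parses a DMARC TXT record and reports whether it meets the recommendation above: p= at least quarantine, and subdomains covered too. It assumes the RFC 7489 tag syntax, treats a missing sp= tag as inheriting p=, and flags pct= below 100 as a weakening; the records and domain names are constructed.

```python
"""Assess whether a DMARC record is at enforcement (RFC 7489 tag syntax)."""
from dataclasses import dataclass

ENFORCING = {"quarantine", "reject"}

# Constructed sample records, not real DNS data.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "sub-weak.example": "v=DMARC1; p=reject; sp=none",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
}


@dataclass
class DmarcAssessment:
    policy: str            # effective policy for the organizational domain
    subdomain_policy: str  # effective policy for subdomains (sp=, defaults to p=)
    pct: int               # share of failing mail the policy is applied to
    at_enforcement: bool
    findings: list


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; sp=none' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the effective policies and every reason the record falls short."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()       # RFC 7489: sp= inherits p= when absent
    pct = int(tags.get("pct", "100"))    # RFC 7489: pct= defaults to 100
    findings = []
    if p not in ENFORCING:
        findings.append(f"p={p} only monitors; spoofed mail is still delivered")
    if sp not in ENFORCING:
        findings.append(f"sp={sp} leaves subdomains unprotected")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    return DmarcAssessment(p, sp, pct, not findings, findings)
```

A non-sending domain gets the same treatment: publish `v=DMARC1; p=reject` (alongside an SPF record of `v=spf1 -all`) so the checker reports it at enforcement even though it never sends mail.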
Vox Media recently published a lucid explainer that included a demonstration by Valimail of just how easy it is to spoof a sender that’s not protected by DMARC enforcement, in this case the World Health Organization. (Note: who.int has since moved to a DMARC p=reject policy.) The Vox video below, which now has over 600,000 views, also includes an accessible animated explanation of how DMARC works.
The more widely DMARC enforcement is adopted, the harder it will be for criminals to spoof domains with their coronavirus phishing scams. We stand with M3AAWG, Google, and Verizon Media in asserting the importance of email authentication at this crucial moment.