As I wrote in my last blog post, email is a legacy technology with a lot of accumulated “technical debt” and standards limitations, and there aren’t many true email experts who understand the full set of standards backwards and forwards. As a result, staying on top of the real-world workings of email can be a challenge.
But there are technical solutions to the ever-present problem of email impersonation. Standards-based email authentication, when implemented through an automated email authentication system that guarantees enforcement, can stop a huge proportion of spoofed emails, BEC, and phishing.
With years of experience implementing email authentication, Valimail has come into contact with some surprising misconceptions about how email authentication actually works. Here are five more myths about email authentication -- plus one more bonus myth.
For myths 1-5, see my previous post on the top 5 myths of email authentication.
Myth #6: DMARC adoption rates are still negligible among domain owners
Fact: DMARC’s use by domain owners has been growing exponentially — especially if you look at larger companies. DMARC is one of the most significant changes to the basic set of email standards in decades. In fact, growth in the number of domains configuring a DMARC record tripled in 2017, and is on track to further double by end of 2018. Valimail’s latest quarterly email fraud landscape shows that DMARC usage rates have surged to 30-40 percent of all domains among big companies in health care, banking/insurance, technology, and many other sectors. More than 54 percent of the Fortune 500 now have DMARC records.
If you’re still playing “wait and see” with DMARC, you’re already heading into late adopter territory, not to mention, exposing your organization to unnecessary risks.
Myth #7: Email authentication is not a high a priority
Fact: More than 90 percent of all cyber-attacks start from fraudulent emails. As much as 62 percent of business email compromise (BEC) attacks are based on domain impersonations, according to Proofpoint. And Proofpoint's latest threat landscape notes that 60 percent of organizations have seen their domains spoofed. Given those statistics, email authentication had better be a priority. The U.S. government declared it a priority to deploy email authentication in October 2017 with the Binding Operational Directive (BOD) 18-01, and one year later, 70% of U.S. federal domains have DMARC records. The FTC and SEC has indicated that companies not deploying email authentication can be found liable for not following basic accepted minimum best practices. And companies without email authentication may find that their insurance companies are unwilling to cover losses that involve email impersonation (see Medidata Solutions Inc. v. Federal Insurance Co. and American Tooling Center Inc. v. Travelers Co.).
More importantly, businesses are understanding that email authentication is now one of the most basic steps for protecting their reputation, finances, and IP..
Myth #8: Authentication is not effective at stopping phish
Fact: We know that the majority of phish landing in corporate inboxes are impersonation. Many of those are exact-domain impersonation — fraudulently using someone’s else’s domain. Email authentication stops these cold.
Combined with a secure email gateway (SEG), authentication becomes an essential part of a complete anti-phishing solution. Authentication stops impersonation, while the SEG blocks malicious attachments, malware injections, dangerous links, and so on.
Myth #9: You only need to authenticate domains you use for email
Fact: This would be a big misconception. You really need to protect every domain your company owns — otherwise impersonators could use those domains to send email as anyone from your company. For example, take the typical media company. Each show has a mini-site. These sites don’t necessarily send email — but a consumer wouldn’t know that. If you’re unsure how many domains your company owns, or how they are being used, check with your marketing department. To be safe, you should protect all of your domains. And you need to ensure that subdomains are protected too.
Myth #10: Authentication only protects “outbound” mail
Fact: Think of the headlines you read frequently: “Company X accidentally wired money to a fictitious account," or "Company Y sent their employees’ W2s to criminals by accident." Criminals routinely send emails impersonating the CEO, CFO, or other executives, trying to trick employees into carrying out their wishes -- and it’s child’s play to do so if you don’t have email authentication in place. One of the greatest threats enterprises face is Business Email Compromise (BEC), where a fraudster impersonates a high ranking executive or other employee in order to trick co-workers into sending money, sharing confidential information, or giving up their account credentials. In addition to protecting customers, partners, prospects, and friends, email authentication, when done right, also protects employees against inbound phishing attacks.
BONUS MYTH: You can solve email spoofing by hiring a consultant or any DMARC vendor
Full disclosure: Valimail is a vendor in this space and competes with other DMARC vendors. We do our best to be impartial and factual but wanted to highlight this dynamic before answering this myth.
Fact: Not all DMARC vendors are created equal, each has a different technology and approach, and not all consultants have a deep understanding of authentication. Fortunately, the foundation for anti-impersonation is based on DNS, so it’s straightforward to establish which vendors are more successful at getting their clients to enforcement and how long it takes. The data is very clear: DIY leads to 20 percent success rates in 12 months with 2-3 FTEs. Most vendor-based solutions aren’t much better, with 40 percent enforcement rate in 9 months with 1-2 FTEs . Valimail has a 90 percent success rate in 4 months with 0.2 FTE, and we guarantee enforcement -- the only vendor to do so.
Why is this the case? Let’s look at the process of getting to enforcement: You’ll need a DMARC expert, infrastructure visibility, and automation technology, to discover, configure, and continually maintain the conditions for continuous authentication. Consultants only make recommendations and suggestions for how you can achieve enforcement, and their recommendations often require you to make constant, manual changes to your DNS. And if you do achieve enforcement, you’re on your own for maintaining it. Which of course, puts you right smack in the middle of all that tedious, manual work mentioned in Email Authentication Myth #2: identifying errant IP addresses and reconciling domains based on email error reports.
If you want to achieve and remain at DMARC enforcement and start protecting your domains from the threat of email impersonation, you need a vendor that offers full automation. Ask any vendor you’re considering how often you’ll need to make DNS updates during the deployment process, how long they expect deployment will take, and whether they’ll guarantee success (i.e. getting to DMARC enforcement).
Email authentication is definitely worth doing — therefore it’s worth doing right. Now is the time to move beyond the myths to protect your executives, employees, customers, partners, and your reputation in reality. So go get started: Configure that DMARC record, start collecting data, and move your organization toward a DMARC enforcement policy. And remember, if you need some backup, we’re here to handle all the tedious stuff and let you take the glory!