OTA Trust Audit Shows How Crucial Email Is to Cybersecurity Excellence

As a cybersecurity company focused on defending enterprises from BEC, phishing, and other fraudulent email practices, Valimail takes its own security practices seriously. So it’s nice when someone else recognizes those efforts, as the Internet Society’s Online Trust Alliance did recently in naming Valimail to its 2018 Online Trust Audit and Honor Roll. The OTA has given us this designation for three years in a row now — every year since Valimail’s founding.

But even more than accolades for ourselves, we’re especially pleased about the OTA’s focus on driving support for crucial standards that will increase security for everyone.

Specifically, the OTA included the SPF, DKIM, and DMARC standards as critical components of the Trust Audit this year, as it did last year. Companies that implemented those standards scored more points than those that didn’t.

In setting these criteria (and increasing their weights in its scoring this year), the OTA has made it abundantly clear how important these standards are for protecting organizations from brand spoofing and impersonation-based phishing attacks.

SPF and DMARC Details Matter

Crucially, the OTA paid close attention to the details: Correct implementation matters in the OTA’s scoring, as it does in the real world.

Infographic showing record levels of email authentication: 76% use both SPF and DKIM, 50% have a DMARC record, and 73% use opportunistic TLS

(The image above is a detail from an infographic showing highlights of the OTA’s 2018 Trust Audit.)

For example, the OTA awarded points for implementing SPF on a company’s highest-level domain (its organizational domain), but deducted points if the SPF record exceeded the SPF 10-lookup limit, used SPF “includes” incorrectly, or was invalid due to incorrect syntax. These deductions for exceeding the lookup limit or improperly using includes were new this year, and we applaud the OTA for underscoring these critical mistakes in the audit.

Similarly, the OTA awarded points for simply having a DMARC record, but stipulated that it must include an RUA/RUF reporting address if it was set to a monitor-only policy (p=none). Companies would score even more points for having a DMARC policy of reject or quarantine (aka DMARC enforcement). This year, DMARC was weighted more heavily than in prior years, with a policy of p=reject receiving the most points. While we would have weighted p=quarantine the same as p=reject (since both are enforcement policies that keep spoofed email out of end users’ inboxes), we’re excited to see enforcement taken seriously and given ever-increasing importance in the OTA’s audit.
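The checks described in the two paragraphs above (the SPF 10-lookup limit, misuse of include, invalid syntax, and a DMARC record that carries a reporting address when it sits at p=none) can be scripted so a domain owner can audit itself the way the OTA does. The Python below is an added example written for this post; it is not Valimail’s or the OTA’s code. Instead of querying DNS, it reads constructed SPF and DMARC records from two dictionaries that stand in for TXT lookups, so every domain and record in it is made up. Lookup counting follows RFC 7208, which charges one DNS lookup for each include, a, mx, ptr and exists mechanism and for the redirect modifier, recursively through every included record; the DMARC part follows the tag syntax of RFC 7489.

```python
import re

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (the
# redirect= modifier costs one as well); the limit is 10 per evaluation.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
SPF_TERM = re.compile(r"^(?P<qual>[+\-~?])?(?P<name>[a-z][a-z0-9]*)(?P<sep>[:=])?(?P<arg>.*)$", re.I)

# Constructed records standing in for DNS TXT lookups (all domains are made up).
SPF_ZONE = {
    "example.com": "v=spf1 include:_spf.example.net include:mail.example.org mx -all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 a:relay.example.net include:more.example.net -all",
    "more.example.net": "v=spf1 a mx ptr exists:%{i}.spf.example.net include:deep.example.net ~all",
    "deep.example.net": "v=spf1 mx a -all",
    "mail.example.org": "v=spf1 ip4:198.51.100.0/24 -all",
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:mail.example.org -all",
    "broken.example": "v=spf1 include:mail.example.org includes:other.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
DMARC_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
    "_dmarc.watch.example": "v=DMARC1; p=none; rua=mailto:reports@watch.example",
    "_dmarc.quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:reports@quarantine.example",
}


def spf_lookups(domain, zone, path=()):
    """Return (lookup_count, errors) for the SPF record at `domain`, following
    include: and redirect= recursively the way a receiving mail server would."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(path)}"]
    record = zone.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{domain}: record does not start with v=spf1"]
    lookups, errors = 0, []
    for term in terms[1:]:
        m = SPF_TERM.match(term)
        if not m:
            errors.append(f"{domain}: unparseable term '{term}'")
            continue
        name, sep, arg = m["name"].lower(), m["sep"], m["arg"]
        if sep == "=":                                  # modifier, e.g. redirect=
            if name not in MODIFIERS:
                errors.append(f"{domain}: unknown modifier '{term}'")
            elif name == "redirect":
                lookups += 1
                sub, sub_err = spf_lookups(arg, zone, path + (domain,))
                lookups, errors = lookups + sub, errors + sub_err
            continue
        if name not in MECHANISMS:                      # e.g. the 'includes:' typo
            errors.append(f"{domain}: unknown mechanism '{term}'")
            continue
        if name in ("include", "ip4", "ip6", "exists") and sep != ":":
            errors.append(f"{domain}: '{name}' requires a ':' argument")
            continue
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "include":                           # charged above, plus its own lookups
            sub, sub_err = spf_lookups(arg, zone, path + (domain,))
            lookups, errors = lookups + sub, errors + sub_err
    return lookups, errors


def audit_spf(domain, zone=SPF_ZONE):
    """Verdict as (status, lookups, errors); status is ok, too_many_lookups, invalid or missing."""
    if domain not in zone:
        return "missing", 0, [f"{domain}: no SPF record"]
    lookups, errors = spf_lookups(domain, zone)
    if errors:
        return "invalid", lookups, errors
    if lookups > SPF_LOOKUP_LIMIT:
        return "too_many_lookups", lookups, errors
    return "ok", lookups, errors


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag '{part}'")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(domain, zone=DMARC_ZONE):
    """Verdict as (status, notes); status is enforcement, monitor, invalid or missing."""
    record = zone.get(f"_dmarc.{domain}")
    if record is None:
        return "missing", [f"{domain}: no DMARC record"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid", [f"{domain}: record must carry v=DMARC1 and a p= tag"]
    policy = tags["p"].lower()
    if policy in ("reject", "quarantine"):
        return "enforcement", []
    if policy == "none":
        if "rua" not in tags and "ruf" not in tags:
            return "monitor", [f"{domain}: p=none with no rua/ruf address gives no visibility"]
        return "monitor", []
    return "invalid", [f"{domain}: unknown policy '{policy}'"]


if __name__ == "__main__":
    for d in ("example.com", "good.example", "broken.example", "loop.example"):
        print("SPF  ", d, audit_spf(d))
    for d in ("example.com", "monitor.example", "watch.example", "quarantine.example", "nodmarc.example"):
        print("DMARC", d, audit_dmarc(d))
```

Run against the constructed zone, `example.com` is syntactically valid yet totals 12 lookups because the nested includes add up (3 in its own record, 9 beneath `_spf.example.net`), which is exactly the kind of record a receiver would stop evaluating with a permerror. `broken.example` shows how a single misspelled mechanism invalidates the whole record, and `monitor.example` is the p=none record with no reporting address that the audit scores down.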

A Year of Improvements

It’s clear that sectors that focus on these standards do better than the average. For instance, the U.S. federal government is now the leading category, with 91 percent of the surveyed sites landing on the honor roll.

Infographic showing OTA Honor Roll stats - 70% of companies designated to the honor roll overall, 91% of US Federal Government, 85% consumer services, 78% news and media, 73% banks, etc

It might surprise some people to see that the feds blew away commercial categories including Internet retailers (65 percent) and healthcare (57 percent) with their dedication to cybersecurity. The federal government is also the “most improved” category, since just 39 percent of federal sites won the designation in 2017.

Those who read Valimail’s Q4 2018 Email Fraud Landscape might be a little less surprised, since we also found (in our survey of SPF and DMARC usage) that the federal government was far ahead of other categories. Valimail found that 80 percent of federal domains have published a DMARC record, and 87 percent of those with a DMARC record set it to an enforcement policy.

These stellar outcomes for the federal government are the direct result of BOD 18-01, which mandated that federal agencies use DMARC at enforcement with p=reject, along with STARTTLS for mail transport and HTTPS-only (with HSTS) web connections.

BOD 18-01 only applied to civilian federal agencies, so private sector companies are under no obligation to follow its directives.

But organizations like OTA can help drive awareness of the importance of these security standards, and the Online Trust Audit & Honor Roll helps shine a light on how the industry as a whole is progressing.

In short, we applaud the OTA for constantly raising the bar and driving industry adoption of crucial standards.

Check out the OTA’s highlights video for more on this year’s Trust Audit:

Seth is the director of industry initiatives for Valimail.