Apr 18, 2018

RSA exhibitors miss the mark on DMARC enforcement

Need-More-Than-Training

Email is the biggest social network on the planet. There are now 6.7 billion email accounts in use around the world. One half of the world’s population has at least one email address.

Yet for many of us, email remains untrustworthy. That’s because most domain owners have not implemented email authentication. Just 0.5 percent of the top 1 million domains are protected from email impersonation using the most advanced authentication technology, DMARC. The rest are easy for hackers to impersonate, just by putting their domain names into the “From” field of a phishing email.

Cybersecurity companies are not doing a whole lot better. Valimail analyzed the primary domains for 553 exhibiting companies at RSA 2018. What we found:

  • 28 companies are protected from email impersonation through correctly implemented and enforced DMARC policies.
  • 103 companies have valid DMARC records but have not set them to enforcement policies. These domains can still be impersonated by fraudsters and phishers.
  • 22 companies have DMARC records that are invalid because they contain errors.
  • 400 companies haven’t bothered with DMARC at all.

To put this another way: 95 percent of RSA exhibitors are leaving the door open to fraud and fake email. That’s a shocking figure, especially since 91 percent of all hacks involve phishing, and most phishing attacks involve impersonation.

It’s an understandable situation. DMARC is difficult for most companies to manage on their own, since it requires familiarity with not only the DMARC standard but also with SPF, DKIM, and with common email practices — and it demands that companies be able to accurately identify all the cloud services that they use for sending email, and ensure that those are all properly whitelisted. It’s difficult enough that, of all the companies who attempt DMARC on their own, just 20-25 percent succeed in getting to enforcement.

The solution is to stop dealing with DMARC as a manual, hands-on process demanding lots of consultants and constant monitoring, and to switch to a truly automated DMARC solution.

And just imagine how much more secure we would be if cybersecurity companies closed this major vulnerability today.

Subscribe to our newsletter