Momentum Builds for DMARC in the U.S. and U.K.
The movement to implement email authentication is gathering steam, and international cyber security experts are increasingly pointing to DMARC as a crucial key.
Now, government agencies in the U.S. and the U.K. are adding their voices to the chorus.
Here’s a sampling of recent recommendations:
- “If everyone used [DMARC], actually the spam problem would not only be significantly reduced, it’d probably almost go away,” said Paul Edmunds, Head of Technology at the U.K.’s National Crime Agency (NCA) National CyberCrime Unit, at the London Cloud Security Expo earlier this month. And he wasn’t just referring to spam–he was also talking about DMARC’s ability to stop same-domain phishing attacks and thereby cut down on emailed malware and business email compromise attacks.
- “You can stop those spoofed email attacks with DMARC,” Phil Reitinger, president and CEO of the Global Cyber Alliance, told Dark Reading this week. The GCA is an international organization founded by the New York County District Attorney and the City of London Police, among others.
- The U.K.’s new National Cyber Security Centre (NCSC) issued a mandate in October that government agencies implement DMARC, and it will soon start publishing a dashboard showing how well they are complying–or aren’t. “In six months the dashboard goes public as an incentive for government departments to take action or face being named and shamed,” said Ian Levy, technical director of the NCSC, in October. (Note: Levy was on a panel of email experts that ValiMail CEO Alexander García-Tobar moderated in Paris in October. Other participants included leading European ISPs, who also declared their support for DMARC then.)
- Later that month, Levy told people at a Sydney security conference, “If anybody in this room, as a cybersecurity professional, has an email domain and doesn’t have DMARC, you should be ashamed of yourselves.”
- And in early March, the U.S. government’s Federal Trade Commission added its own recommendation for DMARC as a way of preventing email scams. “By using DMARC to instruct receiving ISPs to reject unauthenticated messages, online businesses could further combat phishing by keeping these scam emails from showing up in consumers’ inboxes.”

These agencies and organizations are recognizing what major email senders have been advocating for several years now: DMARC works to cut down on phishing and spam, and it provides unprecedented visibility and accountability to email. That’s why virtually every major email service provider, including Gmail, AOL Mail, Microsoft Hotmail and Live.com mail, Yahoo Mail, and more (representing more than 2.7 billion mailboxes in all), support email authentication and will check the DMARC records for incoming email. DMARC is also supported by email gateways from many companies including Proofpoint, Cisco, and Symantec, as well as Microsoft’s Exchange server.
And while DMARC is still optional, the time is coming when publishing and enforcing a DMARC policy will be essential to ensuring deliverability of your mail. Already, providers like Gmail are putting a question mark next to incoming messages that don’t have authentication. Some also factor in the presence or absence of email authentication when deciding whether to flag messages as spam. We expect this trend to continue, with more providers taking a stronger and stronger stand in favor of DMARC, improving deliverability for senders who use it and downgrading deliverability even further for those who don’t.
Unfortunately, as the FTC acknowledged and ValiMail’s own research confirms, most organizations aren’t doing such a great job at implementing DMARC correctly. ValiMail has found that roughly 70 percent of companies that attempt DMARC don’t complete the process, either leaving it in non-enforcement mode (p=none) or else implementing it incorrectly. That average applies regardless of company size, so the big enterprises don’t necessarily have an advantage over much smaller organizations.
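
The difference between publishing a DMARC record and actually enforcing one can be checked mechanically. The following is an added example, not code from the original post or from ValiMail's service: it parses DMARC TXT record strings and sorts them into enforcement levels. The sample records, the `.example` domains and the status labels (`monitoring`, `partial`, `enforced`, `invalid`) are assumptions of this example; the `pct` default of 100 follows RFC 7489.

```python
# Added example: classify DMARC TXT records by enforcement level.
# All record strings below are constructed samples, not real published policies.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if malformed."""
    tags = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            return None  # not a tag=value pair
        if i == 0 and (name, value) != ("v", "DMARC1"):
            return None  # the version tag must come first
        tags[name] = value
    return tags or None


def classify(record):
    """Return 'invalid', 'monitoring', 'partial' or 'enforced' (labels are this example's own)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"      # missing or misspelled policy
    if policy == "none":
        return "monitoring"   # reports only, spoofed mail is still delivered
    pct = tags.get("pct", "100")  # policy applies to all mail unless pct says otherwise
    if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
        return "invalid"
    return "enforced" if int(pct) == 100 else "partial"


def audit(records):
    """Map each domain to the enforcement level of its DMARC record."""
    return {domain: classify(txt) for domain, txt in records.items()}


SAMPLES = {  # constructed inputs covering the failure modes described above
    "a.example": "v=DMARC1; p=none; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=25",
    "d.example": "p=reject; v=DMARC1",   # version tag not first
    "e.example": "v=DMARC1; p=rejct",    # typo in policy value
}

if __name__ == "__main__":
    for domain, status in audit(SAMPLES).items():
        print(f"{domain:12} {status}")
```

In practice the record strings would come from a TXT lookup on `_dmarc.<domain>`; only `b.example` in the samples would cause receivers to act on every unauthenticated message.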
That’s where ValiMail’s Email Authentication as a Service comes in. We provide a turnkey service that allows you to set up email authentication in a fraction of the time it would take to do it manually. Our service provides instant, one-click management so it’s trivially easy to add or remove whitelisted senders. And we provide detailed reports that are far easier to parse than the unformatted DMARC logs generated by mail gateways.