DMARC Continues To Confound Users, Report Says

Relatively few companies are embracing DMARC email authentication, and of those that do, 75% of them aren't using it correctly or getting the enforcement benefit it was designed to deliver, according to a study released today by email security vendor ValiMail.

The company says it examined the email authentication policies of the S&P 500, Fortune 1000, NASDAQ 100, FTSE 100, and three groups from Alexa (top 10,000, 100,000 and 1 million sites). "DMARC adoption rates were below 50% for every measured segment, with percentages dipping into the single digits for some lists," according to ValiMail. Successful enforcement came in even lower, at 12%.

"We were surprised by the large number of companies having a hard time with DMARC," says ValiMail CTO Peter Goldstein. "We were also surprised by the consistency of the failure rate across the board -- you're not seeing an industry segment that's getting it mostly right." DMARC remains a challenge for companies of all sizes, regardless of their resources, he adds, in an interview with Dark Reading.

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. Together, they enable domain owners to publish whitelists of approved senders, receive reports of senders attempting to use their domain names, and then block email from unapproved senders, a process also known as enforcement.

By adopting DMARC, organizations can blunt the impact of email-borne threats like phishing, ransomware, and other advanced attacks. DMARC also is supposed to help rein in "shadow IT" operations like unauthorized email distribution that can impact brand and undercut compliance efforts. The pairing of DMARC and email has been likened by some to SSL and ecommerce, which helped secure ecommerce transactions and fostered greater online use of credit cards.

But wrangling the back ends of email systems and their notoriously complex DNS tables isn't for the faint of heart. Goldstein acknowledges that DMARC is complicated to deploy, and partly explains why ValiMail developed an automated tool to simplify DMARC deployment.

"Getting DMARC configured is difficult for large and small companies," Goldstein tells Dark Reading. In addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it's a challenge to then retrofit them all with DMARC. "Knowing what a MailChimp DNS looks like isn’t something the average IT person does, and there are hundreds of these to parse," Goldstein adds.

Still, DMARC adoption is relatively robust, according to Dan Ingevaldsen, CTO of Easy Solutions, another security vendor. DNS monitoring using DMARC has gone from 20,000 domains to 70,000-80,000 domains in the last year. "It's a huge increase, but if you compare that to the Alexa 1 million, it's obviously a lot smaller," he says.

Some of the new top-level domains (TLDs) like .bank and .secure require deployment of DMARC to use services on those domains, Ingevaldsen added, and more domain providers or registrars request DMARC be deployed by default.

"With DMARC, you are trying to clean up a decentralized, complex environment that's existed for a long time," he explains. "It then becomes a question of visibility into environment: How do you secure what you don't fully understand, or when you don't know where everything is?" These are issues most large organizations grapple with regularly.

Ingevaldsen suggests that DMARC may follow a similar trajectory to the transition from intrusion detection to intrusion prevention. "DMARC has a graduated deployment, like going from IDS to IPS," he says. So, many organizations may be content to remain in monitoring-only mode for an extended period so they can see where emails are going and who's sending them. "Over time, you ratchet it up to reject fraudulent or malicious emails," he says. "This will take time to measure and get to a full blocking policy."

Other relevant data points from the ValiMail DMARC report:

Related Content: