DMARC anti-phishing standard adoption is lagging even in big firms
We could cut down on e-mail spoofing, but we don't
Big-name companies are still leaving themselves and their customers open to phishing because they haven't implemented the DMARC message validation standard.
In this year's DMARC adoption report [PDF], phishing prevention specialist Agari reckons two-thirds of the Fortune 500 have yet to implement Domain-based Message Authentication, Reporting and Conformance (DMARC).
Specified in RFC 7489, DMARC builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to defeat e-mail spoofing: the domain owner publishes a DNS record telling receivers what to do with mail that fails those checks for its domain. It was originally put forward by Google, Microsoft, AOL, Facebook, Yahoo!, PayPal and others.
Agari's data-gathering was straightforward: it analysed the DNS records of its targets – which also included companies in the Financial Times Stock Exchange (FTSE) 100 and the Australian Securities Exchange (ASX) 100 – using its own DMARC record tool.
The FTSE 100 had the same non-adoption rate of 67 per cent, while Australian companies care even less, with 73 per cent having no DMARC policy record.
Even among those that have published a DMARC record, hardly any use it for anything more than monitoring: a monitoring-only policy accounts for 25 per cent of the Fortune 500, 26 per cent of the FTSE 100 and 23 per cent of the ASX 100.
A “quarantine” or “reject” policy appeared at only eight per cent of Fortune 500 companies, seven per cent of FTSE 100 companies and four per cent of ASX 100 companies.
Agari reckons that's an open door to e-mail spoofing, since the point of DMARC is that it both confirms the domain in a message's From: header is backed by an SPF or DKIM result for that same domain, and, through its reporting feed, builds a register of the e-mail systems sending as the domain, including those used by spammers and scammers. To help things along, back in 2012 Agari made its Receiver Program free to try and encourage adoption.
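The two halves of DMARC described above, the record a survey tool reads and the alignment check a receiver performs, as an added example that is not part of the original article and is not Agari's tool or code from the report. It assumes the record text has already been fetched from DNS (the sample records below are constructed, not real companies' records) and, as an acknowledged simplification, takes the organisational domain to be the last two labels rather than consulting the Public Suffix List.

```python
"""Classify DMARC TXT records and evaluate identifier alignment.
Added example for this article, not Agari's tool or code from the report.
SAMPLE_RECORDS is constructed; real records live in the TXT record at _dmarc.<domain>."""

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(record):
    """Return a dict of tags for a valid DMARC record, else None. RFC 7489:
    tags are ';'-separated, 'v=DMARC1' must come first and match exactly,
    and 'p' is required. Unknown tags are kept but unused."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: treat the record as unusable
        key, val = part.split("=", 1)
        tags[key.strip().lower()] = val.strip()
    if record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    if tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def classify(record):
    """Bucket a record the way an adoption survey would."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"status": "no valid record", "policy": None, "subdomain_policy": None,
                "pct": None, "reporting": False, "warnings": []}
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()  # sp defaults to p
    if sp not in POLICIES:
        sp = policy  # RFC 7489: a malformed tag is ignored, so the default applies
    try:
        pct = min(max(int(tags.get("pct", "100")), 0), 100)
    except ValueError:
        pct = 100  # default when the value is not an integer
    if policy == "none":
        status = "monitoring only"
    elif pct < 100:
        status = "partial enforcement"
    else:
        status = "enforcing"
    warnings = []
    if POLICIES.index(sp) < POLICIES.index(policy):
        warnings.append("subdomains get weaker policy sp=%s" % sp)
    if policy != "none" and pct == 0:
        warnings.append("pct=0: the stated policy applies to no mail")
    return {"status": status, "policy": policy, "subdomain_policy": sp,
            "pct": pct, "reporting": "rua" in tags, "warnings": warnings}


def org_domain(domain):
    """Organisational domain, simplified here to the last two labels. Real code
    uses the Public Suffix List, or 'example.co.uk' collapses to 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 s3.1 alignment: strict ('s') needs an exact domain match,
    relaxed ('r', the default) needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, record_domain=None, spf_domain=None,
             spf_pass=False, dkim_domain=None, dkim_pass=False):
    """'pass' if SPF or DKIM passed for a domain aligned with the RFC5322.From
    domain; 'no record' if there is no policy; otherwise the disposition the
    record requests (sp when From is a subdomain of record_domain)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no record"
    if spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r").lower()):
        return "pass"
    if dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r").lower()):
        return "pass"
    policy = tags["p"].lower()
    if record_domain and from_domain.lower() != record_domain.lower():
        sp = tags.get("sp", policy).lower()
        policy = sp if sp in POLICIES else policy
    return policy


SAMPLE_RECORDS = {  # constructed for this example, not real companies' records
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "enforce.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
    "leaky.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "broken.example": "p=reject; v=DMARC1",  # v not first: not a DMARC record
    "absent.example": "",
}
```

Running `classify` over the sample records reproduces the three survey buckets (no record, monitoring only, enforcing) and flags the two quiet ways an apparently strict record falls short: a `pct` below 100, and an `sp` weaker than `p`, which leaves every subdomain spoofable. `evaluate` shows why the policy matters: a phisher whose own bulk sender passes SPF still fails DMARC, because `bulk-sender.example` does not align with the From: domain, whereas the owner's `mail.enforce.example` signature passes under relaxed alignment and fails under `adkim=s`.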
The IT industry and telcos in particular can hang their heads in shame: apart from 21 per cent of US tech companies using DMARC and a mere one per cent of US telcos, adoption is zero elsewhere (people, even Twitter thinks it's a good idea).
“Deploying a DMARC policy where p=none is simple, but it is only the first step. Organisations must Quarantine, Reject and maintain strong email governance to reap the benefits of DMARC”, the report concludes. ®