Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/1/2016
12:38 PM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

DMARC Continues To Confound Users, Report Says

Almost three-quarters of those who deploy email authentication standard fail to get its full benefits, ValiMail says.

Relatively few companies are embracing DMARC email authentication, and of those that do, 75% of them aren't using it correctly or getting the enforcement benefit it was designed to deliver, according to a study released today by email security vendor ValiMail.

The company says it examined the email authentication policies of the S&P 500, Fortune 1000, NASDAQ 100, FTSE 100, and three groups from Alexa (top 10,000, 100,000 and 1 million sites). "DMARC adoption rates were below 50% for every measured segment, with percentages dipping into the single digits for some lists," according to ValiMail. Successful enforcement came in even lower, at 12%.

"We were surprised by the large number of companies having a hard time with DMARC," says ValiMail CTO Peter Goldstein. "We were also surprised by the consistency of the failure rate across the board -- you're not seeing an industry segment that's getting it mostly right." DMARC remains a challenge for companies of all sizes, regardless of their resources, he adds, in an interview with Dark Reading.

The Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. Together, they enable domain owners to publish whitelists of approved senders, receive reports of senders attempting to use their domain names, and then block email from unapproved senders, a process also known as enforcement.

By adopting DMARC, organizations can blunt the impact of email-borne threats like phishing, ransomware, and other advanced attacks. DMARC also is supposed to help rein in "shadow IT" operations like unauthorized email distribution that can impact brand and undercut compliance efforts. The pairing of DMARC and email has been likened by some to SSL and ecommerce, which helped secure ecommerce transactions and fostered greater online use of credit cards.

But wrangling the back ends of email systems and their notoriously complex DNS tables isn't for the faint of heart. Goldstein acknowledges that DMARC is complicated to deploy, and partly explains why ValiMail developed an automated tool to simplify DMARC deployment.

"Getting DMARC configured is difficult for large and small companies," Goldstein tells Dark Reading. In addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it's a challenge to then retrofit them all with DMARC. "Knowing what a MailChimp DNS looks like isn’t something the average IT person does, and there are hundreds of these to parse," Goldstein adds.

Still, DMARC adoption is relatively robust, according to Dan Ingevaldsen, CTO of Easy Solutions, another security vendor. DNS monitoring using DMARC has gone from 20,000 domains to 70,000-80,000 domains in the last year. "It's a huge increase, but if you compare that to the Alexa 1 million, it's obviously a lot smaller," he says.

Some of the new top-level domains (TLDs) like .bank and .secure require deployment of DMARC to use services on those domains, Ingevaldsen added, and more domain providers or registrars request DMARC be deployed by default.

"With DMARC, you are trying to clean up a decentralized, complex environment that's existed for a long time," he explains. "It then becomes a question of visibility into environment: How do you secure what you don't fully understand, or when you don't know where everything is?" These are issues most large organizations grapple with regularly.

Ingevaldsen suggests that DMARC may follow a similar trajectory to the transition from intrusion detection to intrusion prevention. "DMARC has a graduated deployment, like going from IDS to IPS," he says. So, many organizations may be content to remain in monitoring-only mode for an extended period so they can see where emails are going and who's sending them. "Over time, you ratchet it up to reject fraudulent or malicious emails," he says. "This will take time to measure and get to a full blocking policy."

Other relevant data points from the ValiMail DMARC report:

  • DMARC failure rate ranged from 62% to 80%, and had no correspondence to the organization's size; large organizations were as likely to fail at authentication as small ones.
  • DMARC adoption rates were less than 50% for every measured segment, with single-digit percentages for some entities.
  • The NASDAQ 100 checked in with the highest volume of attempted email authentication: 43%; smaller companies are less likely to authenticate, ValiMail finds.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ConL514
50%
50%
ConL514,
User Rank: Apprentice
12/7/2016 | 5:12:02 AM
DMARC adoption
The lack of adoption of DMARC. is not its complexity but rather a lack of understanding and interpretation of the results. For me it's equivalent to baking a cake as opposed to building a car engine. I might be biased by saying that the dmarcian dashboard is the best but I consider myself a cook and not an automotive engineer !!
pitrh
50%
50%
pitrh,
User Rank: Apprentice
12/2/2016 | 8:43:31 AM
The whitelisted senders feature needs clarification
The article states that DMARC allows "enable domain owners to publish whitelists of approved senders" - it is important to keep in mind that "senders" here denotes IP addresses only, not email addresses.

One rather irritating and actually quite bizarre misfeature of the spec for the DMARC reports is that the specification authors appear to think the from: address to be irrelevant.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7088
PUBLISHED: 2019-05-23
Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7096
PUBLISHED: 2019-05-23
Adobe Flash Player versions 32.0.0.156 and earlier, 32.0.0.156 and earlier, and 32.0.0.156 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7098
PUBLISHED: 2019-05-23
Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7099
PUBLISHED: 2019-05-23
Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-7100
PUBLISHED: 2019-05-23
Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.