Email Security

The Use of DMARC is Growing — But it is Difficult to Configure Correctly and Completely

Valimail, an email security firm, has been looking at the incidence of fake emails. Not all emails, but just those that spoof the ‘From:’ line with a valid name and domain — that is, exact-domain sender spoofing. These are perhaps the most difficult to spot and the most dangerous, resulting in spear-phishing attacks leading to stolen credentials and BEC scams. PhishMe, now known as Cofense, claims that 91% of all cyber-attacks start with a phishing email, while Trend Micro has estimated that global BEC losses will exceed $9 billion this year.

A report from GreatHorn published at the end of July 2018 suggests that the majority of email users do not consider it to be a serious threat vector. GreatHorn’s CEO and co-founder Kevin O’Brien told SecurityWeek, “Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam.” The implication is that organizations must not rely on users to spot the difference between genuine and fake emails.

The root problem behind fake email is that the underlying mail protocol, SMTP, does not authenticate the sender: anyone can place any address in the From: line. Authentication has to be layered on from the outside, and for exact-domain sender spoofing that layer now exists in the form of SPF, DKIM and DMARC. Valimail’s analysis (PDF) of fake emails and DMARC examined a representative sample of processed emails that were subject to DMARC or SPF authentication checks.

The good news is that in Q1 2018, 96.2% of emails using DMARC authentication were identified as legitimate. Not so good is that 1.5% failed DMARC, but were from senders known to be legitimate. The worrying figure is 2.3% of the DMARC emails failed DMARC and come from suspicious or malicious senders.

2.3% may seem a low percentage, but extrapolated, it suggests that 6.4 billion fake emails are sent every day.

The use of DMARC to prevent exact-domain sender spoofing is growing — but it is difficult to configure correctly and completely. Every service that sends mail on the domain’s behalf must be found and brought under SPF or DKIM, and the policy must be moved from monitoring to an enforcing setting. DMARC builds on SPF and DKIM: a message passes only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From: header. If neither identifier aligns, the domain owner’s published policy tells the receiver what to do: nothing (p=none, deliver the message and only report on it), quarantine it (p=quarantine, typically the spam folder), or reject it (p=reject). Receivers that perform the checks then send aggregate reports of the results to the address the domain owner designates in the record, which may be the owner itself or an agent acting for it.
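The receiver-side logic described above, as an added example that is not code from the article or from Valimail: it parses a domain owner's _dmarc TXT record, checks identifier alignment for the SPF and DKIM results a receiver already holds, and returns the disposition the policy asks for. The PUBLIC_SUFFIXES set is an assumed stand-in for the full Public Suffix List, and all domain names and records in the sample scenarios are constructed for illustration.

```python
"""Minimal DMARC record parser and alignment evaluator (RFC 7489 semantics)."""
from dataclasses import dataclass

# Assumed tiny subset of the Public Suffix List; a real receiver needs the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "gov", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict and fill in RFC 7489 defaults."""
    tags = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag: {chunk!r}")
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must come first and p= must carry a known disposition, else the record is unusable.
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("record lacks a valid p= tag")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: exact match in strict mode, same org domain in relaxed."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_result: str    # receiver's SPF verdict: "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM or HELO)
    dkim_result: str   # "pass" if a signature verified, otherwise "fail"/"none"
    dkim_domain: str   # d= of the verified signature, "" if none


def evaluate(record: str, policy_domain: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    policy_domain is where the record was found: the From domain itself, or its
    organizational domain when the exact From domain publishes none, in which
    case an sp= tag (if present) governs the subdomain instead of p=.
    """
    policy = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    if r.from_domain.lower() != policy_domain.lower() and "sp" in policy:
        return "fail", policy["sp"]
    # pct= sampling is ignored here and treated as pct=100 (apply to every message).
    return "fail", policy["p"]


# Constructed record and scenarios (hypothetical domains).
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"
SCENARIOS = {
    # Own bounce subdomain passes SPF; relaxed alignment accepts it.
    "own_server": AuthResults("example.com", "pass", "bounce.example.com", "none", ""),
    # Attacker spoofs From: but can only pass SPF for its own domain.
    "spoof": AuthResults("example.com", "pass", "attacker.net", "none", ""),
    # Legitimate vendor the owner forgot to onboard: it DKIM-signs with its own d=.
    "forgotten_vendor": AuthResults("example.com", "pass", "mailer.esp-vendor.net", "pass", "esp-vendor.net"),
    # Same vendor after onboarding: it now signs with d=example.com.
    "onboarded_vendor": AuthResults("example.com", "pass", "mailer.esp-vendor.net", "pass", "example.com"),
    # Spoofed subdomain with no record of its own: sp= from the org domain applies.
    "spoofed_subdomain": AuthResults("news.example.com", "fail", "attacker.net", "none", ""),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario against RECORD."""
    return {name: evaluate(RECORD, "example.com", r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_scenarios().items():
        print(f"{name:18s} dmarc={result:4s} disposition={disposition}")
```

The "forgotten_vendor" scenario is the 1.5 percent case the article describes: mail that is genuinely from the domain owner's vendor but fails DMARC because neither authenticated identifier aligns with the From: domain, which is exactly why every sending service has to be inventoried before the policy is raised from p=none.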

Valimail finds that most companies that start to implement DMARC never quite fully succeed. The enforcement failure rate, for example (the proportion of domains with a DMARC record whose policy has not been raised to an enforcing setting of quarantine or reject), hovers around 75-80% for almost all organizations over the last three quarters. The one bright spot is U.S. federal agencies, where the failure rate tumbled from 80% in Q3 2017 to 40% in Q2 2018.


Federal agencies have also bucked the norm in all other categories examined by Valimail. By multiplying a category’s DMARC usage rate by its enforcement success rate, Valimail arrives at a fraud protection rate. Federal agencies’ fraud protection rate has grown from 4% in Q3 2017 to 43% in Q2 2018. The next best rate comes from the U.S. tech company category at less than 16% (global media companies fare worst at less than 4%).

Federal agencies are also ahead in DMARC usage. In Q3 2017, just 20% of agencies used DMARC. By Q2 2018, this had risen to more than 70%. Tech companies again come second, rising from just under 50% to just over 50% (and global media companies come bottom again at around 15%).

Valimail puts the huge improvement shown by federal agencies down to the DHS. “This is due directly to the Department of Homeland Security’s October 2017 directive requiring all executive-branch agencies to implement DMARC on a one-year timeline,” says the report. “Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive, known as BOD 18-01, has had a huge impact on DMARC usage in this group.”

“Valimail’s research shows that fake email continues to be a major problem worldwide,” comments Alexander García-Tobar, CEO and co-founder of Valimail. He added: “There are encouraging signs of progress in the fight against fake email, starting with the U.S. federal government, where we’ve seen an unprecedented deployment of anti-impersonation technologies, thanks to a mandate by the Department of Homeland Security. There’s still a long way to go, but the DHS example shows that stopping email impersonation is both critical to our highest institutions and achievable.”

Related: The Disconnect Between Understanding Email Threats and Preventing Them 

Related: DMARC Implemented on Half of U.S. Government Domains 

Related: DMARC Adoption Low in Fortune 500, FTSE 100 Companies 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
