The Use of DMARC is Growing — But it is Difficult to Configure Correctly and Completely
Valimail, an email security firm, has been looking at the incidence of fake emails. Not all emails, but just those that spoof the ‘From:’ line with a valid name and domain — that is, exact-domain sender spoofing. These are perhaps the most difficult to spot and the most dangerous, resulting in spear-phishing attacks leading to stolen credentials and BEC scams. PhishMe, now known as Cofense, claims that 91% of all cyber-attacks start with a phishing email, while Trend Micro has estimated that global BEC losses will exceed $9 billion this year.
A report from GreatHorn published at the end of July 2018 suggests that the majority of email users do not consider it to be a serious threat vector. GreatHorn’s CEO and co-founder Kevin O’Brien told SecurityWeek, “Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam.” The implication is that organizations must not rely on users to spot the difference between genuine and fake emails.
The problem leading to all fake emails is the lack of authentication security in the email application. All security has to be applied from the outside; but this has been done for exact-domain sender spoofing — DMARC, SPF and DKIM. Valimail’s analysis (PDF) of fake emails and DMARC examined a representative set of processed emails asking for DMARC or SPF authentication.
The good news is that in Q1 2018, 96.2% of emails using DMARC authentication were identified as legitimate. Not so good is that 1.5% failed DMARC, but were from senders known to be legitimate. The worrying figure is 2.3% of the DMARC emails failed DMARC and come from suspicious or malicious senders.
2.3% may seem a low percentage, but extrapolated, it suggests that 6.4 billion fake emails are sent every day.
The use of DMARC to prevent exact-domain sender spoofing is growing — but it is difficult to configure correctly and completely. Every single service that sends emails must be found and included, and the policy must be set to enforced. DMARC, using SPF or DKIM authentication, aligns the stated sender with the actual source. If the alignment fails, the domain owner can choose between doing nothing (let it go through anyway), send it to a spam folder, or delete it. The mail gateway performing the checks then reports the results to the domain owner or a designated agent.
Valimail finds that most companies that start to implement DMARC never quite fully succeed. The enforcement failure rate, for example, hovers around 75-80% for almost all organizations over the last three quarters. The one bright spot is U.S. federal agencies. Here the failure rate tumbled from 80% in Q3 2017 to 40% in Q2 2018.
Federal agencies have also bucked the norm in all other categories examined by Valimail. By multiplying the category’s DMARC usage rate with its enforcement success rate, Valimail comes up with a fraud protection rate. Federal agencies’ fraud protection rate has grown from 4% in in Q3 2017 to 43% in Q2 2018. The next best rate comes from the U.S. tech company category at less than 16% (global media companies fare worst at less than 4%).
Federal agencies are also ahead in DMARC usage. In Q3 2017, just 20% of agencies used DMARC. By Q2 2018, this had risen to more than 70%. Tech companies again come second, rising from just under 50% to just over 50% (and global media companies come bottom again at around 15%).
Valimail puts the huge improvement shown by federal agencies down to the DHS. “This is due directly to the Department of Homeland Security’s October 2017 directive requiring all executive-branch agencies to implement DMARC on a one-year timeline,” says the report. “Since the executive branch accounts for the vast majority of the 1,315 federal .gov domains, that directive, known as BOD 18-01, has had a huge impact on DMARC usage in this group.”
“Valimail’s research shows that fake email continues to be a major problem worldwide,” comments Alexander García-Tobar, CEO and co-founder of Valimail. He added: “There are encouraging signs of progress in the fight against fake email, starting with the U.S. federal government, where we’ve seen an unprecedented deployment of anti-impersonation technologies, thanks to a mandate by the Department of Homeland Security. There’s still a long way to go, but the DHS example shows that stopping email impersonation is both critical to our highest institutions and achievable.”