DMARC Implementation Lags as Email Fraud Surges

As spam dominates email traffic, most domain owners still have not attempted to implement the latest and most complete form of fraud protection, DMARC.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard that ensures only authorized senders can use an organization’s domain name in their emails.

ValiMail’s 2017 Email Fraud Landscape Report shows that email fraud is a pervasive threat: One in five messages sent today comes from an unauthorized sender, many representing fraudulent activity. Yet, virtually all domains lack adequate protection. Just 0.5% of the top million domains have used email authentication to protect themselves from impersonation, leaving 99.5% vulnerable, the report found.

Over three-fourths (76%) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist. However, incorrect DMARC deployments often prevent email protection. Over three-fourths (77%) of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy. Overall, only 15% to 25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” said Alexander García-Tobar, CEO and co-founder of ValiMail. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”

The report postulated that implementing email authentication would save the average company $8.1 million per year in cybercrime costs—$16.2 billion annually across the Fortune 2000.

“ValiMail’s research demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” said Shehzad Mirza, the director of operations for the Global Cyber Alliance. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face. In order to truly protect our inboxes, we must drive greater adoption of cybersecurity technologies and protocols such as DMARC.”

The good news is that DMARC’s influence and adoption rates are steadily growing. In October 2017, the Department of Homeland Security announced it would begin requiring federal agencies to implement DMARC within 90 days. Right now, only 38% of the top government agencies have DMARC records and only 14% have reject/quarantine enforcement in advance of the January 14, 2018 deadline, the report added.
