Have you put a DMARC policy in place? If not, you’re not alone. Four in every five companies aren’t using it. That’s a problem for an Internet beset by email fraud.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s a protocol that tells email servers whether to accept an email, and an important tool in the war against spam, phishing, and business email compromise (BEC).
DMARC relies on two other protocols. Sender Policy Framework (SPF) tells a receiving email server which IP addresses are authorized to send email on a domain's behalf. DomainKeys Identified Mail (DKIM) uses a cryptographic signature to verify an email sender's identity. DMARC uses the output of these protocols to decide whether a message is legitimate, and to apply policies to handle it.
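How a receiving server combines the SPF and DKIM results into a DMARC decision, as an added example that is not from the original article or the 250ok report. It is simplified: relaxed alignment only, the `sp` and `pct` tags are ignored, the organizational domain is assumed to be the last two labels, and every domain and record shown is constructed.

```python
# Added example: simplified DMARC evaluation. All domains and records are constructed.

def parse_dmarc(txt):
    """Return the tags of a DMARC TXT record as a dict, or None if unusable."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None  # e.g. an SPF record or unrelated TXT data
    # Simplification: a record without a valid p= tag is treated as no policy.
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for names like "co.uk").
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver's checks."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"      # nothing published: the receiver gets no instruction
    for result, domain in (spf, dkim):
        # A pass only counts if it authenticates the domain shown in From:.
        if result == "pass" and aligned(domain, from_domain):
            return "pass"
    return policy["p"].lower()  # none, quarantine or reject

RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"  # constructed

if __name__ == "__main__":
    print(dmarc_disposition("example.com", ("pass", "bounce.example.com"), ("none", None), RECORD))
    print(dmarc_disposition("example.com", ("pass", "unrelated.test"), ("pass", "unrelated.test"), RECORD))
    print(dmarc_disposition("example.com", ("fail", "example.com"), ("none", None), None))
```

The second call shows why DMARC adds more than SPF and DKIM alone: both checks pass, but for a domain other than the one in the From: header, so the published policy applies.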
In a report released this week, email analytics company 250ok likens DMARC to a vaccine.
“Increased support by the community builds herd immunity to impersonation and fraudulent messages designed to trick recipients into installing malware or providing information via a fake landing page,” it says.
Unfortunately, most of the herd isn’t vaccinating itself. The company analyzed 25,700 domains and found that 79.7% have no DMARC policy (which means no DMARC support).
Some sectors fared better than others. DMARC adoption in the US government’s executive branch was exemplary at 86.6%. As the report points out, this is probably because of the Department of Homeland Security’s Binding Operational Directive 18-01, published in October 2017, which mandated DMARC among federal agencies.
Conversely, the judicial and legislative branches are the worst performers with 17.3% and 13% adoption, respectively. Phishers stand a far better chance of hitting Congress or the courts than they do the White House or federal agencies.
Non-profits lagged behind even further, with just 8.6% adopting DMARC policies.
Legal firms have stepped up admirably. 57% of them had DMARC protection. That’s encouraging, as these companies are particular targets for hackers who want to access their clients’ sensitive secrets.
At 29%, DMARC adoption rates were also higher than average among Internet retailers, who are eager to protect their brands from phishers.
If you haven't put DMARC in place yet, then it's worth considering. It can help protect your company from malicious senders impersonating legitimate ones, and could help save you from malware infections and worse.