DMARC's abysmal adoption explains why email spoofing is still a thing
Businesses worldwide are still overlooking DMARC, an email security protocol designed to prevent email spoofing, the technique behind most phishing emails and business email compromise (BEC) scams.
According to a report that analyzed the DMARC records of 21,075 commercial and government domains, 79.7% had no DMARC policy at all.
The survey, conducted by email security and analytics firm 250ok, looked at domains from Fortune 500 companies, the US government, the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, education, e-commerce, and financial services, among other industries.
The study focused on DMARC because of the protocol's importance in stopping spoofed mail.
WHAT IS DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on two older standards, the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). A domain owner publishes its DMARC policy as a DNS TXT record at _dmarc.<domain>, and receiving mail servers look that record up whenever a message claiming to come from the domain arrives.
The policy tells receivers how to treat a message whose visible "From:" domain is not backed by an SPF or DKIM result that aligns with it: monitor only (p=none), quarantine it (p=quarantine), or reject it outright (p=reject). The record can also request aggregate reports (rua=) so the owner can see who is sending mail in its name.
It is the best tool organizations currently have for catching spoofed emails that appear to come from an employee or contractor but were actually sent by a threat actor impersonating a legitimate sender.
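The following Python sketch is an added example, not code from the article or from 250ok. It shows what a receiving mail server does with a published DMARC record: parse the record, check whether the SPF- and DKIM-authenticated domains align with the From: header domain (relaxed or strict alignment), and apply the published policy. The domains, records and authentication results are constructed for the example, and the organizational-domain logic is a simplification (real receivers consult the Public Suffix List).

```python
"""Receiver-side DMARC evaluation: parse the published record, test identifier
alignment against the From: domain, and apply the policy.
Added example; all domains and records below are constructed."""
from dataclasses import dataclass, field
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers use the Public Suffix List (so 'co.uk' is handled);
    this shortcut is an assumption of the example, not DMARC's actual rule."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict and fill the RFC 7489
    defaults (relaxed alignment, subdomain policy inherits p=, pct=100)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    for key in ("p", "sp", "adkim", "aspf"):
        if key in tags:
            tags[key] = tags[key].lower()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags["pct"] = int(tags.get("pct", "100"))  # sampling percentage; not applied below
    return tags


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain, relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                      # domain in the RFC5322.From header
    spf_result: str                       # 'pass', 'fail', 'none', ...
    spf_domain: Optional[str] = None      # MailFrom (or HELO) domain SPF checked
    dkim_pass_domains: list = field(default_factory=list)  # d= of each verified signature


def evaluate_dmarc(record_txt: str, r: AuthResults, is_subdomain: bool = False) -> dict:
    """DMARC passes if at least one authenticated identifier aligns with From:.
    On failure the disposition follows p= (or sp= for subdomains); p=none only
    reports, it never blocks."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, rec["aspf"])
    dkim_ok = any(aligned(d, r.from_domain, rec["adkim"]) for d in r.dkim_pass_domains)
    dmarc_pass = spf_ok or dkim_ok
    policy = rec["sp"] if is_subdomain else rec["p"]
    if dmarc_pass or policy == "none":
        disposition = "deliver"   # p=none is monitoring mode: failure is reported, not acted on
    else:
        disposition = policy      # 'quarantine' or 'reject'
    return {"pass": dmarc_pass, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "policy": policy, "disposition": disposition, "rua": rec.get("rua")}


# Constructed scenarios. The spoofed message claims to be from example.com but was
# sent from attacker-controlled infrastructure whose own SPF and DKIM both pass;
# neither identifier aligns with the From: domain, so DMARC fails.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

SPOOFED = AuthResults(from_domain="example.com", spf_result="pass",
                      spf_domain="attacker.example", dkim_pass_domains=["attacker.example"])
LEGIT = AuthResults(from_domain="example.com", spf_result="pass",
                    spf_domain="mail.example.com", dkim_pass_domains=["example.com"])

if __name__ == "__main__":
    for name, rec in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCING)):
        for label, msg in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
            print(f"{name:9} {label:11} -> {evaluate_dmarc(rec, msg)}")
```

Running it shows the point the adoption figures turn on: the spoofed message fails DMARC under both records, but with p=none it is delivered anyway and only shows up in the aggregate report, while p=reject blocks it. The legitimate message passes either way; under the strict record its SPF identifier (mail.example.com) no longer aligns, so delivery rests on the DKIM signature, which is why strict alignment needs care before moving to enforcement.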
DMARC ADOPTION STILL VERY LOW
Although DMARC has been available for years, many businesses still have not deployed it.
Because attackers can easily make their emails look convincing and pass them off as official communications, most businesses remain vulnerable to BEC attacks, phishing, and other email scams.
According to Agari research from November 2018, half of Fortune 500 companies published a DMARC record, but only 13% had set a reject policy, meaning the remainder had deployed DMARC without enforcing it and so were not blocking spoofed mail sent in their name.
A quarter later, in February 2019, the share of Fortune 500 companies enforcing a DMARC policy had risen to 15%, a modest increase that still left hundreds of the world's largest corporations exposed.
DMARC ADOPTION IN CHINA LAGGING BEHIND
According to the recent 250ok report, the share of Fortune 500 businesses using DMARC policies has grown to 23%, which is still low.
SaaS 1000 companies had the best adoption, according to 250ok, with 46 percent using DMARC.
The US government was another sector with a relatively high level of DMARC adoption, though it was unevenly distributed.
In October 2017, the Department of Homeland Security (DHS) issued Binding Operational Directive (BOD) 18-01, which required federal agencies to adopt a set of web and email security measures, including publishing a DMARC record and moving it to a reject policy within a year.
According to 250ok, the executive branch appears to have taken the directive seriously: 81.5 percent of its .gov domains use a DMARC policy to prevent spoofed emails.
The legislative and judicial branches, on the other hand, lagged badly, with only 17.3 percent and 13.0 percent of their domains, respectively, publishing DMARC policies, leaving their employees exposed to spoofed mail.
Outside of SaaS companies and some .gov domains, however, DMARC is not widely used. 250ok found the lowest adoption rate in China, where only 6.5 percent of surveyed organizations used DMARC policies to protect against spoofed email.
The 250ok report offers one explanation: "While most Chinese people have email addresses, they prefer to communicate through one of their local social media platforms, such as WeChat, or SMS, according to Quartz.com. This would further corroborate the notion that email is not a priority for enterprises or consumers in the region, and it would shed more light on the general lack of email authentication uptake."
TANGIBLE BENEFITS ABOUND
Deploying DMARC can be challenging because it depends on SPF and DKIM being set up correctly first, but the benefits for businesses that do so are substantial.
According to the FBI, BEC scams, the costliest category of cybercrime reported to it in 2018, cost US businesses approximately $1.3 billion that year.
For comparison, a report released in October 2018 by the Global Cyber Alliance estimated that DMARC adoption saved organizations between $19 million and $66 million in BEC losses that year.
DMARC is no cure-all. It stops only exact-domain spoofing, not lookalike domains or display-name tricks, and it blocks nothing until the policy is moved from p=none to quarantine or reject. Within that scope, however, it removes one of the attacker's most reliable tools, and once the initial setup is done it helps businesses defend against one of today's most damaging forms of cybercrime.
Source: https://cyber-security-information.blogspot.com/2021/08/dmarcs-abysmal-adoption-explains-why.html