You may recall that last October, we wrote about OnDMARC (‘On DMARC, Get Set, Go…’) who are, in their own words ‘a cloud-based application that enables organisations to quickly configure SPF, DKIM and DMARC for all their legitimate email sources. This instantly blocks any email impersonation-based phishing attacks.’
Just to refresh you, DMARC, or Domain-based Message Authentication, Reporting and Conformance is an open-source email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorised use, commonly referred to as ‘email spoofing.’
Its sole purpose in life is to protect a domain (for example britishairways.com) from being used in business email compromise (BEC) attacks, phishing emails, email scams and other cyber threats.
It’s a no-brainer, isn’t it? As we may have mentioned, over 90% of email attacks are based on fake sender identities, either of brands (83%+) or individuals (7%+). There is one type of impersonation – known as exact-domain impersonation – that occurs when the cyberbaddies use a domain in the “From” field of the message that is actually owned by the business they’re impersonating. This type of impersonation can be stopped by DMARC.
Put simply, email authentication – the verification that an email really does come from the domain it says it comes from – is based on a set of widely accepted standards. In fact over 80% of the world’s inboxes check to see that the sender is permitted to use the address in the ‘From’ field.
In fact, DMARC (and its underlying technologies of SPF and DKIM) is now so widely recognised as best practice that the Netherlands (comply-or-explain) and California (SIMM 5315-A) have mandates requiring its use. Back in 2017, the US Federal Trade Commission published a report promoting the widespread adoption of DMARC, concluding that ‘businesses can help reduce the number of phishing email messages and protect their reputations by fully implementing the low cost, readily available email authentication solutions.’
So we ask the question, if DMARC will protect your domain from imposters, it’s available everywhere and doesn’t cost a fortune…
Why Are Adoption Levels So Abysmally Low?
‘Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC’
Matthew Vernhout, Director of Privacy, 250ok
Let’s open with some rather damning statistics (correct up to the start of 2020) on the state of DMARC adoption, hand-picked from Valimail’s Email Fraud Landscape Report –
- 934,000 websites were using DMARC records (up 70% year-on-year)
- Of the 1.7bn web domains, that represents just 0.05%
- Only 13% of those using DMARC records are configured with enforcement policies*
- In the UK, only four of the top 10 online retailers have top level DMARC protection
- Only 20% of the biggest US companies have effective DMARC implementations
*Without enforcement policies, mail receivers will take no meaningful action against domain-impersonating emails that fail authentication, such as rejecting or quarantining suspect messages.
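The enforcement gap in the statistics above comes down to the p= tag in a domain’s _dmarc TXT record. The following is an added illustration (not code from OnDMARC, dmarcian or Koncise) that classifies a record as monitoring-only, partially enforced or fully enforced; the domains and records are constructed samples, not real published policies.

```python
"""Classify DMARC records by enforcement level (added illustration, not a vendor's code)."""
from typing import Optional

# Constructed sample records; the domains are placeholders, not real published policies.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@partial.example",
    "enforced.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@enforced.example",
    "lax-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "p=reject; v=DMARC1",  # v= must be the first tag, so receivers ignore this
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Optional[dict]:
    """Split a DMARC TXT record into a tag dict; None if receivers would not treat it as DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag and a valid p= policy
    if parts[0].replace(" ", "").lower() != "v=dmarc1" or tags.get("p") not in VALID_POLICIES:
        return None
    return tags


def enforcement_level(txt: str) -> str:
    """Return 'invalid', 'monitoring', 'partial', 'subdomains-open' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    if tags["p"] == "none":
        return "monitoring"          # reports only; failing mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                    # this checker treats a malformed pct as the default 100
    if pct < 100:
        return "partial"             # policy applied to only pct% of failing messages
    if tags.get("sp", tags["p"]) == "none":
        return "subdomains-open"     # organisational domain enforced, subdomains left unprotected
    return "enforced"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:26} {enforcement_level(record)}")
```

Run the same function over your own domain’s _dmarc TXT record to see which of the five categories you fall into; only ‘enforced’ counts as the top-level protection the statistics refer to.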
‘The good news is that DMARC adoption rates are better than in previous years, however the bad news is that the needle is moving too slowly to make a difference.’ Catalin Cimpanu, ZDnet.com
The Obstacles In The Way
Dan Levinson, Senior Technical Account Manager of dmarcian (the clue to what the business does is in the name) is an advocate of DMARC (as are we at Koncise) but he understands the obstacles to widespread adoption of what – on the surface – is something every SME through to enterprise domain owner needs to be doing.
Note: When Mr Levinson refers to ‘email sources’, a source is his term for any company that offers its clients the ability to send emails using their own domain.
Email sources have excelled in providing their customers with options for SPF, DKIM and DMARC deployment but there appears to be little direction or guidance provided by many of them. ‘Often, DMARC is only listed as an option without the broader context of its inherent value and benefits.’
It is important that technology is flexible, and on the one hand he commends sources for making DMARC accessible; on the other, he isn’t best pleased with them, since they don’t play a more active role in recommending it and making their end-users more mindful of it.
The assumed challenge for email sources is that they are operating in an exceptionally competitive market environment and they work extremely hard to take away any obstacles their customers might run into sending emails on their platform. ‘Matters of authentication and collaborating with peers residing over DNS are often met with challenges related to change-management authority, gaps in understanding and priorities. To combat these obstacles, many sources have elected to make basic email authentication optional.’
Notwithstanding anything else, with the ever-increasing adoption of marketing automation emails, the sender probably won’t have a direct relationship with the source sending the message. What DMARC does is expose these gaps and affords domain admins the necessary visibility to bring about improved authentication coverage.
Better, More Secure Email Is A Collaboration
Who remembers the term ‘netizen?’
It was coined in the Usenet groups in the 1990s by an Internet theorist called Michael Hauben. Hauben pioneered the study of the social impact of the Internet and, as cultural anthropologist Shirley Fedorak wrote, ‘identified a new form of citizenship emerging from widespread use of the Internet.’
He described the word netizen thus:
‘These people understand the value of collective work and the communal aspects of public communications. These are the people who discuss and debate topics in a constructive manner, who e-mail answers to people and provide help to new-comers, who maintain FAQ files and other public information repositories, who maintain mailing lists, and so on. These are people who discuss the nature and role of this new communications medium.’
We’ve digressed slightly but we’re getting to the point. Email is a unique medium. No-one really owns it yet we all use it and it remains dependent on the good faith and collaborative efforts of many to make it work for all. The same goes for DMARC and its underlying technologies. As open-source protocols, they’re not owned by anyone but they increase the reliability of email as a communication medium.
‘We all benefit from better email; ultimately, it is in everyone’s best interest (sources, businesses, governments and individuals) to adopt a good netizen attitude toward it. Only through cooperation, collaboration and education will the dependability, trustworthiness and longevity of email be ensured.’
In true Churchillian oratorical style, ‘We must all play our part, we must give more of our energy, our creativity, our ingenuity and our good management. We must toil. We must draw upon our collective spirits. We must make email safe for all.’
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what you’d rather do – see one hour into your own future or see one hour in the future of anyone but yourself?