
Slow adoption of DMARC policy leaves email vulnerable, vendor says

A new study finds that enterprises, especially healthcare companies, are slow to adopt the DMARC email authentication standard, making them vulnerable to malicious emailers.

A new study has shown that enterprises have been slow to adopt contemporary email authentication standards. While one expert claims those standards are complex and not always effective, not implementing them could make an organization a target for malicious emailers.

San Mateo, Calif.-based security analytics firm Agari Data Inc. has released its State of Email Trust 2014 report, in which it found that more than 75% of enterprises haven't fully implemented the DMARC email authentication standard, which is considered essential to ensure a secure email message exchange.

Rising attacks and lagging security

In its report, Agari analyzed more than 6.5 billion emails each day of 2014 and surveyed 147 companies across 11 industries. Agari found that email attacks were unpredictable in both timing and severity, but the primary targets of such attacks were healthcare and banking customers. According to Agari, Q1 and Q2 saw U.S. banks targeted, but in Q3, the spoofing attacks began targeting European banks at a much higher rate.

Agari found that the most unprotected industry was healthcare, where 30% of companies surveyed were found to have no email authentication protections implemented. Additionally, emails that appeared to come from healthcare companies were four times more likely to be fraudulent than emails from social media companies like Facebook.

"Social media companies have core competencies that revolve around online communication," said Mike Jones, director of product management at Agari. "It's no surprise that those companies are more aware of these standards and are early adopters."

In the report, Agari showed that electronic retailers like Newegg Inc. or Netflix Inc., and e-payment companies like Western Union received higher ratings for what email authentication standards were implemented, while European banks and "large" American banks were near the bottom. American "mega" banks, like Chase and Capital One, were found to be in the middle of the ratings, but overall Agari found 75% of companies to be at risk of email spoofing.

Email authentication evolution

Email authentication security has been a long battle, Jones said. When the SMTP email standard was created in the 1980s, there was no concept of authentication, meaning someone sending an email could claim to be anyone. Jones said that this is a big reason why spoofing and phishing attacks became so popular.

In the 2000s, email authentication standards came into being, starting with the Sender Policy Framework (SPF), which authenticated the email sender domain, and DomainKeys Identified Mail (DKIM), which added a digital signature to sent emails. Jones said that these layers of protection were a good start, but the problem then became a matter of reporting.

"Once a domain sent an email, there was no feedback mechanism from the receiver," Jones said. "So, there was no way to know if the receiver checked the DKIM signature, and no way to tell the receiver to perform that check."  

This led to the creation of the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which added feedback reporting, and prevents cybercriminals from sending phishing attacks that appear to come from a protected domain. However, Jones said that DMARC is only about three years old, so many companies still aren't aware of it, and few have implemented the standard in order to protect against malicious emailers.

DMARC: Protection vs. degree of difficulty

Agari did find that an increasing number of enterprises are implementing DMARC, with 13 companies surveyed found to have full implementation of DMARC best practices, up from just 7 companies in 2013. Jones said that more email appliance vendors are making DMARC available in implementations, and the big consumer receivers like Google, Microsoft and Yahoo have implemented the standard, meaning more than 70% of consumer inboxes around the globe are DMARC-enabled.

Jones said that the best practice is to have all three standards (SPF, DKIM and DMARC) implemented, and have strong policies set in order to block uncertified emails from being sent to customers. However, as a start, Jones said that companies can implement DMARC in order to get a policy monitor report, which can then be used to focus actions on implementing SPF and DKIM and setting stronger policies.

Peter Firstbrook, vice president of research at Stamford, Conn.-based research firm Gartner Inc., said implementing email authentication is easier said than done.

Firstbrook agreed that one major reason for the low adoption of DMARC is because of the relative youth of the standard, but also noted that properly implementing SPF and DKIM in the enterprise can be a major headache.

"Receivers are uneasy about using a failed SPF or DKIM check as a reason to block an email," Firstbrook said. "It is still too hard to tell if those checks fail because it is a spoof or because it is a bad implementation of the standards."

Firstbrook said that even if implemented correctly, SPF isn't a foolproof indicator that an email shouldn't be trusted. He said that it should raise suspicion if SPF fails, but if nothing else about the message raises suspicion, it will still be delivered. Similarly, SPF can help stop malicious emails that appear to be sent from an official domain, but it doesn't help stop emails from an intentionally misspelled domain (e.g. rather than

Another reason why it is difficult to put SPF in place, Firstbrook said, is because the number and point of origin of email servers can change quickly, and the SPF domain log may not be updated. For example, he said that any time the marketing department hires a company to do a campaign, that log must be updated to include the IP addresses of those email servers. Without these policies in place, Firstbrook said that DMARC doesn't do much good.

"[The use of] DMARC says that you are confident in DKIM and SPF and want a 'hard block' when those checks fail," Firstbrook said. "Beyond that, there needs to be more transparency to alert the recipient when DMARC is confirmed or fails. If users could decide trustworthiness, DMARC would be more useful."
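To make concrete the policy progression Jones describes (start with a monitor-only record, then tighten) and the "hard block" semantics Firstbrook refers to, here is an added example, not code from the article or from Agari, that parses a _dmarc TXT record and computes the disposition a receiver would apply once SPF and DKIM results are in. The domains and report address are constructed, and the organizational-domain check is a simplification of what real receivers do with the public suffix list.

```python
"""Miniature DMARC policy evaluation (constructed example, not Agari's code).

Models the records the article discusses: monitor-only (p=none with an
aggregate-report address), quarantine, and hard-block (p=reject), plus the
identifier-alignment test DMARC layers on top of SPF and DKIM results.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcPolicy:
    policy: str            # none | quarantine | reject
    rua: Optional[str]     # where aggregate (monitor) reports are sent
    adkim: str = "r"       # DKIM alignment: r = relaxed, s = strict
    aspf: str = "r"        # SPF alignment: r = relaxed, s = strict


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=none; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return DmarcPolicy(tags.get("p", "none"), tags.get("rua"),
                       tags.get("adkim", "r"), tags.get("aspf", "r"))


def org_domain(domain: str) -> str:
    """Crude organizational-domain guess (last two labels); real receivers use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(policy: DmarcPolicy, from_domain: str, spf_pass: bool,
                spf_domain: str, dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass' if either SPF or DKIM passes AND aligns with the From: domain,
    otherwise the action the domain owner requested (deliver, quarantine, reject)."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy.aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy.adkim)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.policy]
```

The second test case below is the marketing-vendor situation Firstbrook raises: a legitimate sender on a subdomain passes under relaxed alignment but is rejected under strict alignment, which is why a monitor-only record is the safe first step.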

Despite those challenges, Agari found that each quarter of 2014 saw an increase in the DMARC implementation rates. The biggest barrier for enterprise adoption, according to Jones, is simply lack of awareness; organizations don't yet know the value it offers.

"The amount of work required to implement these standards is based on complexity of systems," Jones said. "The processes to implement them are well-defined, and there's no real secret. Companies just need to be aware that these protections are available."
