
Lack of Dmarc email validation puts brands and customers at risk 

There is a worldwide lack of Dmarc email validation to defend against fraud and phishing attacks, putting organisations and customers at risk, a study shows

Adoption of the domain-based message authentication, reporting and conformance (Dmarc) protocol remains low, leaving brands and consumers at risk of phishing attacks.

This is the main finding of a study by email analytics and Dmarc compliance firm 250ok, which analysed 17,000 domains across multiple industry verticals: e-retailers in the European Union (EU) and the US, higher education institutions in the EU, US and Canada, the top software-as-a-service (SaaS) companies and law firms worldwide, US non-profits and top Chinese brands.

Dmarc helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as though they have come from a trusted address. But the study found that none of the industries reviewed had achieved majority Dmarc adoption, leaving email recipients and others at risk of harmful email-based attacks.

Chinese brands were found to be the worst offenders, with more than 95% of the top 100 having no Dmarc policy in place, followed by higher education institutions, 90.2% of which had no Dmarc protection.

EU and US e-retailers fared only marginally better, with 84.4% lacking a Dmarc policy, which means more than three-quarters of e-retailers studied leave their email and their customers at risk.

In the EU, only 1.6% of e-retailers had a “reject” Dmarc policy to block any email that fails the authentication test, while 2.5% had a “quarantine” policy for emails failing the authentication test and 11.5% had adopted Dmarc but had no set policy.

Dmarc allows a domain owner to understand where their legitimate email messages are originating from and be aware of any spoofing or phishing of their brands.

“The information an organisation can learn about their domain, the assistance it can provide to the brand’s reputation, and the ability to proactively be aware of potential threats against their brands make deploying Dmarc quite simply a must,” the report said.

A Dmarc “reject” policy protects recipients by requesting that the malicious email be blocked from landing in the inbox, while a “quarantine” policy requests that it be moved to a spam or similar folder, and a “none” policy allows the email to continue to the inbox.

Of the industries studied, non-profits saw the lowest Dmarc adoption, with 94.2% in the US having no Dmarc in place, closely followed by UK non-profits, where 92.7% had no Dmarc protection.


Law firms, the “leading” industry studied, had a 38% adoption rate, which means 62% are unprotected. SaaS companies followed a close second, with a 35% adoption rate, leaving nearly two-thirds unprotected.

Dmarc is considered the industry standard for email validation to prevent attacks in which malicious third parties send harmful emails using a counterfeit address.

Dmarc has been mandated for all US federal agencies and, as part of the National Cyber Security Centre’s Active Cyber Defence (ACD) programme, for all UK government departments. The ACD programme aims to increase the risk to cyber adversaries and reduce their return on investment, in order to protect the majority of people in the UK from cyber attacks.

“In the months since the US Department of Homeland Security mandated that all federal agencies should achieve a Dmarc reject policy on all domains, we expected enterprises and NGOs [non-government organisations] to take the same steps to protect consumers,” said Matthew Vernhout, director of privacy at 250ok. “By failing to implement Dmarc, negligent brands worldwide are putting themselves and their customers directly in harm’s way.”

Given the ever-evolving nature of email, the report said, organisations that choose not to get caught in the past should start with Dmarc.

The way to build Dmarc adoption is to focus on the genuine email aspect, according to Ed Tucker, CIO of DP Governance and former head of cyber security at HMRC.

“What marketing executive doesn’t want a guaranteed delivery rate of 98%? Put simply, Dmarc is a marketing dream come true,” he wrote in an article for Computer Weekly.

“The implementation of Dmarc can make marketing campaigns and genuine email far more effective, and that means a greater ROI. You can make email an effective communication channel again, because at the moment it is not,” he said.

