Feb 23, 2017

Even Cyber Security Leaders Struggle With Email Safety

Using sender identity to stop phishing

RSA is one of the largest cybersecurity providers in the world, and its annual conference in San Francisco, happening this week, draws tens of thousands of attendees. People come from all over the world to see the latest advances in cybersecurity from more than 500 exhibitors and hundreds of expert speakers.

RSA represents the cutting edge of security in many ways. And there’s no doubt that the companies who exhibit and sponsor the event are leaders in the security space.

That’s why it’s surprising to see that so few of these companies are actually using the latest and most powerful email authentication tool: the open DMARC standard.

We used Valimail’s domain checker to examine the email authentication status for RSA’s 62 sponsors, from the “Diamond” level all the way down to “Bronze.” What we found was that only one company — Microsoft — had implemented DMARC correctly and set it to enforcement mode.

Of the remaining domains, 4 had DMARC records with configuration errors, one was set to limited enforcement, and 15 were set to no enforcement (p=none).

That leaves 41 RSA sponsors who have no DMARC records at all.

The sponsor cohort is doing better when it comes to SPF, with 41 correctly-configured SPF records, 17 who have published records with errors, and only four who have no SPF record at all.

Why Does Email Authentication Matter?

Without authentication, it’s trivially easy for fraudsters to forge an email and make it appear like it’s coming from your bank, a tech company, or some other trusted entity: All they have to do is put the company’s email address in the From field of their email message.

Email authentication stops that kind of fraud, by giving mail servers tools to validate email messages they receive.

DMARC is the most powerful of those tools: It’s an open standard that helps email servers determine whether incoming email is coming from a server authorized by the domain shown in the From field.

It is supported by 85 percent of consumer email inboxes in the U.S., including those from Gmail, Microsoft Hotmail/Live.com mail, Yahoo, AOL, and others. There’s no more effective way to prevent same-domain phishing (emails from fraudsters impersonating a company by using its domain name in the From: or Reply-to: field of their faked emails). Since phishing is one of the leading ways that hackers gain entry into target networks, DMARC has enormous potential to increase overall cybersecurity.

Indeed, the industry is embracing email authentication. Research by Farsight shows that DMARC implementation on the sender side (by corporate domains) is increasing exponentially. But due to the complexity of the standard (and limitations in its associated standards, DKIM and SPF), there is a roughly 70 percent failure rate among all companies attempting to implement DMARC. Many publish DMARC records with errors, or publish a DMARC record but don’t ever turn on the enforcement benefits it provides.
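To make the audit categories above concrete, here is an added example (not Valimail’s domain checker or any code from the original post) that classifies a domain’s DMARC TXT record into the same buckets the sponsor counts use: no record, record with errors, no enforcement (p=none), limited enforcement, and full enforcement. The sample records are constructed, and reading “limited enforcement” as a blocking policy with pct below 100 is an assumption.

```python
# Constructed sample records for the _dmarc.<domain> TXT lookup (not real sponsor data).
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # required p= tag missing
    "missing.example": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify_dmarc(record):
    """Return 'none', 'error', 'no-enforcement', 'limited-enforcement' or 'enforcement'."""
    if record is None:
        return "none"
    try:
        pairs = parse_dmarc(record)
    except ValueError:
        return "error"
    # RFC 7489 section 6.3: v=DMARC1 must be the first tag and p= is required.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return "error"
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject") or not pct.isdigit() or int(pct) > 100:
        return "error"
    if policy == "none":
        return "no-enforcement"
    # Assumption: 'limited enforcement' = a blocking policy applied to only a sample (pct<100).
    return "limited-enforcement" if int(pct) < 100 else "enforcement"

def audit(records):
    """Tally each domain's classification the way the sponsor counts above are reported."""
    counts = {}
    for record in records.values():
        status = classify_dmarc(record)
        counts[status] = counts.get(status, 0) + 1
    return counts
```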

Cybersecurity companies are not doing much better, as we have found. But don’t just take our word for it. A study by the Global Cyber Alliance released this week found that, of the 587 email domains used by companies exhibiting at RSA, only 15 percent had set up a DMARC record. What’s more, the GCA found, of the 90 domains that do have a DMARC record, only 65 had it set to monitoring-only mode (p=none), which means there is no enforcement whatsoever. Only 25 domains in all had specified that emails failing authentication should be sent to spam (p=quarantine) or deleted (p=reject).

We agree with the GCA (of which we’re a member) that “It is time for the cybersecurity industry to lead the charge and push for DMARC use across the globe.”

“As world leaders in cybersecurity, we can do better,” said Philip Reitinger, President and CEO of GCA. We agree.
