Adopted enthusiastically by big Internet companies from 2012 onwards, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the latest email security technology that turned up in the nick of time.
Email was beset by phishing and address spoofing, and by the sheer difficulty of getting the earlier, well-intentioned defences (DKIM, DomainKeys Identified Mail, and SPF, Sender Policy Framework) to counter that abuse without weighing down the companies trying to deploy them.
Five years on, it’s a statement of the obvious that phishing and some forms of address spoofing are still a menace for email users and senders alike, which raises obvious questions: did DMARC change anything and, if so, was it enough?
Let’s start by offering praise where it’s due. The philosophy behind DMARC was a model of how to do Internet security. Dealing with a threat built to crawl around the large cracks in email authentication was going to need something big to match. The only option was to build DMARC at scale, which is why major players PayPal, Google, and Comcast were prominent figures. By launch, that list expanded to include every significant Internet company.
DMARC was pushing at an open door. For the first time, organisations using DKIM and SPF could add a policy to their DNS records that told others how to treat email failing their security criteria. Importantly, it provided a feedback mechanism for recipients to tell senders what was being received in their name, essential for domain owners that wanted to gain intelligence on email spoofing.
Since then, DMARC has spread deep into Fortune and FTSE 100 brands, including Bank of America, Walmart, and British Airways to name only a few. In 2015, Edward Tucker, head of cybersecurity for Britain’s HMRC national tax service – a serial target for phishing scams – described it as the “cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”
Organisations implementing it proclaimed big drops in phishing traffic. By 2016, one survey found that 29 percent of 1,000 global brands were using DMARC, a 22% rise over the previous year. The adoption rate for the US portion of the sample was a decent 42%.
Job done – or perhaps not
A second report from later in 2016 offers a less flattering view. After analysing domains from the top one million trafficked sites on Alexa, only 2.3% had made any attempt to implement DMARC authentication. The percentage for Fortune 1000 companies was 16.2%, of which only 3.8% rated it as “successful”.
As big targets for phishing (and ones with better resources), it’s no surprise that larger companies were more likely to have adopted DMARC. What stood out was the number using DMARC in a partial ‘monitoring mode’ (a policy of p=none), which still allows unauthenticated email to be delivered. It’s as if companies are frightened to turn it on for fear of the consequences.
There are various reasons for this, such as the technical demands it places on organisations that remain nervous about DKIM and SPF, let alone DMARC. The technology is also toothless without an enforcing policy, which not everyone gets around to publishing.
Another problem is that phishing criminals have evolved to exploit a broader set of weaknesses in email, especially in mobile clients. One technique is to leave the sending address untouched but spoof the display name that some clients show in its place. More advanced still is to register domains that look similar to the domain being impersonated and then send mail through servers offering DKIM/SPF authentication for those look-alike domains. Both approaches can sneak past servers not set up strictly enough, leaving DMARC mute, because DMARC only ever checks that the authenticated domain aligns with the domain in the From address, whatever that domain happens to be.
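To make the three points above concrete (a DNS policy telling receivers what to do, a monitoring-only policy that still delivers, and the two evasions that DMARC cannot see), here is a small added model of a receiver's DMARC evaluation. It is example code written for this article, not part of the original text or of any DMARC implementation. It assumes a constructed dictionary of TXT records in place of a live `_dmarc.<domain>` DNS lookup, takes the SPF and DKIM outcomes as inputs rather than computing them, and simplifies the organizational domain to the last two labels (a real receiver consults the Public Suffix List). The brand names, domains and records are all constructed.

```python
"""Added example, not from the original article: a minimal model of how a
receiving server applies a DMARC policy, plus the extra checks a receiver
needs for display-name and look-alike impersonation that DMARC cannot see."""
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified (assumption) to the last two labels;
    a real receiver uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def from_domain_of(from_header):
    """Domain of the RFC5322.From address (the display name is ignored)."""
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()


def evaluate_dmarc(from_header, records, spf_domain=None, spf_pass=False,
                   dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, disposition) for one message.

    Only the From-address domain decides which policy applies, which is why
    display-name and look-alike tricks sail through with a clean 'pass'."""
    domain = from_domain_of(from_header)
    txt = records.get(domain) or records.get(org_domain(domain))
    if txt is None:
        return ("none", "none")  # no policy published: nothing to enforce
    rec = parse_dmarc_record(txt)
    spf_ok = spf_pass and aligned(domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", rec["p"])  # p=none is monitoring mode: delivered anyway


def edit_distance(a, b):
    """Plain Levenshtein distance, used for a crude look-alike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_impersonation_flags(from_header, brand_name, brand_domain):
    """Checks layered on top of DMARC: the display name claims the brand but
    the address domain is not the brand's, or the domain is one edit away."""
    name, _ = parseaddr(from_header)
    domain = from_domain_of(from_header)
    flags = []
    if brand_name.lower() in name.lower() and org_domain(domain) != org_domain(brand_domain):
        flags.append("display-name-spoof")
    if domain != brand_domain.lower() and edit_distance(domain, brand_domain.lower()) <= 1:
        flags.append("look-alike-domain")
    return flags


RECORDS = {  # constructed stand-in for the TXT records at _dmarc.<domain>
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",  # monitoring only
    "bamk.example": "v=DMARC1; p=reject",  # look-alike domain, attacker-controlled
    "promo-mail.example": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    # Direct spoof of bank.example fails alignment and is rejected; the same
    # spoof of shop.example fails too but p=none lets it through.
    print(evaluate_dmarc("Bank <alerts@bank.example>", RECORDS,
                         spf_domain="attacker.example", spf_pass=True))
    print(evaluate_dmarc("Shop <news@shop.example>", RECORDS,
                         spf_domain="attacker.example", spf_pass=True))
    # Display-name and look-alike messages both get a clean DMARC pass.
    spoof = "Bank Example Support <alerts@promo-mail.example>"
    print(evaluate_dmarc(spoof, RECORDS, spf_domain="promo-mail.example", spf_pass=True),
          brand_impersonation_flags(spoof, "Bank Example", "bank.example"))
    lookalike = "alerts@bamk.example"
    print(evaluate_dmarc(lookalike, RECORDS, dkim_domain="bamk.example", dkim_pass=True),
          brand_impersonation_flags(lookalike, "Bank Example", "bank.example"))
```

The point of the last two cases is that DMARC returns `pass` with a disposition of `none` for both the display-name spoof and the look-alike domain, exactly as the article says: the attacker's own domain authenticates perfectly well, so only the separate brand-impersonation checks raise a flag. The `shop.example` case shows monitoring mode: the message fails DMARC, the failure will show up in the aggregate reports sent to the `rua` address, but the mail is still delivered.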
In fairness, DMARC was never intended to be a panacea, simply one more tool in a chest that held far too few. Harder to explain is the apparent lack of urgency among medium and smaller organizations which, the figures suggest, persist in seeing email authentication with DMARC as someone else’s problem.
It could simply be that even though organizations still heavily depend on email, they’ve lost interest in it, preferring to sink their security investment elsewhere. This bodes ill for DMARC take-up and might require large enterprises to attempt to enforce email authentication across their suppliers as well as themselves. It’s a tall order. As ever, the barriers to improving security are cultural and economic as much as technical.