Though you may never have heard of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or other email-authentication protocols, the people responsible for keeping the email you receive safe know them well. These mechanisms have been around for more than 10 years, and their global adoption rate is now quite respectable. In fact, thanks to SPF and DKIM, millions of users have been spared billions of malicious emails that would otherwise have landed in their inboxes.
For example, Gmail reports the following adoption numbers for 2016:
- 86.8 percent of all received emails carried a DKIM signature.
- 95.3 percent of received emails came from Mail Transfer Agents (MTAs) whose sending domain published an SPF record.
- 85 percent of received emails were protected by both standards (SPF and DKIM).
Adoption of the more recent email authentication protocol, Domain-based Message Authentication, Reporting and Conformance (DMARC), is also slowly but steadily on the rise. Figures show that more than 162,000 email domains have published DMARC's reject policy (p=reject), which has blocked millions of malicious messages impersonating those domains in phishing campaigns.
The benefits of adopting DMARC are tangible, and the standard is now becoming a regulatory requirement in several countries. One such country is the UK, as described in our blog post: United Kingdom’s Decision to Mandate DMARC Compliance: Good for the Government, Great for the Public. The Federal Trade Commission in the US and the Australian Department of Defence have also released statements calling for organizations to implement DMARC.
However, despite the rising rates, adoption has not been as fast as it ideally would be. A clear example: only 11 of the 50 largest US banks and nine of the 50 largest European banks have deployed DMARC with a policy that actually blocks fraudulent emails.
The risk is not confined to finance or e-commerce: email domain impersonation schemes target every industry, so the fraud exposure keeps growing.
The reasons why DMARC’s adoption is slower than its creators would like (in spite of its benefits) are obvious to anyone who has tried to implement the protocol. One of the biggest is the lack of visibility and control organizations have over their internal and third-party sending domains.
Even though implementing DMARC is not rocket science, many organizations stall at the initial monitoring-only policy (p=none): they need to assess the risk of tightening the policy, and without visibility into their email environment they cannot do so with confidence. So, what can they do? Below, you’ll find our recommendations for the seamless adoption of DMARC:
- Before publishing a DMARC record, make sure SPF and DKIM are in place, since DMARC evaluation is built on them: a message passes DMARC when at least one of the two passes and the domain it authenticated aligns with the domain in the visible From: header. SPF is easier to deploy and is enough to get started in the monitoring stage, but before moving to a restrictive policy you want both, because SPF breaks whenever mail is forwarded or relayed through another server, while a DKIM signature survives forwarding.
- Publish DMARC records with the monitoring-only policy (p=none) for every domain you own, active and inactive, and include a rua= address so receivers know where to send aggregate reports. This gives you the information you need to make informed decisions without changing the deliverability of your emails.
- Integrate a system for monitoring your email channel through the aggregate and forensic reports DMARC generates. The volume of data produced by monitoring can be difficult to work through, so partnering with a provider such as Easy Solutions will help you turn that information into a reject policy that blocks messages failing DMARC without affecting legitimate mail.
- Make sure the system gives you visibility of every sender transmitting mail on behalf of your organization, so you can track each one and its level of SPF/DKIM compliance. This lets you maximize the deliverability of your legitimate messages while preventing malicious or spoofed emails from reaching inboxes.
- Ensure that the implementation of DMARC is a collaborative effort: the protocol's success depends on many different departments. A group effort, rather than a siloed project, is crucial for collecting all of the data necessary to implement DMARC successfully.
- That visibility should let you plan a controlled move to more restrictive policies: from p=none to p=quarantine and then p=reject, ramping up with the pct= tag and covering subdomains with sp= as you go. With a DMARC policy fully enforced, your organization’s email communications will be more secure.
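To make the monitoring and sender-inventory steps concrete, here is an added example (written for this page; it is not Easy Solutions' tooling and not code from the original post) that reads a DMARC aggregate report in the RFC 7489 XML format and applies the rule the recommendations above rely on: a message passes only if DKIM or SPF passes and the domain that authenticated aligns with the From: domain. The report, the IP addresses, the domains and the KNOWN_SENDERS inventory are all constructed sample data, and the organisational-domain check is simplified to the last two labels instead of the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in RFC 7489 Appendix C format.
# All addresses and domains are documentation values, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <!-- corporate MTA: SPF and DKIM both pass and align -->
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <!-- marketing ESP: authenticates, but only for its own domains, so nothing aligns -->
  <record><row><source_ip>198.51.100.7</source_ip><count>340</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results></record>
  <!-- forwarded mail: SPF breaks at the forwarder, the DKIM signature survives -->
  <record><row><source_ip>203.0.113.5</source_ip><count>25</count></row>
    <identifiers><header_from>mail.example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
  <!-- spoofer: nothing authenticates -->
  <record><row><source_ip>203.0.113.99</source_ip><count>5000</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""

# Sender inventory built up during monitoring (constructed for this example).
KNOWN_SENDERS = {"192.0.2.10": "corporate MTA", "198.51.100.7": "marketing ESP"}


def org_domain(name):
    """Organisational domain, approximated as the last two labels (assumption:
    a real evaluator uses the Public Suffix List, otherwise example.co.uk -> co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') is an exact match,
    relaxed ('r') only requires the same organisational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_record(rec, adkim, aspf):
    """(dkim_aligned_pass, spf_aligned_pass) for one <record>: a mechanism
    counts only if its result is 'pass' AND its domain aligns with From:."""
    header_from = rec.findtext("identifiers/header_from")
    dkim_ok = any(a.findtext("result") == "pass" and aligned(header_from, a.findtext("domain"), adkim)
                  for a in rec.findall("auth_results/dkim"))
    spf_ok = any(a.findtext("result") == "pass" and aligned(header_from, a.findtext("domain"), aspf)
                 for a in rec.findall("auth_results/spf"))
    return dkim_ok, spf_ok


def summarize(xml_text):
    """One dict per <record>; dmarc_pass is true when either aligned check passed."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        dkim_ok, spf_ok = evaluate_record(rec, adkim, aspf)
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
                     "dmarc_pass": dkim_ok or spf_ok})
    return rows


def triage(rows, known_senders):
    """Split sources into: passing; known but failing (fix before tightening the
    policy); unknown and failing (spoofing, or a sender nobody told you about)."""
    ok = [r for r in rows if r["dmarc_pass"]]
    fix = [r for r in rows if not r["dmarc_pass"] and r["source_ip"] in known_senders]
    investigate = [r for r in rows if not r["dmarc_pass"] and r["source_ip"] not in known_senders]
    return ok, fix, investigate


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['source_ip']:<14} count={r['count']:<5} dkim={r['dkim_aligned']!s:<5} "
              f"spf={r['spf_aligned']!s:<5} dmarc={'pass' if r['dmarc_pass'] else 'FAIL'}")
    ok, fix, investigate = triage(rows, KNOWN_SENDERS)
    for r in fix:
        print(f"fix before p=quarantine: {KNOWN_SENDERS[r['source_ip']]} ({r['source_ip']})")
    for r in investigate:
        print(f"investigate: {r['source_ip']} sent {r['count']} unauthenticated messages")
```

Run it and the three situations the recommendations warn about fall out of the data: the marketing ESP is a known sender that will start failing under p=quarantine because it signs with its own domain, so its DKIM does not align (the usual fix is a DKIM key delegated under your domain or a custom return-path domain); the forwarder passes on DKIM alone, which is why SPF by itself is not enough before enforcement; and the unknown 203.0.113.99 source is exactly the traffic a reject policy exists to stop. Real reports arrive as compressed attachments at the rua= address in your record, for example `v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com`, so a production version loops over every attachment and aggregates across receivers and days.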