Surveying Anti-Phishing Standards – Part 2

By Marc Laliberte, Information Security Threat Analyst, WatchGuard Technologies

In our last article, we looked at three different technology standards that combat spam and phishing attacks. If you haven’t read the first installment of this two-part series yet, check it out now to familiarize yourself with some important terms we’ll use while exploring why these anti-phishing standards aren’t more widely used today.

Sender Policy Framework (SPF) was an open standard created to prevent sender address forgery in email envelope MAIL FROM headers. At around the same time, DomainKeys Identified Mail (DKIM) was developed to authenticate approved mail servers for a domain. Finally, Domain-based Message Authentication, Reporting, and Conformance (DMARC) was a solution crafted to tie SPF and DKIM together with added reporting functionality. All three of these technologies are great at helping to stop common forms of phishing. So, why haven’t they reached 100 percent adoption?

As it turns out, SPF and DKIM adoption are actually doing quite well with email senders. According to a 2016 report by Google, 95 percent of non-spam emails received by Gmail users came from senders with SPF records, and nearly 88 percent of non-spam emails employed DKIM signing. DMARC, however, is still struggling to take off. A Federal Trade Commission report earlier this year found that only a third of surveyed companies have published DMARC records and less than 10 percent of that group have configured their DMARC records to reject unauthenticated messages.

The good news is that DMARC adoption has been seeing modest improvements. According to the Online Trust Alliance (OTA), adoption for both DMARC record and rejection/quarantine grown over the past year (from 27.4 percent to 34.3 percent and from 5.8 percent to 14.6 percent, respectively), and that the Internet Retailer and Consumer categories were the lead adopters for both. Unfortunately, organizations in the Federal and ISP categories were the laggards for records adoption, and banks and federal groups were dragging their feet in rejection/quarantine adoption.

So, while there have been humble increases in DMARC adoption, the rates are still low; especially with compliance enforcement enabled. Why might this be? For one thing, it’s common for businesses to start with a DMARC solution configured with a “none” policy while testing, which means they don’t want recipient email servers to take any action against non-compliant messages. Businesses might choose to do this if they use third-party mailer services to send newsletters since DMARC can cause these messages to be denied if misconfigured. It’s certainly important to test policy changes in phases instead of diving right in at the risk of breaking something critical, like your company’s ability to send an email.

Here are three tips that can help you properly set DMARC policies:

• First, test with a “none” policy. Mailboxes that support DMARC should still send reports on messages that fail DKIM and SPF checking. This can help you identify legitimate email sources from your domain that you may have overlooked.
• Make sure you follow the correct syntax when configuring your DMARC DNS record. Dmarc.org has a wide range of tutorials and guides that can help you with this.
• Once you have finished testing your DMARC record, change the policy to “reject” or “quarantine” to instruct recipient mailboxes on how to handle spoofed messages from your domain.

Configuration issues aren’t the only obstacle here. DMARC also suffers somewhat from the “chicken or the egg” conundrum. Some companies wonder why they should invest precious resources into testing and deploying DMARC records for their domain when recipient mail servers don’t bother verifying emails against them. It is commendable that DMARC’s adoption rate was 60 percent by mailboxes after just one year, but that percentage has only grown by 10 percent as of 2016 according to a recent report by Return Path. DMARC verification by recipient servers must increase as well, in order to help slow the growing epidemic of spam and phishing.

It is in everyone’s best interest to fully adopt protocol standards like SPF, DKIM, and DMARC. While they may take some effort to deploy, the benefits are more than worth it. Preventing spammers from spoofing your company’s domain can help you avoid costly reputation damage and shield your customers from annoying, potentially malicious emails. Enabling DMARC verification on your own mailboxes for incoming messages can also drastically reduce your chances of falling for convincing phishing attacks.

About the Author
Marc Laliberte is an Information Security Threat Analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of Internet of Things devices since joining the WatchGuard team in 2012. With speaking appearances at industry events and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.