DMARC should be catnip for email security – why aren’t firms using it?

When DMARC (Domain-based Message Authentication, Reporting, and Conformance) launched in 2012, it looked to some as if the Utopia of a fully “authenticated email world” was out there.

It’s a mouthful to say and, apparently, it’s been a handful to implement with new figures suggesting that DMARC’s promised land remains elusive.

Despite strong backing at launch from Microsoft, Facebook, Google, Yahoo and PayPal, only a measly 39 of the Fortune 500 companies have implemented an enforcing DMARC policy for their domains.

That leaves 124 using it in the passive “none” monitoring mode (in other words, simply collecting reports on how receiving domains are treating their email, without asking anyone to block anything) and 337 who haven’t bothered at all.

Sectors that have got the DMARC memo are overwhelmingly in technology, finance and business services, leaving aerospace, energy and engineering with tiny levels of take-up.

But even in tech and finance, uptake is patchy, which seems odd given that these are the sectors most targeted by cybercriminals phishing and spoofing well-known domains for all sorts of bad reasons.

Things aren’t much better in London’s FTSE 100, the survey found, with two thirds of companies lacking DMARC in any form and only six using it in its full “reject” flag glory.

It should be catnip for email security teams, so what’s going wrong?

Earlier this summer, an exasperated US senator even sent an open letter to the Department of Homeland Security (DHS), asking why so many US government domains weren’t using DMARC, to everyone’s detriment.

The problem is DMARC isn’t catnip for email security teams at all – far from it.

DMARC is a way for companies using email domains to define a policy that tells other domains how to treat email claiming to be from them.

Using the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, which check the sending server’s IP address and verify a cryptographic signature respectively, DMARC gives a receiving domain guidance on what to do if an email – a phishing attempt, for instance – fails these tests.

DMARC, then, gives domain owners a way to receive detailed reports on abuse of their domains by fraudsters, which helps them protect the people they want to send emails to.
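As an added example that is not part of the original article, the following Python sketches what a receiving mail server does with the policy just described: it parses the sender domain’s DMARC record, checks whether the SPF or DKIM result aligns with the visible From domain, and then applies the record’s `p=none`, `quarantine` or `reject` disposition. The domains and records are constructed for illustration, and `org_domain` is a deliberate simplification of the Public Suffix List lookup a real implementation uses.

```python
# Constructed sample DMARC TXT records for two made-up domains.
RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value, filling defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # disposition for messages that fail
    tags.setdefault("adkim", "r")      # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")       # SPF alignment: r = relaxed, s = strict
    return tags

def org_domain(domain):
    """Simplification (assumption): last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if either authenticated identifier aligns with the From domain,
    otherwise the policy the domain owner asked for ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # A spoof of monitor.example fails both checks but only gets reported (p=none).
    print(evaluate(RECORDS["monitor.example"], "monitor.example", False, "", False, ""))
    # A subdomain SPF pass is not enough under strict alignment, so p=reject applies.
    print(evaluate(RECORDS["strict.example"], "strict.example", True, "mail.strict.example", False, ""))
```

The second case shows the operational trap the article alludes to: a legitimate sender that passes SPF from a subdomain is still rejected once `aspf=s` is set, which is why monitoring in `p=none` before moving to `reject` matters.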

Obviously, this works best when everyone does it. If not enough companies adopt DMARC then the view companies have of abuse is only ever partial.

If DMARC is like the wisdom of the crowd, it has drawbacks. For a start, it needs a lot of experience to implement without causing the sort of problems that end with email admins being told to clear their desks. Limitations in the ageing SPF protocol don’t help either.

Did we mention that DMARC can be time-consuming to administer when using external email services?

The biggest flaw of all is simply that DMARC only solves part of the problem. Even if it were universally adopted, criminals can find ways around it using a toolbox of tricks, including hijacking or using legitimate domains (which pass authentication) to send emails mocked up to look genuine. Domain abuse isn’t the only game in town.

Nobody doubts wider DMARC adoption could make a difference. The question is whether the difference is seen by companies as worth the expense and hassle. Without wanting to sound pessimistic, it’s as if some companies have lost faith in security’s grand Utopias.