San Francisco, California – February 18, 2015 – Since it was introduced to the public in 2012, the Domain-based Message Authentication, Reporting, & Conformance (DMARC) specification has proven its value in combating fraudulent email. Email is an essential channel of communication but to be effective, the recipient must trust that it comes from the identified sender. Combating fraudulent email requires coordination among senders, receivers, and security professionals. Working together, they have created an effective defense that helps authenticate email as being legitimate. Leading companies such as Amazon, AOL, Apple, Comcast, Facebook, Fidelity, Google, Groupon, JPMorgan Chase, Microsoft, PayPal, Twitter, and Yahoo rely on DMARC to verify the authenticity of email, while also gaining unprecedented visibility into their email flows.
DMARC: By the Numbers
“In less than three years, the DMARC standard has reshaped the email fraud landscape, disrupted longstanding phishing strategies, and forced cybercriminals to abandon preferred targets,” according to George Bilbrey, President of Return Path.
To illustrate this success, the DMARC.org collaborators have compiled the following statistics:
- 35% of messages received by large mailbox providers are from domains protected by DMARC
- 50% increase in sending domains publishing DMARC records over the course of 2014
- 200% increase in messages protected by a DMARC “reject” policy over the course of 2014
- 6 times as many sources sending DMARC reports over the course of 2014
- 7 of the top 10 US FDIC banks protect their primary domain with DMARC
DMARC: A Stable Protocol with Broad Adoption and Vendor Support
Email professionals have known for years that authentication helps to protect their customers, but with DMARC they finally have actionable information about email that uses and abuses their domains. The reporting offered by DMARC also gives visibility into legitimate email that fails to authenticate, enabling domain owners to correct those mail streams before tightening their policy. Receivers are also able to improve their email filtering systems to take advantage of the technology.
“We’re rapidly moving toward a world where all email is authenticated. Large inbox providers, like Google, track the reputation of all sending domains, and factor that in when deciding whether and how to deliver messages,” according to Google Product Manager John Rae-Grant. “Implementing a DMARC policy ensures that a sender’s reputation doesn’t drop due to the actions of spammers. With Gmail, we see a dramatic drop-off in spoofed mail whenever a domain implements a reject or quarantine DMARC policy, and a corresponding stability in the domain’s reputation. If your domain doesn’t protect itself with DMARC, you will be increasingly likely to see your messages sent directly to a spam folder or even rejected.”
Three years after its public release, DMARC is a stable protocol that is widely adopted. In 2014, many vendors introduced DMARC filtering and reporting into their products, supporting both senders and receivers. With the latest software and appliances from companies like Alt-N, Cisco, and Dell providing DMARC support, on-premises email flows are increasingly protected. Cloud-based companies such as Cloudmark, Halon Security, Office 365, and Symantec also offer DMARC solutions so that organizations of all sizes have options to significantly improve their email protection.
“Over 400 million Microsoft users worldwide, both consumer and enterprise, are realizing the benefits of authentication technologies like DMARC,” said Rudra Mitra, Partner Director of Program Management Office 365, Microsoft Corporation. “As email threats and spear phishing grow, every business should make email authentication a priority to help protect their consumers, their employees, and their brands. DMARC is an important step forward in that direction.”
“Effective use of DMARC has rapidly been adopted as the way that trusted brands keep their customers safe,” said Kevin Kennedy, VP of Product at Agari. “One customer recently stopped a large-scale CryptoLocker attack targeted to its customers just weeks after implementing a DMARC reject policy. Millions of messages stopped dead, a disaster for the brand and its customers averted.”
DMARC: Government and Industry Best Practices
In June 2014 the German Office for Information Security (BSI), the federal agency in charge of computer security for the German government, published a report titled “E-mail Security Recommendations for Internet Service Providers”. In this report the BSI stated that DMARC is one of the recommended “methods of email authentication to verify that a message actually came from the identified sender.”
Also in 2014, the UK’s HM Revenue & Customs department (HMRC) announced that they would undertake an aggressive campaign to reduce malicious email victimizing UK taxpayers by impersonating their organization. DMARC is integral to the dramatic results they have achieved, allowing for close monitoring of mail flows using their active and defensively registered domains.
“Simply put, the DMARC standard works,” said Edward Tucker, Head of Cyber Security for HMRC. “In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.”
In sectors especially hard-hit by email fraud, like banking and insurance, DMARC is quickly moving beyond a recommendation and becoming a requirement.
“Email authentication, and DMARC in particular, have demonstrated so much success in reducing phishing that the new financial services domains .BANK and .INSURANCE launching later this year will be the first of their kind to require these email controls from day one,” said Andrew Kennedy, Senior Program Manager at BITS, the technology policy division of the Financial Services Roundtable (FSR).
DMARC: Protecting Employees and Companies
Looking beyond customer protection, companies are turning to DMARC as an additional defense against attacks targeting their employees. Such attacks, known as spear phishing, are insidious attempts to trick employees into revealing sensitive information. Companies that fully authenticate their own outbound email can also enforce DMARC on incoming email, rejecting messages that claim to come from their domain (or from any other domain publishing a reject policy) but fail authentication, which lowers the risk of spear phishing that spoofs the company itself.
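The inbound check described above (and the "handled according to the domain owner's policy" behaviour described in the section on end-user transparency) comes down to a small amount of receiver-side logic: find the DMARC record for the From-header domain, test whether a passing SPF or DKIM identifier aligns with that domain under the record's alignment modes, and if nothing aligns, apply p= (or sp= for subdomains), sampled by pct=. The following Python is an added example written for this page; it is not code from DMARC.org or from any vendor named in the release. The DNS zone, the SPF/DKIM verdicts and the tiny public-suffix table are constructed for illustration (a real MTA resolves `_dmarc.<domain>` TXT records, takes verdicts from its own SPF/DKIM verifiers, and uses the full Public Suffix List).

```python
"""Receiver-side DMARC evaluation: alignment, policy selection and pct sampling.

Added example (not DMARC.org or vendor code). DNS records, verifier results and
the public-suffix table below are constructed stand-ins for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_SUFFIXES = {"com", "net", "co.uk"}   # constructed stand-in for the real PSL


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])            # unknown suffix: assume two labels


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...' into tags, filling in the RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment
    tags.setdefault("pct", "100")   # share of failing mail the policy applies to
    return tags


def lookup_policy(from_domain: str, dns: Dict[str, str]) -> Optional[Tuple[Dict[str, str], bool]]:
    """Record for the From domain, else for its organizational domain.

    Returns (tags, is_subdomain) so the caller knows whether 'sp=' applies.
    """
    from_domain = from_domain.lower()
    txt = dns.get(f"_dmarc.{from_domain}")
    if txt is not None:
        return parse_dmarc_record(txt), False
    org = organizational_domain(from_domain)
    if org != from_domain:
        txt = dns.get(f"_dmarc.{org}")
        if txt is not None:
            return parse_dmarc_record(txt), True
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str                   # domain of the RFC5322.From header
    spf_result: str                    # verifier result for MAIL FROM (or HELO)
    spf_domain: str                    # domain that SPF was evaluated against
    dkim: List[Tuple[str, str]]        # (result, d= tag) for each signature


def evaluate(res: AuthResults, dns: Dict[str, str], roll: int = 0) -> Dict[str, str]:
    """DMARC result plus the disposition the receiver should apply.

    'roll' stands in for the receiver's random 0-99 draw used to honour pct=.
    """
    found = lookup_policy(res.from_domain, dns)
    if found is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    rec, is_subdomain = found
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, rec["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, res.from_domain, rec["adkim"]) for r, d in res.dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    policy = rec.get("sp", rec["p"]) if is_subdomain else rec["p"]
    if roll >= int(rec["pct"]):        # outside the sampled share: step down one level
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return {"dmarc": "fail", "disposition": policy, "reason": "no aligned authenticated identifier"}


# Constructed DNS zone and message verdicts (not real domains or observed traffic).
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=20",
}
SAMPLES = {
    # Bulk sender using its own bounce subdomain: relaxed SPF alignment passes.
    "legit_bulk": AuthResults("example.com", "pass", "bounce.example.com", [("pass", "example.com")]),
    # Spoof: SPF passes for the attacker's own envelope domain, but nothing aligns.
    "spoof": AuthResults("example.com", "pass", "attacker.example", []),
    # Legitimate mail signed with d=mail.example.com fails because adkim=s demands an
    # exact match; this is the kind of failure aggregate reports surface before p=reject.
    "strict_dkim_trap": AuthResults("example.com", "fail", "example.com", [("pass", "mail.example.com")]),
    # Subdomain without its own record inherits sp=quarantine from the organizational domain.
    "subdomain_spoof": AuthResults("news.example.com", "fail", "attacker.example", []),
    # No record anywhere: DMARC has nothing to say.
    "unprotected": AuthResults("other.example", "fail", "attacker.example", []),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} {evaluate(sample, DNS)}")
```

The `strict_dkim_trap` case is why the reporting matters: a domain owner who moves straight to `p=reject` with `adkim=s` will reject its own mail signed from a subdomain, and the aggregate reports would have shown that stream failing under `p=none` first. The `pct=` sampling lets a receiver apply the stricter action only to a share of failing mail during a staged rollout.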
“Spoofed email attacks aren’t just a theoretical problem, but something that any organization should take very seriously,” said Dave Piscitello, ICANN VP Of Security And ICT Coordinator. “In 2014, ICANN employees were the unfortunate target of a spear phishing attack that resulted in access credentials being stolen. After analyzing the attack email, it’s clear that DMARC would have stopped the malicious email from reaching the employee’s mailbox. Now that we have published a DMARC record, we are much more secure than before and highly suggest other organizations follow suit before becoming a victim themselves.”
This kind of phishing has been identified as the likely attack vector in at least five of the most notable breaches reported in the media over the past 18 months: the Target breach of late 2013, the US Nuclear Regulatory Commission in mid-2014, the German Steel Mill in December 2014, the ICANN breach of December 2014 referenced above, and the Anthem breach announced in early February 2015.
“[DMARC] allows organizations to accelerate deployment across all of their mail streams – including the use of inbound checks – to help curb the threats to their customers and employees,” said Craig Spiezle, Executive Director and CEO of the Online Trust Alliance. “Companies owe it to their customers, employees and stock holders to adopt today.”
DMARC: Transparent to the End User
All of this protection is transparent for customers and employees because email is authenticated between the servers themselves. End users have enough to think about, and wondering whether an email in their inbox is legitimate shouldn't be one of them. When using a mailbox provider that supports DMARC, a user can rely on fraudulent email being handled according to the policy published by the owner of the domain in the message's From header. As more mailbox providers around the world support DMARC, protection continues to expand.
“One of the reasons that DMARC has been successful is that end users don’t need to do anything,” said J. Trent Adams, Sr. Internet Security Advisor at PayPal and Chair of DMARC.org. “When email is fully authenticated and verified, our customers are simply protected from spoofed email being delivered to their inboxes.”
DMARC.org (Domain-based Message Authentication, Reporting and Conformance) is an unincorporated working group made up of many of the world's leading email providers (AOL, Comcast, Google, NetEase, Outlook.com, Yahoo Mail), financial institutions and service providers (Bank of America, Fidelity Investments, JPMorgan Chase & Co., PayPal), social media properties (American Greetings, Facebook, LinkedIn) and email security solutions providers (Agari, Cloudmark, Return Path, Trusted Domain Project). The group is dedicated to reducing the threat of email phishing and to improving coordination between email providers and mail sender domain owners.