The Greatest Challenge that DMARC Adoption Faces is That Many Do Not Know That it Exists
It takes a communal effort to improve security. Technology standards are the foundation of secure and interoperable systems, but they are often overlooked and rarely get much fanfare. For example, it took years of public discourse before companies switched to secure HTTP. Once it happened, companies like Facebook and Twitter were praised for making the move to encrypt their traffic. Now it is expected for digital brands and Web services to offer HTTPS. DMARC is now reaching this terminal velocity.
DMARC, the Domain-based Message Authentication, Reporting & Conformance standard, is offered by email service providers to prevent phishing and spam related to domain name spoofing, while simultaneously providing greater visibility into email ecosystems.
In October 2017, the Department of Homeland Security (DHS) issued the Binding Operational Directive 18-01, which required all federal agencies to implement DMARC within 90 days. Subsequently, the National Health Information Sharing and Analysis Center (NH-ISAC) called upon its members to pledge they would implement DMARC in 2018.
DMARC addresses spoofed emails. An analogy of email spoofing is a criminal sending consumers real-looking credit card statements in the same type of envelopes the credit card companies use — with the important difference that there is absolutely no cost associated with spoofing an email.
DMARC is an email authentication standard designed to eliminate phishing and other types of attack that use spoofing to misrepresent an email sender identity. DMARC emerged from a pilot program between PayPal and Yahoo! Before DMARC, there were already two email authentication standards, “Sender Policy Framework” (SPF) and “Domain Keys Identified Mail” (DKIM). SPF uses DNS to authenticate the envelope sender, but cannot authenticate the “From: header.” DKIM uses cryptographic keys to authenticate email.
DMARC combines both of these standards by verifying both the SPF information and the DKIM signature. Once deployed, DMARC can monitor, quarantine or reject email messages with spoofed domains, dramatically reducing phishing and spam sent appearing to come from an impersonated organization.
Email spoofing is the most common type of identity deception in volumetric and scattershot attacks, which includes traditional phishing attacks and spam. Identity deception can be used to impersonate unprotected brands for other reasons, such as distributing misinformation or email account takeover. The implication of these attacks can even impact national security.
Unfortunately, DMARC adoption has been slow in most sectors. Recent research reveals low adoption rates, showing that within the Fortune 500, 67 percent have not deployed DMARC. Within the US government, about 50 percent of agencies had not deployed DMARC ahead of the Department of Homeland Security Binding Operational Directive 18-01.
One hypothesis for this slow growth is a simple lack of awareness. Another factor may be that when DMARC was first introduced, phishing was a problem felt mainly by the financial industry, which did rapidly adopt it.
In contrast, no deployment tradition was ever established in many other sectors. In the recent years, as society as such has come to a rude awakening in terms of the understanding of its vulnerability to online attacks, many people have not yet seen the link between a vulnerability to spoofing and a risk to the organization and its members.
As organizations move to adopt DMARC, those left lagging will be the most obvious targets to attack. Perhaps the greatest challenge that DMARC adoption faces is that many do not know that it exists. In that regard, we can be grateful that the DHS has called upon the government to hasten its adoption. As a result, the NH-ISAC has called upon the healthcare industry to do the same. We may be hopeful that more organizations follow their direction.