Page 42 - Cyber Defense eMagazine - November 2017
P. 42
SURVEYING ANTI-PHISHING STANDARDS – PART 2
by Marc Laliberte, Information Security Threat Analyst, WatchGuard Technologies
In our last article, we looked at three different technology standards that combat spam and
phishing attacks. If you haven’t read the first installment of this two-part series yet, check it out
now to familiarize yourself with some important terms we’ll use while exploring why these anti-
phishing standards aren’t more widely used today.
Sender Policy Framework (SPF) was an open standard created to prevent sender address
forgery in email envelope MAIL FROM headers. At around the same time, DomainKeys
Identified Mail (DKIM) was developed to authenticate approved mail servers for a domain.
Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) was a
solution crafted to tie SPF and DKIM together with added reporting functionality. All three of
these technologies are great at helping to stop common forms of phishing. So, why haven’t they
reached 100 percent adoption?
As it turns out, SPF and DKIM adoption are actually doing quite well with email senders.
According to a 2016 report by Google, 95 percent of non-spam emails received by Gmail users
came from senders with SPF records, and nearly 88 percent of non-spam emails employed
DKIM signing. DMARC, however, is still struggling to take off. A Federal Trade Commission
report earlier this year found that only a third of surveyed companies have published DMARC
records and less than 10 percent of that group have configured their DMARC records to reject
unauthenticated messages.
The good news is that DMARC adoption has been seeing modest improvements. According to
the Online Trust Alliance (OTA), adoption for both DMARC record and rejection/quarantine
grown over the past year (from 27.4 percent to 34.3 percent and from 5.8 percent to 14.6
percent, respectively), and that the Internet Retailer and Consumer categories were the lead
adopters for both. Unfortunately, organizations in the Federal and ISP categories were the
laggards for records adoption, and banks and federal groups were dragging their feet in
rejection/quarantine adoption.
So, while there have been humble increases in DMARC adoption, the rates are still low;
especially with compliance enforcement enabled. Why might this be? For one thing, it’s
common for businesses to start with a DMARC solution configured with a “none” policy while
testing, which means they don’t want recipient email servers to take any action against non-
compliant messages. Businesses might choose to do this if they use third-party mailer services
to send newsletters, since DMARC can cause these messages to be denied if misconfigured.
It’s certainly important to test policy changes in phases instead of diving right in at the risk of
breaking something critical, like your company’s ability to send email.
42 Cyber Defense eMagazine – November 2017 Edition
Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.