DMARC’s job of demarcating: How well is it doing?

In the drive to keep the onslaught of fake e-mail communications under control, DMARC’s checks on incoming e-mail is an important weapon in the Internet police’s bag of tricks.  A core weapon of cyber felons is impersonation, which is what catches most unwitting recipients unawares.

So … how is DMARC doing?

Let’s give it a solid C or C+.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a procedure that checks on the veracity of the senders of e-mail. Nearly 80% of all inboxes – that’s almost 5.5 billion – conduct DMARC checks, and nearly 750,000 domains apply DMARC as well.

Ideally, DMARC is designed to satisfy the following requirements to ensure as few suspicious e-mails as possible make it to the inbox:

  • Minimize false positives
  • Provide robust authentication reporting
  • Assert sender policy at receivers
  • Reduce successful phishing delivery
  • Work at Internet scale
  • Minimize complexity

But the performance picture is actually rather muddy.

According to a new study by cyber-security firm Valimail, people are being served nearly 3.5 billion suspicious e-mails each day. That’s because DMARC’s success rate of ferreting out and quarantining the faux stuff runs only around 20%.  And while America has much better DMARC performance than other countries, the Unites States still accounts for nearly 40% of all suspicious e-mail that makes it through to inboxes due to the shear volume of e-mails involved.

In developing its findings, Valimail analyzed data from billions of authentication requests and nearly 20 million publicly accessible DMARC and SPF (Sender Policy Framework) records.  The Valimail findings also reveal that there’s a pretty big divergence in DMARC usage based on the type of entity. DMARC usage is highest within the U.S. federal government and large technology companies, where it exceeds 20% of penetration.  By contrast, it’s much lower in other commercial segments.

The commercial sector’s situation is mirrored in a survey of ~1,000 e-mail security and white-collar professionals conducted by GreatHorn, a cloud-native communication security platform, which found that nearly one in four respondents receive phishing or other malicious e-mails daily, and an additional ~25% receive them weekly.  These include impersonations, payload attacks, business services spoofing, wire transfer requests, W2 requests and attempts at credential theft.

The GreatHorn study contains this eyebrow-raising finding as well:  ~22% of the businesses surveyed have suffered a breach caused by malicious e-mail in the last quarter alone.  The report concludes:

“There is an alarming sense of complacency at enterprises at the same time that cybercriminals have increased the volume and sophistication of their e-mail attacks.”

Interestingly, in its study Valimail finds that the government has the highest DMARC enforcement success rate, followed by U.S. technology and healthcare firms (but those two sectors lag significantly behind). It may be one of the few examples we have of government performance outstripping private practitioners.

Either way, much work remains to be done in order to reduce faux e-mail significantly more.  We’ll have to see how things improve in the coming months and years.

No End in Sight to the Challenge of Email Deliverability

When it comes to e-mail communications in the B-to-B world, yet another study is underscoring just how challenging it is to reach corporate inboxes.

A new report by cyber-security firm FireEye, Inc. reveals that fewer than one-third of e-mails sent are actually making it into corporate inboxes. The FireEye analysis was based on tracking more than a half-billion e-mails sent between January and June of 2018.

The majority of those e-mails were deemed to be spam or malicious in their intent. Nearly 60% were blocked by threat intelligence and around 10% more were halted by attack prevention tactics such as URL inspection and attachment detonation.

E-mails were deemed suspicious because they triggered one or more of the following “red-light” cautions:

  • Malware-less impersonations
  • Malware viruses
  • Phishing attacks
  • Ransomware
  • Spyware
  • Trojan horses
  • Worms

Interestingly however, it turns out that only a small fraction of the e-mails actually had malicious intent, meaning that the super-strict filters being employed by companies are capturing a huge number of perfectly legitimate e-mail messages in their dragnet and rejecting them out of hand.

On the other hand, the FireEye analysis also determined that impersonation attacks have undergone a shift from domain name spoofing to “friendly” domain name scams – ones in which an e-mail address is manipulated to impersonate a trusted source.

As the study cautions:

“This shift in tactics may be driven by how easily cyber criminals can ‘spoof’ the display name and username potion of an e-mail header. Instead of having to go through the process of buying and registering a domain similar to – or one that sounds like – the recipient’s domain, they can simply change the display/user name.”

The FireEye analysis is a reminder that because of its sheer pervasiveness, e-mail communications are also the most popular conduit for potentially significant cyberattacks. No wonder companies have their guard up.

The problem is, clearly a whole lot of wheat is being thrown out with the chaff.  And that makes e-communications hardly the slam-dunk communications tactic that many people assume it to be.

Sometimes “permission slips” aren’t enough when it comes to e-mail deliverability.

Bounced-emails-undelivered-emailsIn case you’ve been wondering how much marketing e-mail actually reaches its intended targets, a recently released benchmark report from e-mail scoring and certification services provider Return Path has some answers. It finds that only about 75% of “permissioned” e-mails are actually making their way through.

That means one in every four e-mails are either hitting a spam or junk folder, or are being blocked by ISP-level filtering.

The report was based on analysis of data from Return Path’s Mailbox Monitor service, which tracks the delivery, filtering and blocking rates for more than 600,000 e-mail campaigns.

Interestingly, the delivery stats for business-to-business marketing e-mail aren’t much lower than for business-to-consumer e-mail. This was considered somewhat surprising because of company-level filtering systems like Postini, MessageLabs and Symantec that are installed at many large corporations. Presumably, they do a more thorough job of filtering e-correspondence.

The Return Path report also included a few cautionary notes for marketers:

 Many e-mailers believe that whatever gets deployed and doesn’t bounce must be reaching inboxes. But senders are notified only when the e-mail is a hard bounce – not if it has ended up in a spam or junk folder.

 Relying on rented e-mail files in the B-to-B world can be dangerous, as those files can be riddled with spam traps. Commercial entities are always on the search for new prospects and leads … but merging a good in-house list with a few of these bad boy rental lists can result in compromising the entire database.

 In the consumer sector, many marketers aren’t paying close enough attention to inbox placement rates. For example, data about Gmail shows that while many marketers are ostensibly achieving a 90%+ deliverability rate, fewer than one in five of those emails are actually being directed to the “priority” inboxes within Gmail as designated by the recipients. And you can bet that precious few of the other ~80% are getting any sort of attention at all from consumers.

More details about the Return Path report can be found here – well-worth checking out.