DMARC’s job of demarcating: How well is it doing?

In the drive to keep the onslaught of fake e-mail communications under control, DMARC’s checks on incoming e-mail are an important weapon in the Internet police’s bag of tricks.  A core weapon of cyber felons is impersonation, which is what catches most unwitting recipients unawares.

So … how is DMARC doing?

Let’s give it a solid C or C+.

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a policy and reporting framework layered on top of SPF and DKIM: it lets a domain owner tell receiving mail systems how to handle messages that claim to come from that domain but fail those underlying authentication checks, and asks the receivers to report back what they saw. Nearly 80% of all inboxes – that’s almost 5.5 billion – conduct DMARC checks, and nearly 750,000 domains publish DMARC records as well.

Ideally, DMARC is designed to satisfy the following requirements to ensure as few suspicious e-mails as possible make it to the inbox:

  • Minimize false positives
  • Provide robust authentication reporting
  • Assert sender policy at receivers
  • Reduce successful phishing delivery
  • Work at Internet scale
  • Minimize complexity

But the performance picture is actually rather muddy.

According to a new study by cyber-security firm Valimail, people are being served nearly 3.5 billion suspicious e-mails each day. A big part of the reason is that DMARC only blocks spoofed mail when the domain owner has moved to an enforcement policy (quarantine or reject); the weakest setting, p=none, merely monitors and reports. Valimail puts the share of DMARC-publishing domains that have actually reached enforcement at only around 20%.  And while America has much better DMARC performance than other countries, the United States still accounts for nearly 40% of all suspicious e-mail that makes it through to inboxes, due to the sheer volume of e-mails involved.
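To make the enforcement point concrete, here is an added example (not code from the original post or from Valimail) of the decision a receiving mail system makes under DMARC: parse the domain’s published record, check that the SPF or DKIM identifier is aligned with the visible From: domain, and then apply the p= policy. The domain example.com, the two DMARC records and the authentication results are all constructed for the illustration; the organizational-domain logic is deliberately simplified (a real receiver uses the Public Suffix List) and pct= sampling is parsed but not applied.

```python
"""Minimal DMARC policy evaluation in the style of RFC 7489 (illustration only).

The SPF and DKIM results are assumed to have been computed already by the
receiving MTA; this code performs only the DMARC step: parse the record,
check identifier alignment, and choose a disposition.
"""
from dataclasses import dataclass

# Constructed DMARC TXT records for a hypothetical domain "example.com".
# A real receiver fetches "_dmarc.example.com" over DNS; they are embedded here.
RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced":     "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (v=DMARC1 and p= are required)")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: relaxed unless stated
    tags.setdefault("aspf", "r")    # SPF alignment mode: relaxed unless stated
    tags.setdefault("pct", "100")   # parsed for completeness; sampling not applied here
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A production implementation must consult the Public Suffix List (co.uk, etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    identifier = identifier.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str    # RFC5322.From domain, i.e. what the recipient sees
    spf_pass: bool
    spf_domain: str     # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str    # d= of a DKIM signature that verified


def evaluate(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition).

    DMARC passes when SPF passed AND is aligned, or DKIM passed AND is aligned.
    On failure the disposition is whatever p= says; p=none means the message is
    delivered anyway and only shows up in aggregate reports."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags["p"].lower()
    if policy == "none":
        return ("fail", "deliver")   # monitoring only: the spoof reaches the inbox
    return ("fail", policy)          # "quarantine" or "reject"


# Constructed spoof: the attacker's own domain passes SPF and DKIM, but the
# visible From: header claims example.com, so neither identifier aligns.
SPOOF = AuthResults("example.com", True, "attacker.example", True, "attacker.example")
# Constructed legitimate mail: bounce subdomain for SPF (relaxed alignment),
# DKIM d= equal to the From: domain (satisfies strict alignment too).
LEGIT = AuthResults("example.com", True, "bounce.example.com", True, "example.com")

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(f"{name}: spoof -> {evaluate(rec, SPOOF)}, legit -> {evaluate(rec, LEGIT)}")
```

Run as a script, the monitor-only record reports the spoof as a DMARC failure yet still delivers it, while the enforced record rejects it; the legitimate message passes under both, which is the outcome a domain owner should verify in aggregate reports before switching from p=none to quarantine or reject.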

In developing its findings, Valimail analyzed data from billions of authentication requests and nearly 20 million publicly accessible DMARC and SPF (Sender Policy Framework) records.  The Valimail findings also reveal that there’s a pretty big divergence in DMARC usage based on the type of entity. DMARC usage is highest within the U.S. federal government and large technology companies, where it exceeds 20% penetration.  By contrast, it’s much lower in other commercial segments.

The commercial sector’s situation is mirrored in a survey of ~1,000 e-mail security and white-collar professionals conducted by GreatHorn, a cloud-native communication security platform, which found that nearly one in four respondents receive phishing or other malicious e-mails daily, and an additional ~25% receive them weekly.  These include impersonations, payload attacks, business services spoofing, wire transfer requests, W2 requests and attempts at credential theft.

The GreatHorn study contains this eyebrow-raising finding as well:  ~22% of the businesses surveyed have suffered a breach caused by malicious e-mail in the last quarter alone.  The report concludes:

“There is an alarming sense of complacency at enterprises at the same time that cybercriminals have increased the volume and sophistication of their e-mail attacks.”

Interestingly, in its study Valimail finds that the government has the highest DMARC enforcement success rate, followed by U.S. technology and healthcare firms (but those two sectors lag significantly behind). It may be one of the few examples we have of government performance outstripping private practitioners.

Either way, much work remains to be done to reduce faux e-mail significantly.  We’ll have to see how things improve in the coming months and years.

Tripping the E-Mail Spam Alarm

Today, it’s more than just the “usual suspect” keywords that are landing e-mails in the junk folder.

Most of us are aware of the kinds of words that trip spam alarms and cause e-mails to be sent straight to the junk folder – or not to be delivered at all.

How about these for starters:

  • Cash
  • Congratulations
  • Discount
  • Free
  • Income
  • Make Money
  • Urgent
  • Viagra
  • $$ / $$$

But research done by MailJet, an international e-mail service provider, looked at more than 14 billion e-mail communiqués and found that a bunch of other keywords are setting off alarm bells nearly as often as terms like “Urgent” or “Viagra.”

… Especially when considering the business categories that are so active in e-mail communications — retail goods, pharmaceuticals, providers of personal services, and the like.

Some of the other terms MailJet has found to be nearly as “toxic” are these:

  • Dear Friend
  • FedEx
  • Increase Sales
  • Increase Traffic
  • Internet Marketing
  • Invoice
  • Lead Generation
  • Lose Weight
  • Marketing Solutions
  • Online Degree
  • Online Pharmacy
  • Order
  • PayPal
  • Search Engine Optimization
  • Sign Up
  • Trial Offer
  • Visa/Mastercard
  • Winning

… And there are more, of course – including various permutations of the words and phrases above.

The inevitable conclusion:  It’s becoming more difficult all the time to use the most common phrases in “subject” lines and “from” lines that’ll land your e-mail in someone’s inbox successfully.

And getting into the inbox is just the first step, of course.  The next is motivating the recipient to actually open your e-mail and engage with it, which are additional hurdles in themselves.

What words or phrases have you found to be surprisingly problematic in getting your e-mails delivered to your customers’ inboxes?  How have you dealt with it?  Please share your experiences with other readers here.