92% of brands fail email security test
The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust and empower users, announced the results of its 2014 Email Integrity Audit report, including its Email Trust Scorecard. Out of nearly 800 top consumer websites evaluated, OTA found only 8.3 percent of consumer facing web sites passed and thus 91.7 percent failed.
The overwhelming majority of businesses and government agencies are not following adequate steps to help ensure consumers and business partners can discern if emails coming from their domain are genuine or forged. The Scorecard measures the adoption of three critical email security protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
“When organizations implement specific email security protocols, the results are increased consumer protection from receiving malicious and fraudulent email, strengthened brand reputation, and enhanced deliverability of legitimate email,” said OTA Executive Director and President Craig Spiezle. “Despite the obvious benefits, the majority of organizations have yet to adopt practices comprehensively,
putting consumers and their brands at risk.”
The scorecard found emails purportedly to be from social media companies to be most trustworthy and federal agencies to be least, with all sectors failing significantly to adopt email security best practices. Specifically, the percentage of companies passing the OTA Email Trust Scorecard broke down as follows:
- 28 percent of the top 50 social media companies
- 17 percent of the top 100 financial services companies
- 14 percent of the top 100 Internet retail companies
- 6 percent of the top 50 news companies
- 6 percent of the top 500 Internet retailers
- 4 percent of the top 50 U.S. government agencies.
By utilizing email authentication, organizations can help protect their brands and consumers from receiving forged email. Both DKIM and SPF are email authentication protocols designed to detect email spoofing by providing a mechanism to allow receiving mail servers to confirm the authenticity of the email.
Building on SPF and DKIM protocols, DMARC adds a policy assertion providing receiving networks (ISPs and corporate networks) direction on how to handle messages that may fail authentication. Equally as important, DMARC provides a reporting mechanism back to the brand/domain owner.
“Over 400 million Microsoft users worldwide are realizing the benefits of SPF, DKIM and DMARC. As email threats and spear phishing grow, every business should make email authentication a priority to help protect their consumers, their employees and their brands,” said John Scarrow, General Manager Safety Services, Microsoft Corporation.