Most email authentication implementations fail
Most of the world’s largest businesses fail at attempts to use open industry standards to control which email is sent using their names. Three quarters of large businesses attempting implementation of the DMARC email authentication standard are not presently capable of using it to block unauthorized email, to the detriment of their own security, compliance, and brand protection.
ValiMail performed a wide-ranging examination of email authentication policies for more than one million business domain names, including those for the S&P 500, Fortune 1000, NASDAQ 100, and FTSE 100. These policies are published using a specific syntax in DNS records so that receiving mailboxes can determine which messages are authorized and which are not.
“Our investigation showed that using email authentication to monitor and control unauthorized email is extremely difficult for the majority of global companies,” said ValiMail CEO Alexander García-Tobar. “You might expect larger businesses with more resources to do a better job of governing the email going out under their names, but we found that most of them still miss the mark.”
The study revealed that large enterprises are considerably more likely to attempt email authentication but that their success rate at managing and enforcing these complex open standards is nearly identical to far smaller, less-capitalized companies.
Email authentication is a foundational element in controlling how a company’s identity is used online and protecting it from misuse. Problems stemming from unauthorized email include shadow IT services inside the enterprise, brand damage from phishing, and the advanced attacks responsible for the vast majority of today’s major security breaches.
Study highlights include:
- Among companies attempting to implement email authentication, nearly 75% have not gotten all the way to enforcement.
- The percentage of sites attempting email authentication varies directly with size. The NASDAQ 100 leads the way, with 43% attempting authentication; the smaller the company, the less likely it is to attempt it.
- However, the likelihood of failure is remarkably consistent across all measured groups, regardless of size. The failure rate ranges from 62% to 80%, with most indexes clustering right around 75%.
ValiMail analyzed the Domain Name System (DNS) records for every company in the Alexa 1 Million, the Fortune 1000, the NASDAQ 100, the S&P 500, and the UK’s FTSE 100. By examining each domain’s DMARC record in DNS, ValiMail was able to determine which businesses actively authenticated emails attempting to use their domain names.
Researchers further determined which companies were performing this authentication correctly and which had failed to protect their domains. If a company fails at DMARC authentication, then unauthorized parties can use its domain names in email with impunity. That might be employees improperly sending email from cloud services, or phishing attacks that can easily lead to data breaches.
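The classification the study describes (no record, monitoring only, or enforcement) comes straight from the text of a domain's `_dmarc` TXT record. The following is an added illustration, not ValiMail's tooling, of how such a record is parsed and classified; the domain names and record strings are constructed sample data, and the categories `no_record`, `invalid`, `monitoring`, `partial` and `enforcement` are this example's own labels. It applies the rules from RFC 7489 that most often trip implementers up: `v=DMARC1` must be the first tag, `p=` is required, `pct` defaults to 100, and a domain publishing more than one DMARC record gets no policy at all.

```python
"""Classify DMARC policies from DNS TXT record text (added example, not from the article)."""
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcStatus:
    domain: str
    state: str   # no_record | invalid | monitoring | partial | enforcement
    reason: str


def parse_dmarc(txt: str) -> dict:
    """Split one DMARC TXT record into a tag dict; raise ValueError on syntax errors
    that would make a receiving mail server ignore the record (RFC 7489 sec. 6.3/6.4)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key in tags:
            raise ValueError(f"duplicate tag {key!r}")
        tags[key] = value
    # The version tag must come first and match exactly.
    if not parts or list(tags)[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct must be 0-100, got {pct!r}")
    return tags


def classify(domain: str, records: list) -> DmarcStatus:
    """Map the TXT records found at _dmarc.<domain> to a study-style category."""
    if not records:
        return DmarcStatus(domain, "no_record", "no _dmarc TXT record published")
    if len(records) > 1:
        # Receivers take no action when several DMARC records are found.
        return DmarcStatus(domain, "invalid", "multiple DMARC records; receivers ignore all of them")
    try:
        tags = parse_dmarc(records[0])
    except ValueError as err:
        return DmarcStatus(domain, "invalid", str(err))
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return DmarcStatus(domain, "monitoring", "p=none only reports, it blocks nothing")
    if pct < 100:
        return DmarcStatus(domain, "partial", f"p={policy} applied to only {pct}% of mail")
    return DmarcStatus(domain, "enforcement", f"p={policy} on 100% of mail")


def audit(records_by_domain: dict) -> list:
    return [classify(d, r) for d, r in sorted(records_by_domain.items())]


def summarize(statuses: list) -> dict:
    """Counts in the shape the article reports: of those attempting, how many enforce."""
    attempting = [s for s in statuses if s.state != "no_record"]
    enforcing = [s for s in attempting if s.state == "enforcement"]
    not_enforcing = len(attempting) - len(enforcing)
    share = round(100 * not_enforcing / len(attempting)) if attempting else 0
    return {"total": len(statuses), "attempting": len(attempting),
            "enforcement": len(enforcing), "not_enforcing_pct": share}


# Constructed sample data: what a _dmarc TXT lookup might return for each domain.
SAMPLE_RECORDS = {
    "alpha.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example"],
    "beta.example":    ["v=DMARC1; p=none; rua=mailto:dmarc@beta.example"],
    "gamma.example":   ["v=DMARC1; p=quarantine; pct=10"],
    "delta.example":   [],
    "epsilon.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "zeta.example":    ["p=reject; v=DMARC1"],
    "eta.example":     ["v=DMARC1; rua=mailto:dmarc@eta.example"],
}

if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS)
    for s in results:
        print(f"{s.domain:18} {s.state:12} {s.reason}")
    print(summarize(results))
```

Run against real domains by replacing `SAMPLE_RECORDS` with the TXT strings returned by a resolver query for `_dmarc.<domain>`; the `reason` field on each result is what an operator needs to see to understand why a domain that "has DMARC" is still not blocking anything.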
“These results illustrate the difficulty in implementing email authentication correctly,” said García-Tobar. “Though the DMARC, SPF, and DKIM standards that enable email authentication are highly effective when done right, they’re poorly understood, counterintuitive, and syntactically exacting. That leaves industry with the very high failure rate measured in our research.”