The Silly Case of Unenforced DMARC
If you have any kind of alarm in your home, like a smoke detector or burglar alarm, you probably don’t think about how it works very often. As it turns out, every alarm, to be effective, actually has to do two things: it has to sense something bad and then it has to take action. In most cases, that action is to blast a really loud signal, loud enough to wake you up from a sound sleep.
Now, imagine you had an alarm that only did one of those things. It sensed something bad and in response to that it did nothing. That wouldn’t be a very effective alarm. In fact, it would be useless, no matter how good the sensor was.
This situation sounds ridiculous. After all, nobody would install an alarm that sensed a problem and then did nothing in response. You might think that, but you’d be wrong. Companies and organizations do it every day. The alarm they install is called DMARC, and right after they install it, they turn it off.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps businesses protect their domains from being used to send phishing emails.
To oversimplify, DMARC works like this. A company that sends email sets up one or both of two possible alarms, SPF and DKIM, to establish the authenticity of the emails it sends. Then, if one of those alarms “goes off” (a message fails the check), DMARC tells the receiving mail server what to do in response. With DMARC, there are three ways to respond to an alarm:
- Monitor
- Quarantine
- Reject
Monitor is a fancy way of saying “do nothing.” Reject, on the other hand, is the alarm actually doing what it’s intended to do: stopping threatening emails from getting through.
You’ll never guess what percentage of these DMARC alarms are set to “reject”. According to the Agari Q4 2019 Email Fraud & Identity Deceptions Trends report, only 13% of Fortune 500 companies have done this. In other words, 87% of Fortune 500 companies have turned the alarm off. From the report, “Currently, only 13% of the Fortune 500 has a DMARC record set to the reject enforcement policy required to protect against phishing-based brand impersonation attacks targeting their customers, partners, and other organizations.”
Why is this important? Because “When enforcement policies are set properly, DMARC has been shown to drive phishing-based impersonations to near zero.” Zero, with the alarm on.
Nobody yet fully understands why DMARC adoption is so low, but the consequence is fully understood: if you want to protect your company from phishing emails, and you should, you had better do something about it yourself.
The best thing you can do to protect your employees from being phished is to deploy cloud-based phishing protection software. Cloud-based phishing prevention software scans emails before they hit the inbox, which means it has the opportunity to keep malicious emails out of the inbox. And if phishing emails don’t make it into the inbox, employees can’t be fooled by them.
Cloud-based phishing protection software like that from DuoCircle requires no hardware, software or maintenance. It sets up in 10 minutes, comes with 24/7 live technical support and costs only pennies per month per employee.
Until companies start turning on their DMARC alarms, you’ll have to protect yourself from phishing attacks. Stop waiting on others to keep you safe. Try DuoCircle risk free for 30 days.