2017 Email Fraud Landscape - ValiMail

2017 Email Fraud Landscape

Email Impersonation Is Rampant — One in Five Messages Cannot Be Trusted

180 Montgomery St., 18th Floor, San Francisco, CA 94104

[email protected] www.valimail.com

Table of Contents

Executive Summary  1

Introduction: The Email Authentication Revolution  2

Email Authentication: The Big Picture  5

Category Reports

  NYSE  7
    Companies listed on the New York Stock Exchange have higher than average rates of protection against email fraud.

  NASDAQ  8
    NASDAQ-listed companies trail behind the NYSE when it comes to email fraud protection.

  London Stock Exchange  9
    U.K.-listed companies are significantly behind America, though when they do attempt DMARC, they do well.

  NASDAQ Capital Market  10
    Small-cap companies tend to have a lower rate of email authentication, unsurprisingly.

  Fortune 500  11
    Just 6 percent of the Fortune 500 is protected from email fraud, though the majority do use SPF.

  Fortune Global 500  12
    Global giants have a somewhat higher success rate when they attempt email authentication.

  Large U.S. Banks  13
    Only 10 percent of big banks are protected from email impersonation. That’s higher than average, but still too low.

  Large U.S. Health Care Companies  14
    Only 3.7 percent of big health care providers are protected from email impersonation.

  Large U.S. Tech Companies  15
    Big tech companies have a higher rate of success, but overall fraud protection is still below 10 percent.

  Cybersecurity Companies  16
    You might expect cybersecurity vendors to be ahead of the curve in email authentication. You’d be wrong.

  Crunchbase Unicorns  17
    Startups with $1 billion valuations tend to do much better than average with email authentication.

DMARC Support Among Email Receivers  18

Conclusions  19

Definitions  19

Methodology  20

Endnotes  21


Executive Summary

Email fraud is the leading weapon with which hackers infiltrate networks. It’s not just a social engineering problem: There are technical controls, known as email authentication, that can help mitigate the email fraud threat, but only a tiny percentage of domain owners are taking advantage of them.

Email authentication refers to a suite of open standards that can stop the most common and hardest-to-detect type of email fraud: Impersonation of people or companies by using their domain names. Without email authentication, fraudsters can easily impersonate any domain simply by putting it into the From field of their messages. With email authentication, such fraudulent messages get blocked by email receivers worldwide. As a result, you can be sure that the apparent sender of a message was, in fact, authorized by the owner of the domain it appears to come from.

Despite widespread support for email authentication on the receiving side, domain owners have been slow to adopt the technology. ValiMail’s analysis of the most popular 1 million global domains shows that most domain owners have not attempted to implement fraud protection through the latest and most complete form of protection, DMARC. Of those that have attempted DMARC, only 23 percent are actually achieving protection from fraud.

ValiMail attributes these shortfalls in adoption to the difficulty that domain owners have in fully implementing and maintaining DMARC and its underlying standards (SPF, DKIM), particularly in complex environments where companies use many different cloud-based email services (often without full knowledge of IT staff).

Key Findings

• One in five messages sent today is suspicious (i.e. it appears to come from a domain that has not authorized the sender).

• 0.5% of the top million domains are protected from impersonation by email authentication.

• 77% of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy.

• 15-25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.

• 76% of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if such policies exist.

• Implementing email authentication would save the average company $8.1 million per year in cybercrime costs — $16.2 billion annually across the Fortune 2000.


Introduction: The Email Authentication Revolution

Email is the Internet’s killer app, used by more than 3.7 billion people.1 That’s half of the humans on the planet, and it’s more than any social network, chat app, or collaboration tool. (Only the phone network reaches more humans.) Email remains a critical communications tool for billions of people and millions of businesses.

But when it was invented, only a few dozen researchers who knew and trusted each other used email. As a result, security was never built into the standards defining how email works on the internet. Fast forward to today: The world sends 270 billion emails every single day. Meanwhile, email has suffered from constant phishing, malware, and impersonation attacks. This openness to attack is email’s “original sin.” And it’s getting worse: Many observers have seen record levels of phishing this year.2

Yet email is now undergoing a fundamental, revolutionary transformation that will make it even more indispensable, secure, and trustable than ever. That transformation is the arrival of authentication.

What Is Email Authentication?

Email authentication is a technology used to ensure that only senders who are approved by the owner of a domain can send messages as that domain. With authentication, if you get a message from “[email protected]” you can be certain that it was sent by batman.com — or by a sender authorized by the owner of that domain.

Email authentication complements other forms of email security, such as spam filters and secure email gateways (SEGs), by providing a global, DNS-based way for domain owners to protect the use of their domain names, and, by extension, their brands. On the receiving side, it provides a valuable signal to receiving mail servers about the identity of the sender — which can curtail the most pernicious and most common types of phishing (those based on impersonating a known sender by faking their email address).3

Modern email authentication uses a trio of standards: SPF, DKIM, and DMARC. The first two have been in use since the mid-2000s, while DMARC dates from 2012. DMARC ties together the other two and adds three critical additional features:

• It ensures that the domain name(s) authenticated by SPF and DKIM match the domain name shown in the From field of the message.

• It enables domain owners to set policies that direct email receivers how to handle messages that fail authentication tests.

• It provides a mechanism for sending data from receiving servers back to domain owners, so they can tell which IP addresses are sending messages on their behalf and whether those messages are being delivered or not.
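The first two features above (identifier alignment and policy) are what turn an SPF or DKIM pass into a decision. The following is an added example, not code from the ValiMail report, showing how a DMARC-aware receiver combines the SPF and DKIM results with the From-header domain and then applies the published policy. It assumes a simplified organizational-domain rule (last two labels; real receivers use the Public Suffix List), does not model the pct= sampling tag, and uses constructed domain names (batman.com is the report’s own example; evil.example and bounce.batman.com are made up).

```python
"""Added example (not from the ValiMail report): DMARC identifier alignment
and policy disposition at a receiving mail server.

Assumptions: organizational domain = last two labels (a real receiver uses
the Public Suffix List); the pct= sampling tag is not modelled; all domain
names below are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. Strict ('s') requires an exact match;
    relaxed ('r', the default) requires the same organizational domain."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the RFC5322.From header (what the user sees)
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    spf_domain: Optional[str]   # RFC5321.MailFrom domain that SPF evaluated
    dkim_result: str            # "pass", "fail", "none"
    dkim_domain: Optional[str]  # d= tag of the verified DKIM signature


def dmarc_disposition(auth: AuthResults, policy: Dict[str, str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition).

    policy is a parsed DMARC record: p (none|quarantine|reject), optional
    aspf/adkim ('r' or 's'). DMARC passes when at least one of SPF or DKIM
    passes *and* its identifier aligns with the From domain; a pass on the
    sender's own unrelated domain does not count, which is what stops
    same-domain impersonation."""
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, policy.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, auth.from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    p = policy.get("p", "none")
    if p == "none":
        return False, "deliver"   # monitoring mode: the failure is only reported
    return False, p               # "quarantine" or "reject"


if __name__ == "__main__":
    # Impersonation: SPF and DKIM both pass, but for the sender's own
    # (constructed) domain, not for the From domain. Only alignment catches it.
    spoof = AuthResults("batman.com", "pass", "evil.example", "pass", "evil.example")
    print(dmarc_disposition(spoof, {"p": "reject"}))   # (False, 'reject')
    print(dmarc_disposition(spoof, {"p": "none"}))     # (False, 'deliver')
    # Legitimate mail via a bounce subdomain: relaxed alignment accepts it,
    # strict alignment would not.
    legit = AuthResults("batman.com", "pass", "bounce.batman.com", "none", None)
    print(dmarc_disposition(legit, {"p": "reject"}))               # (True, 'deliver')
    print(dmarc_disposition(legit, {"p": "reject", "aspf": "s"}))  # (False, 'reject')
```

The spoof case is the point of the section: without the alignment step, a receiver that only looked at SPF and DKIM results would see two passes and deliver the message, even though neither identifier has anything to do with the domain in the From header. The p=none case shows why "monitoring mode" gives no protection: the message still reaches the inbox.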


DMARC usage by both domain owners (senders) and email receivers (ISPs and webmail providers) is growing rapidly. A recent directive from the U.S. Department of Homeland Security (DHS) is likely to spur further growth, since it mandates that all U.S. federal agencies deploy DMARC records by January, 2018, and set them to an enforcement policy by October, 2018.4 On the receiving side, 76 percent of the world’s email inboxes are now covered by DMARC, meaning they will authenticate email and enforce domain owners’ policies, if the domain owners have published a DMARC record.5 On the domain owner side, DMARC usage is still relatively small, although it is growing exponentially.6

1 in 5 Emails Is Suspicious

Phishing is the primary vector, bar none, through which hackers gain access to computer systems. Phishing emails are implicated in 90 to 95 percent of cyberattacks, according to multiple sources.7 Among phishing attacks, the most common, most dangerous, and hardest to detect are those that impersonate the email identity of a known and trusted sender, accounting for between 56 and 62 percent of all business email compromise attacks, according to Proofpoint, and 37.5 percent of all inbound email threats, according to GreatHorn.8 These “same-domain” phish often use the actual email address of a trusted company, such as a bank, government agency, or service provider, targeting recipients who do business with (or work for) that company. In every case, the goal is to trick the recipient into disclosing information, clicking on a malicious link, or downloading malware.

For this report, ValiMail examined more than 127,000 DMARC aggregate reports for 12 domains (a subset of the domains we process for our customers) during the month of October. Out of more than 2.8 billion email messages we processed for this set of domains, 526 million failed DMARC authentication. Of those, we categorized virtually all as suspicious: possibly fraudulent messages from senders not authorized by the domain owners. That means almost 1 out of every 5 emails failed authentication — in other words, was potentially fraudulent. Note that the rate of suspicious emails normally varies between 1 percent and 95 percent from domain to domain and from month to month, as phishing campaigns come and go.

Email Authentication Rate (Messages Processed by ValiMail in October, 2017)
  Total messages:  2,764 million
  Passing DMARC:   2,238 million (80.9%)
  Suspicious:      527 million (19.1%)
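The figures above come from DMARC aggregate (RUA) reports, the feedback channel DMARC adds on top of SPF and DKIM. The following is an added example, not code from the ValiMail report, that reads one such report and computes the passing/suspicious split and the list of failing source IPs a domain owner would investigate. The XML is constructed to follow the RFC 7489 aggregate-report schema; the IP addresses are documentation ranges and the message counts are invented, not the report’s data.

```python
"""Added example (not from the ValiMail report): summarizing a DMARC
aggregate (RUA) report. SAMPLE_REPORT is constructed; real reports arrive
as (gzipped) XML attachments from receivers. Parse untrusted XML with
defusedxml in production; the stdlib parser is used here for portability."""

import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>6000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>2090</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.77</source_ip><count>1910</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, object]:
    """Tally messages by aligned DMARC result. In <policy_evaluated>, dkim and
    spf are the *aligned* results, so DMARC passes if either one is 'pass'."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    total = passing = suspicious = 0
    failing_by_source: Dict[str, int] = defaultdict(int)
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        total += count
        if dmarc_pass:
            passing += count
        else:
            suspicious += count
            failing_by_source[row.findtext("source_ip")] += count
    return {
        "domain": domain,
        "total": total,
        "passing": passing,
        "suspicious": suspicious,
        "suspicious_rate": suspicious / total if total else 0.0,
        # Sources to investigate, largest first: either a legitimate cloud
        # service that still needs an SPF/DKIM entry, or an impersonator.
        "suspicious_sources": sorted(failing_by_source, key=failing_by_source.get, reverse=True),
    }


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']}: {s['total']} messages, {s['suspicious_rate']:.1%} suspicious")
    print("failing sources:", s["suspicious_sources"])
```

The second record (SPF fails, DKIM passes) illustrates why DMARC only needs one aligned pass: a third-party service that signs with the domain’s DKIM key still authenticates even when its envelope sender is not in the SPF record. The third record is what the report calls suspicious, and under the published p=reject it never reached an inbox.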


Issues Slowing Adoption of Authenticated Email

One issue slowing the adoption of email authentication is the perceived difficulty and complexity of implementing DMARC. Also, setting DMARC to a policy of enforcement (which directs mail receivers to delete or mark as spam any messages failing authentication) runs the risk of false positives. Messages that should have been marked as authenticated could be rejected if the underlying SPF or DKIM records aren’t configured to whitelist their senders. This is particularly tricky in today’s cloud-centric environment, when companies utilize dozens of different cloud services, many of which send email on their behalf. Companies configuring email authentication need to make sure they know all the legitimate services that send email on their behalf, and ensure that they are authorized. As a result, IT departments get mired down in trying to create correct DMARC, SPF, and DKIM records. They often gain partial visibility into their email problem, but fail to protect themselves from email impersonators.

ValiMail has found that among the top million domains, 96.4 percent still have not published DMARC records — despite the fact that the overwhelming majority of email inboxes support it. These domains are not using a valuable, accessible tool for protecting themselves against fraud and phishing. This is the DMARC adoption gap.

Furthermore, 77 percent of domains that do publish a DMARC record do not get to enforcement — a rate comparable to what we found when we first analyzed the top million domains in November 2016.9 They leave their DMARC policies in a monitoring-only mode, and thus fail to actually lock down their email domains to stop impersonation attacks and protect their brands. This is the DMARC enforcement gap.

Closing these gaps will be key to the transformation of the email ecosystem. We already have a critical mass of email receivers that will implement and enforce DMARC policies if domain owners publish one. According to GreatHorn, companies that publish and enforce DMARC see a 77 percent reduction in email threats.10 Once we reach a critical mass of domain owners, email will move from being unauthenticated by default to being authenticated by default. Widespread use of email authentication will enable receivers to reject (or quarantine to spam folders) all email that lacks authentication. The internet will then achieve herd immunity from email impersonation — and people will be able to place renewed confidence in the contents of their inboxes.

Eliminating email impersonation threats could save the average company $8.1 million annually, based on GreatHorn’s estimate of DMARC effectiveness and Accenture’s analysis of average annual cybercrime costs.11 Across the Fortune 2000, that would amount to an annual savings of $16.2 billion.
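The false-positive risk described above is easiest to see in SPF itself. The following is an added example, not code from the ValiMail report, implementing a minimal SPF evaluator (ip4, ip6, include and all mechanisms only) and running two cases: a legitimate cloud sender that nobody added to the record, which fails under -all, and a record with too many include: hops, which exceeds the 10-DNS-lookup limit of RFC 7208 and becomes a permerror. DNS lookups are replaced by a constructed dictionary, so every domain, record and IP below is invented; mechanisms that need live DNS (a, mx, ptr, exists) are not modelled.

```python
"""Added example (not from the ValiMail report): a minimal SPF evaluator
over a constructed record set, to show the false-positive and lookup-limit
failure modes that make SPF hard to get right. No real DNS is queried."""

import ipaddress
from typing import Dict, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Stand-in for DNS TXT lookups: domain -> SPF record (constructed).
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 ~all",
}


def check_spf(ip: str, domain: str, records: Dict[str, str], lookups: int = 0) -> Tuple[str, int]:
    """Evaluate `ip` against `domain`'s SPF record. Returns (result, dns_lookups_used)."""
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # An address of the other family simply does not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], lookups
        elif name == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups
            result, lookups = check_spf(ip, arg, records, lookups)
            if result == "pass":
                return QUALIFIERS[qualifier], lookups
            if result == "temperror":
                return "temperror", lookups
            if result in ("none", "permerror"):
                return "permerror", lookups  # include of a missing record is an error
            # fail/softfail/neutral inside the include: not a match, keep going
        elif name == "all":
            return QUALIFIERS[qualifier], lookups
        else:
            raise NotImplementedError(f"mechanism needs live DNS: {term}")
    return "neutral", lookups  # no mechanism matched and no 'all' present


def chained_records(depth: int) -> Dict[str, str]:
    """Constructed chain hop0 -> hop1 -> ... -> hop<depth>, i.e. `depth` include lookups."""
    records = {f"hop{i}": f"v=spf1 include:hop{i + 1} -all" for i in range(depth)}
    records[f"hop{depth}"] = "v=spf1 ip4:10.0.0.1 -all"
    return records


if __name__ == "__main__":
    for ip in ("192.0.2.8", "198.51.100.7", "2001:db8:10::25", "203.0.113.50"):
        print(ip, check_spf(ip, "example.com", SPF_RECORDS))
    # 203.0.113.50 stands for a newly adopted SaaS mailer nobody added to the
    # record: it fails under -all, and once DMARC is at enforcement its
    # legitimate mail is rejected. That is the false-positive risk.
    print("10 includes:", check_spf("10.0.0.1", "hop0", chained_records(10)))
    print("11 includes:", check_spf("10.0.0.1", "hop0", chained_records(11)))
```

Each include: is a DNS lookup, and many cloud services publish records that themselves contain several includes, so a domain using a dozen such services can exceed the limit without any single record looking wrong. A record that returns permerror authenticates nothing, which is one way a domain ends up in the “invalid SPF” column of the tables that follow.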

Email Authentication: The Big Picture

Majestic Million

Fraud Protection Rate: 0.5%
DMARC Success Rate: 13.3%

ValiMail analyzed the DMARC and SPF status of the one million most popular domain names, as compiled by Majestic.12 We also narrowed down the “Majestic Million” into two subsets: The Majestic 100,000 and the Majestic 10,000, representing the top 10% and top 1% of domains, respectively.

Majestic Million, 100K, 10K: DMARC Enforcement (domain counts)
                              1M        100K     10K
  Protected by DMARC          4,759     1,411    498
  Valid DMARC, not enforced   17,216    4,072    1,091
  Invalid DMARC               13,850    2,588    308
  No DMARC                    964,173   91,927   8,103
(The 1M split between the two middle rows follows the percentages given in the text below; for the 100K and 10K columns it is inferred from the pattern of every other category in this report, where invalid records are the smaller group.)

Majestic Million, 100K, 10K: SPF Effectiveness (domain counts)
                 1M        100K     10K
  Valid SPF      372,698   43,721   5,923
  Invalid SPF    73,007    8,632    1,122
  No SPF         554,293   47,645   2,955


In the widest set of domain names, the Majestic Million, only 0.5 percent of domains are protected by DMARC at enforcement. This is similar to the 0.6 percent DMARC enforcement rate we found among the Alexa 1 million in our 2016 study, but the numbers aren’t directly comparable because these are different lists. (The Alexa 1 Million list is no longer available.)

Another 1.7 percent of the Majestic Million have published valid DMARC records but have left them in a monitoring-only mode, not enforcing authentication, which leaves them open to impersonation. And 1.4 percent have published DMARC records that are invalid in some way: The record doesn’t parse correctly, it specifies an invalid recipient for DMARC aggregate reports, or it contains other fatal errors preventing enforcement. This too leaves the domains vulnerable to impersonation.

Of the domains that have published DMARC records, 86.7 percent fail to get to enforcement, either through errors or by remaining at a non-enforced policy. In other words, just 13.3 percent of domains attempting DMARC succeed at getting to enforcement. Of the million top domains, 96.4 percent have not published a DMARC record at all. On the other hand, the fact that 3.6 percent have attempted DMARC is an improvement over the 2016 figures, when we found just 2.3 percent of the Alexa 1 Million had attempted DMARC authentication.

The picture is better when it comes to SPF records, although here, too, the industry has a long way to go to complete coverage: About 45 percent of the Majestic Million have published SPF records, and 37.3 percent of the overall total have valid SPF records.

Looking at the top 100,000 domains within the Majestic Million, the picture improves (as you’d expect with more popular domains, since they are likely to be run by larger, older, or more sophisticated companies). Of the Majestic 100k, 1.4 percent are at DMARC enforcement, and the DMARC failure rate drops to 82.5 percent. In the Majestic 10k (the top 1% of all domains), 5 percent of domains are at DMARC enforcement (compared with 5.3 percent of the Alexa 1 Million in 2016), while the failure rate drops to 73.7 percent.

SPF records are more ubiquitous in these smaller sets as well, although the rate of invalid SPF records remains high — an indication of how tricky it is to get SPF right. In the Majestic 100k, 43.7 percent have valid SPF records, and in the Majestic 10k, 59.2 percent do.

Majestic List   Inserted DMARC   DMARC At Enforcement   Success Rate   Overall Enforcement
1M              35,825           4,759                  13.3%          0.5%
100K            8,071            1,411                  17.5%          1.4%
10K             1,897            498                    26.3%          5.0%


NYSE

Fraud Protection Rate: 3.7%
DMARC Success Rate: 19.1%

We examined the primary domains of 1,389 companies listed on the New York Stock Exchange, using a list compiled by Dun & Bradstreet. What we found was a substantially higher rate of protection against email fraud (3.7 percent) than the average, as well as a higher rate of success in achieving fraud protection among those domains that have deployed DMARC (19.1 percent).

NYSE: DMARC Enforcement (total domains: 1,389)
  Protected by DMARC           3.7% (51)
  Valid DMARC, not enforced   13.8% (192)
  Invalid DMARC                1.7% (24)
  No DMARC                    80.8% (1,122)

This is an unsurprising result, given that the Majestic lists include thousands of domains run by smaller, less technologically-sophisticated domain owners (including nonprofits, small blogs, etc.), whereas the NYSE domains are all owned by publicly traded companies. With listing on the NYSE comes some technological savvy, it appears. However, the overall rate of email fraud protection among the NYSE remains low. To put it another way, 96.3 percent of NYSE companies can easily be impersonated by fraudsters using their domains in email messages. SPF usage in the NYSE is much higher: 76.4 percent of these domains have published SPF records, and the majority are valid records; as a result, 62.6 percent of NYSE companies have valid SPF records.

NYSE: SPF Effectiveness (total domains: 1,389)
  Valid SPF     62.6%
  Invalid SPF   13.8%
  No SPF        23.6%


NASDAQ

Fraud Protection Rate: 2.4%
DMARC Success Rate: 16.9%

The NASDAQ has long cultivated a reputation as the marketplace for nimbler, more tech-savvy companies. But when it comes to email authentication, NASDAQ lags the NYSE. We examined the primary domains for 1,689 NASDAQ-listed companies and found that just 2.4 percent are protected by valid DMARC records with enforcement policies, which is 1.3 percentage points lower than the NYSE rate.

NASDAQ: DMARC Enforcement (total domains: 1,689)
  Protected by DMARC           2.4% (41)
  Valid DMARC, not enforced    8.8% (149)
  Invalid DMARC                3.1% (52)
  No DMARC                    85.7% (1,447)

Also, NASDAQ companies that attempt DMARC have a lower success rate in achieving enforcement than the NYSE, with 16.9 percent succeeding in the NASDAQ. For SPF, 61.4 percent have valid records, while 24 percent have no SPF defined, with the remainder having published invalid SPF records. This is nearly identical to the rate among NYSE companies.

NASDAQ: SPF Effectiveness (total domains: 1,689)
  Valid SPF     61.4%
  Invalid SPF   14.6%
  No SPF        24.0%


London Stock Exchange

Fraud Protection Rate: 2.3%
DMARC Success Rate: 26.0%

ValiMail examined the primary domains for 1,682 companies listed on the London Stock Exchange. We found that these U.K.-listed companies are significantly behind their cousins on the American stock exchanges, with only 2.3 percent of the total number protected by valid DMARC records with enforcement policies.

London Stock Exchange: DMARC Enforcement (total domains: 1,682)
  Protected by DMARC           2.3% (38)
  Valid DMARC, not enforced    4.9% (82)
  Invalid DMARC                1.5% (26)
  No DMARC                    91.3% (1,536)

The low overall rate is due to the fact that a relatively small proportion of these companies have attempted DMARC at all. In fact, among LSE-listed companies that have published DMARC records, there is a somewhat higher than average success rate at getting to enforcement: 26 percent, or 7 percentage points higher than the NYSE and 9 points higher than the NASDAQ. LSE companies are also behind the curve in adopting SPF: 37 percent have not published SPF records at all, and just 54.4 percent have valid SPF records.

London Stock Exchange: SPF Effectiveness (total domains: 1,682)
  Valid SPF     54.4%
  Invalid SPF    8.6%
  No SPF        37.0%


NASDAQ Capital Market

Fraud Protection Rate: 0.9%
DMARC Success Rate: 14.3%

The NASDAQ Capital Market is a basket of small-cap companies. We analyzed the primary domains for these 650 companies. Unsurprisingly, since these companies are smaller and have fewer resources, we found this category had a very low rate of email authentication.

NASDAQ Capital Markets: DMARC Enforcement (total domains: 650)
  Protected by DMARC           0.9% (6)
  Valid DMARC, not enforced    3.8% (25)
  Invalid DMARC                1.7% (11)
  No DMARC                    93.5% (608)

Just 0.9% of small-cap companies are protected from fraud through DMARC, the lowest level of protection of any category we studied. Small-cap companies also have the lowest rate of success in DMARC deployment, with only 14.3% of those that have published DMARC records achieving protection from impersonation. This group, like most, is doing better when it comes to SPF usage: Nearly 60 percent of these companies have published valid SPF records.

NASDAQ Capital Markets: SPF Effectiveness (total domains: 650)
  Valid SPF     59.7%
  Invalid SPF   12.9%
  No SPF        27.4%


Fortune 500

Fraud Protection Rate: 6.0%
DMARC Success Rate: 17.6%

Among Fortune 500 companies, just 6 percent of the companies have protected their domains with a valid DMARC record set to a policy of enforcement (which deletes messages that fail authentication or directs them to spam folders).

Fortune 500: DMARC Enforcement (total domains: 499)
  Protected by DMARC           6.0% (30)
  Valid DMARC, not enforced   25.5% (127)
  Invalid DMARC                2.6% (13)
  No DMARC                    65.9% (329)

Somewhat surprisingly for such large and well-capitalized companies, the F500 has a low rate of success in implementing DMARC: Just 17.6 percent of companies that attempt it have achieved enforcement. This may be due to the unusual complexity of F500 IT environments, where many different subsidiaries, geographies, and departments have adopted cloud services that send email on the company’s behalf. The picture may be even more grim when taking into account the full complement of F500 companies’ domains, since most of these companies own (and use) more than one domain. However, that’s an analysis that will have to wait for a more complete list of F500 domains.

Fortune 500: SPF Effectiveness (total domains: 499)
  Valid SPF     66.3%
  Invalid SPF   14.0%
  No SPF        19.6%


Fortune Global 500

Fraud Protection Rate: 6.0%
DMARC Success Rate: 22.7%

The Fortune Global 500, also published by Fortune, is a list of the largest companies worldwide (by revenues). Its rate of protection from fraud is identical to that of the F500, at 6 percent, although these companies have a somewhat higher success rate of 22.7 percent when they do attempt authentication.

Fortune Global 500: DMARC Enforcement (total domains: 499)
  Protected by DMARC           6.0% (30)
  Valid DMARC, not enforced   18.6% (93)
  Invalid DMARC                1.8% (9)
  No DMARC                    73.6% (368)

The FG500 contains many European and Chinese companies, and it may be that adoption of DMARC by domain owners trails behind the U.S. in these regions. ValiMail has observed that ISPs in some countries were slow to support DMARC (though this has changed in China, with Tencent now providing DMARC support for all its inbound email). Where local ISPs are slow to support DMARC, there may be less pressure for nearby companies to implement it as well. As the global rate of DMARC support among email receivers continues to rise, we expect that DMARC usage among FG500 domain owners will also rise.

Fortune Global 500: SPF Effectiveness (total domains: 499)
  Valid SPF     61.5%
  Invalid SPF    7.4%
  No SPF        31.1%


Large U.S. Banks

U.S. Banks $1B+

Fraud Protection Rate: 10.1%
DMARC Success Rate: 31.8%

We used the Dun & Bradstreet database to compile a list of U.S. banks and financial institutions (excluding insurance companies) with annual revenues of $1 billion or more. We then analyzed the email authentication status of these 138 companies.

Large U.S. Banks: DMARC Enforcement (total domains: 138)
  Protected by DMARC          10.1% (14)
  Valid DMARC, not enforced   19.6% (27)
  Invalid DMARC                2.2% (3)
  No DMARC                    68.1% (94)

What we found is encouraging: Big U.S. banks have a higher rate of protection from email fraud than almost any other category we studied (apart from unicorns). More than 10 percent of banks have deployed DMARC and set it to an enforcement policy that protects them from being impersonated by email fraudsters. On the down side, only 31.8 percent of banks that have deployed DMARC records have achieved fraud protection. Increasing the effectiveness of their DMARC usage is the single most effective thing banks could do to protect themselves from email fraud. If the 27 banks in this group that have published valid DMARC records but haven’t set them to enforcement policies did nothing more than switch their DMARC policies to reject or quarantine, this alone would triple the fraud protection rate of this category, to 30 percent.

Large U.S. Banks: SPF Effectiveness (total domains: 138)
  Valid SPF     65.2%
  Invalid SPF    7.2%
  No SPF        27.5%


Large U.S. Health Care Companies

U.S. Health Care $1B+

Fraud Protection Rate: 3.7%
DMARC Success Rate: 17.0%

ValiMail’s analysis of the U.S. health care sector focused on health care providers and health insurers with annual revenues of $1 billion or more. This group of 214 companies, unlike comparable companies in finance, is far behind the curve in terms of protecting themselves against email impersonation.

Large U.S. Health Care Companies: DMARC Enforcement (total domains: 216)
  Protected by DMARC           3.7% (8)
  Valid DMARC, not enforced   17.1% (37)
  Invalid DMARC                0.9% (2)
  No DMARC                    78.2% (169)

Just 3.7 percent of large U.S. health care companies are protected from email fraud by DMARC enforcement. And of those companies that have published DMARC records, only 17 percent have succeeded at achieving enforcement. This sector also lags in its usage of SPF, a much older and more well-understood technology. Fully 36 percent of health care companies lack SPF records on their primary domains, while only about half have valid SPF records. Clearly, big health care companies have some distance to go in protecting themselves against email fraud. Too many of these companies remain vulnerable to impersonation.

Large U.S. Health Care Companies: SPF Effectiveness (total domains: 216)
  Valid SPF     51.4%
  Invalid SPF   12.0%
  No SPF        36.6%


Large U.S. Tech Companies

U.S. Tech $1B+

Fraud Protection Rate: 9.3%
DMARC Success Rate: 20.0%

Using Dun & Bradstreet, ValiMail compiled a list of 86 U.S. tech companies with $1 billion or more in revenues. Unsurprisingly, these tech-centric companies are reasonably savvy when it comes to the technology of email authentication, with a higher-than-average rate of fraud protection. Their success rate at implementing DMARC is also higher than average, at 20 percent.

U.S. Tech Giants: DMARC Enforcement (total domains: 86)
  Protected by DMARC           9.3% (8)
  Valid DMARC, not enforced   32.6% (28)
  Invalid DMARC                4.7% (4)
  No DMARC                    53.5% (46)

However, that leaves a pretty large slice (32.6 percent) that have valid DMARC records but have not reached enforcement. These companies are well ahead of the curve in implementing SPF. Only 11.6 percent of these tech giants have no SPF record at all. However, a surprisingly large proportion — 18.6 percent — have invalid SPF records. This may reflect the complexity of their tech environments. Or it may be that their employees are more likely to deploy “shadow IT” cloud services, making it hard for IT managers to configure and maintain SPF records that authorize every legitimate sender.

U.S. Tech Giants: SPF Effectiveness (total domains: 86)
  Valid SPF     69.8%
  Invalid SPF   18.6%
  No SPF        11.6%


Cybersecurity Companies

BVP Cyber Index

Fraud Protection Rate: 3.8%
DMARC Success Rate: 7.7%

In previous research, we found the email authentication status of cybersecurity companies wasn’t pretty.13 To check the state of the industry today, we used the Cyber Index created by Bessemer Venture Partners.14 It’s a list of 27 publicly traded cybersecurity companies, of which 26 have actively used domain names.

Cybersecurity Companies: DMARC Enforcement (total domains: 26)
  Protected by DMARC           3.8% (1)
  Valid DMARC, not enforced   42.3% (11)
  Invalid DMARC                3.8% (1)
  No DMARC                    50.0% (13)

The results are stark. Just one company in the whole list has a valid DMARC record with a policy of enforcement, and that’s Splunk. Of the 12 companies that have published DMARC records, one is invalid, and the rest are valid but in monitoring mode. These companies fare better with SPF usage, with 77 percent having valid SPF records in DNS. Only one company has not published an SPF record, but another five have SPF records that are not valid. At the risk of over-generalizing from a small data set, it appears that cybersecurity leaders are not doing particularly well in protecting themselves against email fraud through DMARC.

Cybersecurity Companies: SPF Effectiveness (total domains: 26)
  Valid SPF     76.9%
  Invalid SPF   19.2%
  No SPF         3.8%


Crunchbase Unicorns

Unicorns

Fraud Protection Rate: 12.4%
DMARC Success Rate: 39.8%

We examined the domains of all 267 “unicorns” on the Crunchbase Unicorn List, a compilation of privately-held startups with valuations of at least $1 billion.15 Not surprisingly for this set of young and tech-forward companies, 10.4% of unicorns are protected from email fraud by DMARC, the highest rate of any category we studied.

Crunchbase Unicorns: DMARC Enforcement (total domains: 267)
  Protected by DMARC          12.4% (33)
  Valid DMARC, not enforced   15.0% (40)
  Invalid DMARC                3.7% (10)
  No DMARC                    68.9% (184)

Unicorns also lead with a 39.5% fraud protection success rate among those that have deployed DMARC. And SPF is widely deployed and well-understood among unicorns, with about 66 percent having valid SPF records, and just 17 percent lacking SPF altogether. It’s tempting to attribute these high success rates to the tech savviness of unicorns. Another plausible explanation: Because these companies are younger, they have simpler IT infrastructures, with fewer services that send email on their behalf, making the process of configuring and maintaining SPF and DMARC that much easier.

Crunchbase Unicorns: SPF Effectiveness (total domains: 267)
  Valid SPF     65.9%
  Invalid SPF   17.2%
  No SPF        16.9%


DMARC Support Among Email Receivers

Email authentication policies published by domain owners would be worthless if email receivers did not check for such policies and enforce them when they exist. To make an analogy, it would be like a credit card authorization network that lacked point-of-sale terminals. Unless merchants check the authenticity of credit cards by swiping them (or inserting them into chip readers), such a network would be useless in stopping the fraudulent use of credit cards. So too with email: For DMARC to work, email receivers need to check the authenticity of inbound messages by looking for DMARC records published by the domain that each message appears to come from.

Fortunately, the vast majority of email receivers worldwide already do this. Research published by ValiMail in October, 2017 found that 76 percent of the world’s email inboxes — 4.8 billion inboxes in all — are hosted by ISPs and mail providers that enforce DMARC policies if they exist.16 This is a sharp rise from 2015, when just 2.7 billion inboxes (62 percent) were covered by DMARC support.

The list of email account providers supporting DMARC enforcement now includes 100% of the major American email providers, plus most of the major global players: Gmail, Oath, Microsoft, Comcast, AT&T, Tencent, Netease, Mail.ru, British Telecom, Virgin Media, and Italia Online. DMARC support lags in a few countries, such as Germany and Japan. However, the overall picture is clear: The vast majority of ISPs around the world will enforce email authentication for those domains that have published a DMARC record and set it to enforcement.

Chart: DMARC Support Among ISPs (Worldwide), inboxes in billions. 2015: 2.7 support enforcement, 1.6 do not. 2017: 4.8 support enforcement (76%), 1.5 do not.


Conclusions

DMARC deployment is growing, but too many large companies have yet to deploy it. The high incidence of invalid SPF and DMARC records among those who deploy them indicates ongoing challenges in getting these records configured and maintained. What’s more, among those companies that do publish DMARC records, too many leave their policies in a non-enforcing state, which leaves these companies open to impersonation and fraud.

This is a serious security problem, given how pervasive same-domain phishing attacks are. These attacks, which directly impersonate the email address of a trusted sender, are the largest single vector through which cyberattacks start, causing billions of dollars in damage annually. Closing the door to email impersonation attacks is urgent.

One likely culprit for the low rate of email authentication: the complexity of modern IT environments. Most companies, particularly those that are larger, older, or have grown through acquisition, use dozens of cloud services, many of which send email to customers, employees, and partners. Ensuring that those services’ emails are properly authenticated is an ongoing challenge, particularly given the limitations of SPF.

Our findings confirm and extend results published by the Online Trust Alliance, Farsight, Agari, and others that have looked at DMARC adoption among domain owners.[17] By extending our analysis to the million most popular domains on the internet, as well as to the ISPs and email providers who receive email, we believe this is the most comprehensive picture of the DMARC ecosystem to date.

Definitions

Enforcement: We define “enforcement” as a DMARC policy of reject or quarantine. A DMARC policy set to quarantine (denoted in the record by the tag “p=quarantine”) directs receiving mailboxes to place messages failing authentication into spam boxes. A policy set to reject (denoted in the record by the tag “p=reject”) directs mailboxes to delete the message and therefore prevent delivery of the message entirely.

Monitoring mode: A DMARC policy of “none” (indicated by “p=none”) instructs mailboxes to deliver messages normally, even if they fail authentication. This provides no protection against fraudulent messages, but it does allow domain owners to monitor which IP addresses are sending messages on their behalf.


Methodology

ValiMail performed a wide-ranging examination of email authentication policies for more than one million domain names in October 2017. These policies are published in publicly accessible DNS records so that receiving mailboxes can determine which messages are authorized. They conform to the industry standard called DMARC (Domain-based Message Authentication, Reporting & Conformance), which is used by 4.8 billion mailboxes globally to authenticate inbound messages and to make delivery decisions based on what the domain owner’s DMARC policy specifies. We also examined these domains for DNS records published according to the Sender Policy Framework (SPF) standard. By examining these records, ValiMail was able to determine the following:

• Has the domain name owner created a DMARC record?
• Does that record follow correct syntax, so that it is valid and complete according to the standard?
• If the record is valid, does it direct mail receivers to delete or quarantine messages that fail authentication? We refer to this as a policy of enforcement.
• Has the domain owner created an SPF record?
• Is the SPF record correctly formed? This includes checking whether it follows correct syntax, as well as checking whether it exceeds the 10-domain lookup limit imposed by the SPF standard.[18]

Our 2016 report used the Alexa 1 Million, a list which is no longer available. Instead, we used the domains found in the Majestic Million (actually 999,998 domains — two entries were not valid domains). We created subsets of the Majestic Million with the top 100,000 and 10,000 domains, which we call the Majestic 100k and Majestic 10k, respectively. Sites in each of these subsets still appear in the larger Majestic lists. Some companies’ domains also appear in the Majestic lists, and may appear in more than one category list (for instance, a large, publicly traded bank listed on the NYSE would appear both on the top banks list and on the NYSE list).

DMARC and SPF records are publicly available in DNS, and if they are published, they will be used by receiving mail servers. That makes this analysis an effective and accurate way to survey the usage of these forms of email authentication across a wide set of domains. Note that it is impossible to survey DKIM usage among domains in this way, because DKIM records are only discoverable via email messages that carry specific “DKIM selectors” — there is no public access to DKIM records apart from that. (Also, the presence of a DKIM record in DNS does not necessarily mean it is being used by that domain, since senders can choose among any of the available selectors for their domain, or none at all.)
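The classification the Definitions and Methodology sections describe (DMARC absent, invalid, monitoring or enforcement; SPF absent, invalid for syntax or the 10-lookup limit, or valid), written out as a Python example added here; it is not ValiMail's tooling. In place of live DNS queries it reads from a constructed in-memory table (FAKE_DNS, using .test names) and uses a simplified SPF term grammar rather than a full RFC 7208 validator.

```python
import re
# Constructed stand-in for DNS TXT lookups; .test names, not real zones.
FAKE_DNS = {
    "example.test": "v=spf1 include:_spf.mail.test include:_spf.crm.test ip4:192.0.2.0/24 -all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mail.test": "v=spf1 a mx -all",
    "_spf.crm.test": "v=spf1 ip4:203.0.113.0/24 -all",
    # three includes of a 5-lookup tree = 15 DNS lookups, over the limit of 10
    "bloated.test": "v=spf1 include:_spf.mail.test include:_spf.mail.test include:_spf.mail.test -all",
}
# One SPF term: optional qualifier, then a mechanism or modifier (simplified RFC 7208 grammar).
SPF_TERM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(:[^/\s]+)?(/\d+)?|mx(:[^/\s]+)?(/\d+)?"
    r"|ptr(:\S+)?|ip4:\S+|ip6:\S+|exists:\S+|redirect=\S+|exp=\S+)$", re.I)
def dmarc_state(record):
    """Classify a DMARC TXT value as none / invalid / monitoring / enforcement."""
    if record is None:
        return "none"
    tags = [t.replace(" ", "").lower() for t in record.split(";") if t.strip()]
    if not tags or tags[0] != "v=dmarc1" or any("=" not in t for t in tags[1:]):
        return "invalid"
    policy = dict(t.split("=", 1) for t in tags[1:]).get("p")  # p= is required by RFC 7489
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    return "monitoring" if policy == "none" else "enforcement"
def spf_lookups(domain, dns, depth=0):
    """Count DNS-querying terms (include, a, mx, ptr, exists, redirect), following includes."""
    record = dns.get(domain)
    if record is None or depth > 10:  # a missing include target counts 0 here; real checkers flag it
        return 0
    count = 0
    for term in record.split()[1:]:  # skip the v=spf1 version term
        name = term.lstrip("+-~?").lower()
        if name.startswith(("include:", "redirect=")):
            count += 1 + spf_lookups(re.split("[:=]", name, maxsplit=1)[1], dns, depth + 1)
        elif re.split("[:/]", name)[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count
def spf_state(domain, dns):
    """Classify a domain's SPF as none / invalid (bad syntax or over 10 lookups) / valid."""
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1" or not all(SPF_TERM.match(t) for t in terms[1:]):
        return "invalid"
    return "valid" if spf_lookups(domain, dns) <= 10 else "invalid"
```

Replacing FAKE_DNS with real TXT lookups of `_dmarc.<domain>` and `<domain>` turns this into the survey loop the report describes.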


Endnotes

1. Radicati Email Statistics Report 2017-2021: https://www.radicati.com/wp/wp-content/uploads/2017/01/Email-Statistics-Report-2017-2021-Executive-Summary.pdf
2. Anti-Phishing Working Group: http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf; PhishLabs Q2 2017 Phishing Trends report: https://info.phishlabs.com/q2_2017_phishing_trends_and_-intelligence_report
3. Proofpoint Quarterly Threat Reports 2016-2017: https://www.proofpoint.com/us/quarterly-threat-summary; GreatHorn Cloud Email Security Challenge: http://info.greathorn.com/cloud-email-security-challenge
4. DHS Binding Operational Directive 18-01: https://cyber.dhs.gov/
5. Global Cyber Alliance and ValiMail: https://www.globalcyberalliance.org/76-percent-inboxes-worldwide-now-enforce-email-authentication-senders-enable.html
6. Farsight and DMARC.org: https://dmarc.org/stats/farsight/dmarc/
7. IronScales 2017 Email Security Report: https://www.infosecurity-magazine.com/news/phishing-remains-top-attack-vector/; PhishMe: https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704; Verizon: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
8. Proofpoint: https://www.proofpoint.com/us/quarterly-threat-summary; GreatHorn, “The Cloud Email Security Challenge”: http://info.greathorn.com/cloud-email-security-challenge
9. ValiMail Industry Report 2016: http://www.valimail.com/resources/product-literature
10. GreatHorn 2017 Spear Phishing Report: http://www.businesswire.com/news/home/20170131005189/en/GreatHorn%E2%80%99s-2017-Spear-Phishing-Report-Shows-91
11. Accenture 2017 Cost of Cyber Crime Study: https://www.accenture.com/us-en/insight-cost-of-cyber-crime-2017
12. Majestic Million: https://blog.majestic.com/development/majestic-million-csv-daily/
13. ValiMail, “Even Cyber Security Leaders Struggle With Email Safety”: https://blog.valimail.com/even-cyber-security-leaders-struggle-with-email-safety
14. BVP Cyber Index: https://www.bvp.com/strategy/cyber-security/index
15. Crunchbase Unicorn List: https://techcrunch.com/unicorn-leaderboard/
16. ValiMail: https://blog.valimail.com/76-percent-of-inboxes-worldwide-now-enforce-email-authentication-if-senders-enable-it
17. Online Trust Alliance: https://otalliance.org/HonorRoll; Farsight: https://dmarc.org/stats/farsight/dmarc/; Agari: https://www.agari.com/news-and-press-releases/research-fortune-500-fail-protect-customers-phishing/
18. ValiMail: https://blog.valimail.com/two-common-problems-with-spf-youre-probably-overlooking


About ValiMail

ValiMail has developed the world’s first cloud service that fully automates email authentication, giving our customers brand and fraud protection across 4.8 billion mailboxes worldwide. ValiMail enables organizations to stop phishing attacks, control shadow email, and improve the reputation of their email domain. ValiMail’s patented, standards-compliant technology provides the only zero-administration solution to enable trusted email for enterprises. Customers include Uber, Fannie Mae, Yelp, Twilio, Time Warner, Square, OpenTable, and City National Bank. Founded in 2015, ValiMail is based in San Francisco and is backed by Shasta Ventures, Flybridge Capital Partners, and Bloomberg Beta. For more information visit www.ValiMail.com.
