• by Jess Nelson , December 6, 2016

Three-quarters of large businesses that attempt to authenticate their emails with DMARC have failed to do so correctly, according to a recent study by email security company ValiMail, leaving many of the Internet’s most popular domains vulnerable to phishing attempts.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication tool that helps safeguard brands from phishing and spoofing attempts. It’s an upgrade from the more traditional authentication technologies SPF and DKIM that were originally developed over a decade ago.

ValiMail examined the email authentication policies for more than one million business domain names, including every brand on the S&P 500, Fortune 1000, NASDAQ 100 and the UK’s FTSE 100, to determine whether brands were properly utilizing DMARC to block unauthorized email. ValiMail was able to determine which businesses were actively authenticating their emails by examining the DNS record for each domain names.

Although large companies are more likely to attempt to authenticate their emails with DMARC, enterprises seem to be experiencing challenges identical to those faced by smaller companies with fewer resources. The failure rates across all groups analyzed by ValiMail range from 62% to 80%, regardless of company size and resources. 

Without DMARC authentication, unauthorized parties can use a brand’s domain name to easily send emails, which can lead to a situation where cybercriminals are able to conduct a phishing attack that could result in a data breach, compliance issues or loss of brand trust.

“Marketers need to understand that if you’re sending emails out as your company, and a criminal then sends email as you, your brand trust will plummet,” says Alexander Garcia-Tobar, CEO at ValiMail. “You have to do this [DMARC] if you want consumers to keep reading your email.”

Ultimately, DMARC will become a whitelist of authenticated senders, said Garcia Tobar, speaking with Email Marketing Daily at the Email Insider Summit in Park City, Utah.

Garcia-Tobar says DMARC is a layered defense, adding that he has seen interest and adoption rates spike in the past year. Once a majority of companies have adopted DMARC and stifled phishing attempts, cybercriminals will be forced to abandon their practices.

In a product demo, Garcia-Tobar illustrated the speed and ease of the process, which stands in contrast to the usual method of making a change to DNS, which usually takes weeks or potentially longer.

ValiMail provides a free online tool for brands to check whether or not their domain names have been authenticated properly and are protecting the company from phishing attacks.