• by Jess Nelson , June 22, 2017

A new study from the Online Trust Alliance suggests the Internet’s most popular Web sites need to strengthen their email security.

Half of the top 100 retail companies in the U.S., and a third of the top 500, lack proper email authentication and security, according to a report released Tuesday by the Online Trust Alliance (OTA).

The OTA is a non-profit organization dedicated to enhancing online trust and promoting safer and more ethical data privacy practices, and is an initiative within the Internet Society (ISOC). Every year the OTA releases an annual audit examining the security of the Internet’s most popular Web sites, releasing an “Honor Roll” of companies that are protecting consumers from data theft and hacks. The 2017 Audit encompasses over 1000 Web sites, including Internet Retailer’s Top 100 and 500 Web sites, Federal government sites, and ISPs.

Inadequate email authentication was the primary cause for the OTA giving failing security grades to Web sites, according to the report, including 55% of the top 100 most used Federal Web sites.

Email authentication can help protect brands and consumers from receiving spoofed email with malicious content. It allows senders to dictate who is allowed to send email on their behalf, and what should be done to email messages that fail authentication.

There are several layers to email authentication, but the three most popular and respected policies are SPF, DKIM, and DMARC. SPF, or Sender Policy Framework, checks to see whether the IP address sending email has received permission to do so. DKIM, or DomainKeys Identified Email, checks the content of a message and associates an email with a domain name. DMARC, or Domain-based Message Authentication, Reporting & Conformance, is built on top of SPF and DKIM and tells mailbox providers what they should do with email that is not properly authenticated.

Across every Web site analyzed by OTA, 7.6% had an invalid SPF record. SPF is the first level of email authentication, but SPF adoption actually dropped year-over-year from 79.9% to 76.6%.

DKIM and DMARC adoption, on the other hand, both increased year-over year. DKIM adoption increased from 43.6% to 55.9%, while the use of DMARC records grew from 27.4% to 34.3%. The use of DMARC quarantine records, a more strict form of DMARC that halts any invalid mail instead of just monitoring it, grew from 5.8% to 14.6% of all domain names.

The growth in email authentication adoption is a step in the right direction, but invalid records likely give companies a false sense of security. To ensure Web sites are doing the best to protect consumers, the OTA provided the following recommended steps.

OTA’s Best Practices for Email Authentication:

• Implement both SPF and DKIM for top-level domains, “parked” domains (not used for email) and any major subdomains seen on Web sites or used for email
• Optimize SPF records with no more than 10 DNS lookups
• Implement DMARC, initially in “monitor” mode to get receiver feedback and verify accuracy of email authentication, and eventually to assert a “reject” or “quarantine” policy to receivers
• Mandate the use of DMARC reporting capabilities with RUA and RUF reporting
• Implement inbound email authentication checks and DMARC on all networks to help protect against malicious email and spear phishing purporting to come from legitimate senders
• Implement opportunistic TLS to protect email in transit between mail servers
• Ensure that domains are locked to prevent domain takeovers
• Implement DNSSEC to help protect a site’s DNS infrastructure
• Deploy IPv6
• Implement Distributed Denial of Service (DDoS) mitigation technologies and processes
• Implement multi-factor authentication