• by Ray Schultz , Columnist, July 31, 2017

It should be easy to find a good email authentication service: Just go to a conference like Black Hat USA 2017 and visit an exhibit at random. Right?

Not exactly.

Out of that event last week came the news that only 18 of the 268 exhibitors have deployed Domain-based Message Authentication, Reporting & Conformance (DMARC), the anti-phishing and spoofing tool launched in 2012. This was based on research by the Global Cyber Alliance (GCA), an international group set up to fight cyber crime.    

The GCA added that 54 have begun deployment, but are at the lowest level. The result is that over 73% of the exhibitors — companies that “sell their cybersecurity products and expertise,” as the GCA puts it — have not deployed DMARC.

It was already common knowledge that the government was lagging in this area. Earlier this month, Senator Ron Wyden (D-OR) wrote to the Department of Homeland Security, demanding that that it “take immediate steps” to require all federal agencies to implement DMARC.

He noted that only a few federal agencies are using DMARC. And the IRS has put it to use in a “restrictive mode,” protecting itself but not taxpayers 

But private enterprise?

In February, the GCA examined the email domains of companies exhibiting at the RSA Conference, a large gathering of cybersecurity experts. Of 587 domains that it scanned, only 15% use DMARC.

And of the 111 firms that do use DMARC, over 70% use it in a limited way: They have chosen the DMARC policy of “none,” which monitors only for malicious email, reducing its effectiveness, according to the GCA. 

Apparently, Wyden got it wrong when he wrote that “industry standard technologies exist, and are already used throughout the private sector.”

Why is DMARC so important?

According to the GCA, companies using DMARC receive 23% of the email threats that non-users suffer.

And it’s relatively easy to implement. DMARC is supported by 85% of all consumer inboxes, including those provided by Gmail, Yahoo and Microsoft. It can be used in roughly 2.5 billion email inboxes worldwide, the GCA reports.

So there is little excuse for the widespread neglect of the technology, the GCA maintains.

“The cyber industry should lead in deployment of solutions,” states Philip Reitinger, president and CEO of GCA. “DMARC works. It reinforces trusted relationships with partners, customers and employees.” He adds, “collectively, we must focus on implementing solutions. If we lead the way, we know others will follow.”

So what should you do? Marketers should find one of the suppliers that offer it. Granted, you may to walk through a great deal of exhibit hall space.

And the vendors themselves should consult the GCA. It is offering a DMARC setup guide to help them through the process. The GCA acknowledges that putting DMARC into play can be a challenge, but it also provides videos and other training resources.

Is the GCA guilty of a little bit of hype in pushing this solution? We’d hardly say so, given the wave of spoofing attacks that have occurred.

DMARC will have to do until something better comes along.