• by Ray Schultz , February 21, 2018

Web-hosting services that target small businesses are failing to provide email authentication and anti-phishing technologies, according to a report by the Federal Trade Commission.

Of 11 services studied, few offer straightforward access to those security technologies, putting SMBs at risk of email phishing scams, the FTC says.   

For example, none offer support for Domain Message Authentication Reporting And Confirmation (DMARC) as a standard feature of their services. And three out of 11 provide no means to configure DMARC.

Use of DMARC is possible with eight of the services, but SMBs have to configure it on their own -- something few have the expertise to do, the FTC says 

In addition, only one host supplies Sender Policy Framework (SPF) by default, and none support it. The remainder allow it to be independently configured. And two deliver DomainKeys identified Mail (DKIM) by default. One host does not support DKIM.

Moreover, documentation on how to implement authentication is difficult to find on hosts’ websites. Only three provide input on DMARC. 

The FTC reports that small firms are less likely than larger ones to use email authentication technologies, and that popular sites are more likely to employ DMARC.

SMBs are much more likely to employ SSL/TLS technology than email authentication. Eight sites integrate SSL/TLS  as part of their setup cost.

The research was conducted by the FTC’s Office of Technology Research and Investigation. It was prompted by a series of roundtable discussions held by the FTC last year.