back to article DMARC anti-phishing standard adoption is lagging even in big firms

Big-name companies are still leaving themselves and their customers open to phishing because they haven't implemented the DMARC message validation standard. In this year's DMARC adoption report [PDF], phishing prevention specialist Agari reckons two-thirds of the Fortune 500 are yet to implement Domain-based Message …

  1. Andrew Commons

    Email is a cess-pit

    Companies don't care about their customers and also outsource a lot of the email to them. Then you have the fact that this is MTA to MTA technology rather than down at the client level and it is now down to the customer ISP to implement it to help the customer.

    Use by companies to protect themselves is also non-trivial. Outsourcing and partnership arrangements that originate emails as if they were internal have to be dealt with...and you will find a lot of shadow technology once you embark on this path!

  2. john.jones.name

    BANKS really you send transaction records and dont protect ?

    I have to say I dont really understand why banks do not have SPF + DKIM

    it costs them nothing compared to the fines they might incur in the future

    there just is not an excuse for DKIM and SPF records not being present, DMARC is a feedback loop so I can understand lagards but really banks send out a receipts via email and can be trivially spoofed

    is paypal really the only one to have figured this out ?

    1. EnviableOne

      Re: BANKS really you send transaction records and dont protect ?

      but they havent worked out you can hack SS7 to redirect SMS and still leave this as their 2FA setting which is more worrying than not using DMARC

    2. Anonymous Coward
      Anonymous Coward

      Re: BANKS really you send transaction records and dont protect ?

      Banks need to take on board DNSSEC first, the dozy useless incompetent plonkers. (Well, I'm sorry, but I've been telling them for a decade now...) Anyway the first time my bank tries to send me a statement by email will be the last time they ever feel the need because I'll promptly close the account.

      Paypal could help everybody by not sending out mail containing HTTP links that look like they're a bunch of scammers. But I only started telling them that a couple of years ago (shortly after I started dropping anything even vaguely resembling mail from Paypal), so I'm not going to call them names. Well, except maybe 'a bunch of scammers'. And if they don't like that, all they have to do is give me back my money. With interest, of course. Lots of interest. And penalties. Huge penalties. And a public apology. Very public.

  3. Drew 11

    Perhaps if the email clients started colouring all non-DMARC emails red, the uptake would increase?

    Although since the browser authors are dragging the chain on DANE, I'd suspect this idea wouldn't fly either.

    1. dominicr

      There's a nice Thunderbird Add-on called 'DKIM Verifier' which pretty much does this.

  4. John Smith 19 Gold badge
    WTF?

    Not many people will get on a plane from Russia to try the doors of a building in Kansas City

    Because that would be stupid.

    But email....

    They can "try the doors" of every company in the Fortune 500 (and Kansas City) in 5 minutes.

    Just like every other of their Black hat buddies across the globe, until they find someone (anyone) to open their carefully crafted missive and it's "surprise" package. :-(

    CEO's bang on endlessly about their "Corporate leadership."

    Why don't they start showing some?

  5. taxman

    “Deploying a DMARC policy where p=none along with a relevant SPF record is simple, but it is only the first step......"

    Just having a DMARC record in place is a chocolate fireguard. Perhaps when writing reports like this the folk concerned really should make it clear that you also need a SPF or DKIM as well - as a minimum. But best to have both.

    And yes we all know that DMARC+SPF alone "can" break when mail servers forward mail when p=reject. Particularly when mail forwarders or loadbalancers overwrite/insert their sending IP address in the header :-(

    1. Anonymous Coward
      Anonymous Coward

      AFAIK DMARC will work properly if and only if both SPF and DKIM are properly configured. What actually DMARC does is to tell the receiving server what to do when SPF/DKIM checks fail, and how to notify you.

      Of course with p=none if SPF/DKIM are not (properly) configured messages will still be accepted. Using "quarantine" or "reject" need a fully working setup. Usually "none" is used in the beginning to monitor DMARC/SPF/DKIM are correctly configured, then "quarantine" can be used. "reject" requires very strict setups and mail policies to ensure messages are not bounced.

      Third party bulk email system will of course have issues, but that's another good thing about DMARC.

  6. Solarflare

    DMARC? Getting ahead of yourself there. It's still impossible to turn SPF on properly as so many ISPs and companies don't have proper SPF records...

    1. sitta_europea Silver badge

      "It's still impossible to turn SPF on properly as so many ISPs and companies don't have proper SPF records..."

      Bollocks.

      1. gnarlymarley

        "It's still impossible to turn SPF on properly as so many ISPs and companies don't have proper SPF records..."

        Bollocks.

        How would you help a company or ISP correct their SPF records unless SPF is turned on? Those of us who have had SPF turned on for many years must not be interacting with those ISPs or companies that you deem as broken, because of the success that we have had while using it. As a side note, (and why I would probably agree with sitta_europea) is that you can turn on SPF in test mode, which will let you still accept email from places that are not supposed to be sending it. (I call those places as scammers, and that is when it quickly was turned fully on for me.)

        SPF was never meant to block SPAM. Its only goal is to get folks using the correct envelope from instead of lying about it. (Note, the envelope from is different than the from folks usually see on emails and usually is noted a "via" in the major email providers.)

        1. Ken Moorhouse Silver badge

          Re: because of the success that we have had

          A problem I frequently see is emails suddenly not being received when a company has been emailing them on a daily basis for years on end. The sales people tend to jump to it being at the recipient end ("check your spam folder"), but when I investigate it often transpires that the sender's IT department have moved from on-premises to cloud without modifying the SPF record.

    2. Ken Moorhouse Silver badge

      Email sent from Outlook

      If you are using the MS Outlook service then you have SPF. However, my belief is that that SPF record is the same as everyone else using Outlook. So if you are an Outlook user surely there is a risk that you can spoof the email of any other Outlook user? (I would hope that Outlook checks headers for account consistency). Ok there is a traceable trail back to you, but by then the damage may have already been done. I'm not going for a Proof of Concept on this as I value not having my broadband account closed down.

      1. gnarlymarley

        Re: Email sent from Outlook

        f you are using the MS Outlook service then you have SPF.

        Last time I looked at MS Outlook, it was using SenderID (which is not SPF). If they are now using a true SPF, then cool.

        1. Ken Moorhouse Silver badge

          Re: If you are using the MS Outlook service then {potentially} you have SPF.

          When I originally posted that I forgot the word "potentially" and hoped that people would infer that. Apologies. Outlook has - as I see it when looking at SMTP logs - a daisy-chain SPF record which third-parties can harness, but can see no exclusivity built-into that arrangement. Everyone sends out using those same addresses.

          gnarlymarley: If my understanding is incomplete, I would be grateful for you to fill in the gaps!

  7. Anonymous Coward
    Boffin

    Sir Humphrey is keen.

    Gov. Depts. are pushing ahead with this as the Public Service Network which handles .gsx/.gsi email will cease to be a thing in Sep 2018 so internet carried email security needed to be improved.

  8. Anonymous Coward
    Anonymous Coward

    SPF is broken by design

    SPF creates much more problems than it solves. It might be ok for your private mail domain but it's definitely not useful in a corporate setting.

    DKIM combined with a suitable policy in DNS is in my opinion a better and worthwhile solution.

    1. gnarlymarley

      Re: SPF is broken by design

      SPF creates much more problems than it solves.

      Everything has problems if you do not know how to use it. SPF along with SRS, is flawless if used "correctly". I have been running SPF and SRS for over six years now and have never seen any issues. SPF took me about a day to get correctly. SRS took me about few months to figure out. With "both of them" working, I have not had any issues. I am still trying to get my head around DMARC. Had I have started with DKIM like you did, it is possible that I might have taken your attitude. From what I have been able to gather DMARC uses both DKIM and SPF, so if you do not publish a SPF record, it is still using it.

  9. Yes Me Silver badge
    Devil

    DMARC is evil

    DMARC should have been strangled at birth. Like most miracle cures, it doesn't work (except in the narrow sense of CYA for major providers like Yahoo) and it breaks stuff (such as most mailing list setups). Enterprise users should avoid DMARC like the plague, and definitely never honour a DMARC p=reject policy. Even p=quarantine will consign valid email to the spam folder.

    1. dominicr

      Re: DMARC is evil

      Not ture - an enforced DMARC policy (p=reject or p=quarantine) combined with DKIM is very effective. Email relaying does not break it. The only serious real-world problem for DMARC is mailing lists - IMO the fault lies with them not with DMARC. ARC is a work-in-progress solution for this. I'm amazed that more people aren't concerned that emails from their domains are being faked all round the world all the time, because they don't bother with an enforced DMARC policy.

  10. Anonymous Coward
    Anonymous Coward

    When almost all major providers can't get some basics right, what hope is there for the rest.

    Accept mail but not deliver it reliably - that makes you part of the problem. Most major providers do this, but there really is no excuse for not doing things properly and that means DO NOT ACCEPT A MESSAGE THAT YOU AREN'T GOING TO DELIVER - and that means doing all your checks, policy application, virus & malware scans BEFORE you send that "OK, I've got that message" response at the end. It isn't hard to do this right.

    After that, THEN start trying to fix the other stuff - most of which comes under the category of "we don't care how much hassle we cause others, we're big enough to tell them to ****-off".

    The servers I run are reliable. Except under exceptional circumstances they will either deliver the message, or they won't accept it (the latter causing a bounceback for legitimate mail so the sender KNOWS that it wasn't delivered). Of course, having got this all working very nicely, my employer has decided to get rid of all of us who know this stuff (and maintain it) and push people to Office "we don't reliably deliver mail" 365.

  11. batfastad

    SPF

    "It's still impossible to turn SPF on properly as so many ISPs and companies don't have proper SPF records..."

    The problem I found was the reverse. Big ISPs mis-configuring their relay clusters to forward instead of relay/re-envelope. At one time if you had a strict SPF, noone forwarding their mail to @btinternet.com or @yahoo.com and countless more would receive mail from you because they were (still are?) trying to spoof your source domain, which you were stopping with your strict SPF.

    I still run my own e-mail but have moved on from running corporate e-mail several years ago, because f*ck th*t.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like