Poor Rates of DMARC Adoption Help Perpetuate Email Spoofing

Analysis performed of domains used by Fortune 500 companies, U.S. government agencies, and other major organizations reveal nearly 80 percent don’t use DMARC, or Domain-based Message Authentication, Reporting & Conformance. It is a protocol that works on top of email servers that already support the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It lets email server administrators put policies in place that can detect when an incoming email is lying about its real “From:” address. It’s the best mechanism companies have at their disposal today for detecting spoofed emails that claim to come from an employee or a contractor, but in reality come from a threat actor trying to pose as a legitimate sender. However, as shown by the analysis, companies are not taking advantage of the protocol, despite the fact that DMARC has been around for years. One of the types of cyber attacks that can be facilitated through spoofing, business email compromise (BEC) scams, are well-known to the water and wastewater sector, having targeted many utilities. Admittedly, DMARC can be hard to implement. But once it’s enabled, it can help companies protect themselves against one of today’s most prevalent forms of cybercrime. Read the article at ZDNet.