As a Strategic Project Manager for the Email Fraud Protection Team at Return Path, I get this question a lot: How effective is DMARC at blocking phishing attacks?
To help answer it, I thought it would be interesting to publish a brief analysis of three large global financial companies in different stages of the DMARC (Domain-based Authentication Reporting and Conformance) implementation journey.
As a reminder, there are three possible DMARC implementation stages: monitor, quarantine, and reject:
-
Monitor: If the DMARC policy is in monitor mode, the domain owner has requested no specific action be taken on mail that fails DMARC authentication and alignment.
-
Quarantine: If the DMARC policy is in quarantine mode, the domain owner has requested that mail failing the DMARC authentication checks be treated as suspicious by mail receivers (i.e. sent to the spam/junk folder and/or flagged as suspicious for the user).
-
Reject: If the DMARC policy is in reject mode, the domain owner requests that mail receivers reject the email that fails the DMARC before delivering it to the user inbox.
Meet the Companies
Company one in our analysis has successfully implemented a DMARC reject policy on all of their owned top-level domains and subdomains.
Company two has not yet implemented DMARC reject on any of their top-level domains. They have moved their non-sending (defensively registered) domain portfolio to reject, but none of their branded sending domains are protected in the same way.
Company three has implemented DMARC reject on about half of their sending domain portfolio, which includes some, but not all, of their top level domains.
The Analysis
To understand the effect DMARC has on reducing email fraud, we compiled the total number of phishing threats over a 60-day period against all company-owned domains (i.e. domain-spoofing threats) and domains not owned by the company (i.e. brand spoofing threats).
Domain spoofing threats leverage the owned domain of a brand in order to send malicious emails. Owned domains can be spoofed in the:
- Header From address (what users see in their email clients)
- Envelope From address (the technical header of the email)
Brand spoofing threats use tactics that trick customers into thinking an email is legitimate. These tactics include:
- Using a “look-alike” domain not owned by the brand (e.g., phish@c0mpany.com)
- Spoofing the brand in the subject line
- Spoofing the brand in the Display Name
The Results
Company one, whose domains were fully protected by a DMARC reject policy, had significantly less domain spoofing phishing attacks than the other two companies. Out of all the threats targeting this brand, only 20 percent were domain spoofing threats. In comparison, 93 percent of overall threats targeting company two and 87 percent of overall threats targeting company three were domain spoofing threats.
Company one’s DMARC reject policy also helped reduce the total phishing threat count as well. When looking at the overall number of email threats (both domain spoofing and brand spoofing) across all three companies, company one had the lowest amount of overall threats at only ten percent of what company two had in the same time period.
DMARC Works
This brief analysis clearly shows the significant impact of moving all owned domains into DMARC reject. Doing so not only helps reduce domain spoofing threats but also can result in fewer threats spoofing the brand in other ways.
The next logical question is how can brands eliminate these threats even further. To gain insight into top tactics cybercriminals are using to bypass email authentication and best practices for fighting back, download our whitepaper, The Email Threat Intelligence Report.