This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500. Original analysis for these findings was conducted by Kwan Lin.
We all know and love—or at least begrudgingly rely upon—email. It is a pillar of modern communications, but is unfortunately also highly susceptible to being leveraged as a mechanism for malicious actions, such as spoofing or phishing.
A core concern regarding email is the authenticity of the source, and in recent years, Domain-based Message Authentication, Reporting and Conformance (DMARC) has arisen as the preeminent email validation system. DMARC builds upon the foundations of two older email authentication systems, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which respectively check for mail-server authorization (“Is the sender authorized?”) and email integrity based on key signatures (“Was the content altered?”). The various components of DMARC can serve to mitigate direct threats as well as potential reputational damage, such as spoofed emails intended to mislead partners, suppliers, or customers.
A properly implemented DMARC system can identify illegitimate emails and define how they should be handled. DMARC can be configured to handle emails of suspect provenance with different degrees of severity, depending on the aggressiveness of IT administrators. The DMARC policy options include:
- `None`, where suspect emails are reported to a designated email address that serves to monitor DMARC notifications.
- `Quarantine`, where suspect emails are punted to the spam folder and a report of their receipt is delivered to the monitoring email address.
- `Reject`, where in addition to notifying the monitoring email address, suspect emails are not delivered at all.
By virtue of its efficacy in mitigating malicious messaging via email, we consider DMARC a significant risk mitigator and highly recommend its implementation. Unfortunately, while the benefits of DMARC are profound, its implementation is not global.
DMARC implementations are tracked in public Domain Name System (DNS) records. Determining whether an organization uses DMARC requires only an examination of the organization’s published DMARC record. We are able to discern the scale and types of DMARC implementations by comparing the primary, well-known domains of the Fortune 500 organizations against the corresponding DMARC records published in DNS.
These published DMARC records are intended to be highly accessible. They are the means through which email recipients determine how to validate emails using DMARC, what email address to notify when receiving emails that fail DMARC validation, and what DMARC policy to apply in handling invalid emails.
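As an added example (not code from the report or from Rapid7), the following Python parses the DMARC TXT record a domain publishes at `_dmarc.<domain>`, classifies it as one of the three policies described above (or as invalid or missing), and tallies a set of domains by policy the way the report does. The domain names and records are constructed for illustration; the `pct` and `sp` tags the summary inspects are standard DMARC tags that can quietly weaken a nominal reject policy.

```python
"""Parse and classify published DMARC records (added example, not from the report).

A DMARC record is a DNS TXT record at _dmarc.<domain>, e.g.
    v=DMARC1; p=reject; rua=mailto:dmarc@example.test
The records below are constructed samples; None stands in for a domain
that publishes no _dmarc TXT record at all.
"""
from collections import Counter
from typing import Dict, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}

SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "_dmarc.bank-example.test": "v=DMARC1; p=reject; rua=mailto:dmarc-agg@bank-example.test; "
                                "ruf=mailto:dmarc-forensic@bank-example.test",
    "_dmarc.retail-example.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@retail-example.test",
    "_dmarc.energy-example.test": "v=DMARC1; p=none; rua=mailto:dmarc@energy-example.test",
    "_dmarc.holding-example.test": "v=DMARC1; p=reject; sp=none; pct=100",
    "_dmarc.broken-example.test": "v=DMARC1; p=block",   # 'block' is not a DMARC policy
    "_dmarc.absent-example.test": None,                   # no record published
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a record into lower-cased tag -> value pairs.

    Returns {} when the record is malformed or does not begin with v=DMARC1,
    which is what makes a record 'invalid' rather than merely permissive.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}  # a tag without a value is malformed
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and read exactly DMARC1.
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        return {}
    return tags


def classify(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'none', 'quarantine' or 'reject'."""
    if record is None:
        return "missing"
    policy = parse_dmarc(record).get("p", "").lower()
    return policy if policy in VALID_POLICIES else "invalid"


def effective_policy(record: Optional[str]) -> Dict[str, object]:
    """Summarize how a receiver would actually treat a message that fails DMARC.

    'pct' (default 100) is the share of failing mail the policy applies to, and
    'sp' is the policy for subdomains (defaults to 'p'); either can make a
    published 'reject' weaker than it looks.
    """
    policy = classify(record)
    if policy in ("missing", "invalid"):
        return {"policy": policy, "subdomain_policy": None, "pct": 0,
                "report_to": None, "fully_enforced": False}
    tags = parse_dmarc(record)
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    pct = max(0, min(100, pct))
    sub = tags.get("sp", policy).lower()
    if sub not in VALID_POLICIES:
        sub = policy
    return {
        "policy": policy,
        "subdomain_policy": sub,
        "pct": pct,
        "report_to": tags.get("rua"),  # aggregate-report address for monitoring
        "fully_enforced": policy == "reject" and sub == "reject" and pct == 100,
    }


def tally(records: Dict[str, Optional[str]]) -> Counter:
    """Count domains per DMARC status, mirroring the report's per-policy totals."""
    return Counter(classify(r) for r in records.values())


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:32} {effective_policy(rec)}")
    print("totals:", dict(tally(SAMPLE_RECORDS)))
```

For a live domain the record is fetched with a TXT query for `_dmarc.<domain>` (for example `dig TXT _dmarc.example.com`); the example is kept offline so it runs without network access. The `fully_enforced` flag is the check worth adding to any inventory: a record with `p=reject` but `pct=10` or `sp=none` counts as "reject" in a simple tally while leaving most spoofed mail, or all spoofed subdomain mail, unblocked.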
Email security in the Fortune 500
How is the Fortune 500 doing with regard to DMARC implementation? Not too shabby. While the coverage is not complete, we found that 379 (approximately 76%) of the Fortune 500 had implementations of DMARC, all of which were valid.
Email security by industry
We find that in absolute terms, there are clear variations in DMARC saturation across the different industries represented in the Fortune 500. When we examine the financials industry, for example, we find that many organizations are quite aggressive in their DMARC implementation, with a reject policy in place, while a nearly equal number of organizations are configured to simply monitor. The high degree to which DMARC is present in the financials sector is unsurprising, given that financial organizations were some of the earliest adopters of DMARC.
Somewhat disheartening is that, to some extent, every other industry includes organizations with no DMARC implementation at all. For opportunistic attackers who might leverage email as a means of exploitation, no industry is categorically off-limits.
It is worth noting that while the state of DMARC across the Fortune 500 is not perfect, there has been respectable progress. From 2019 to 2020, the number of organizations within the Fortune 500 that had no valid DMARC implementations declined from 186 to 121—a difference of 65 organizations. The increased adoption of DMARC in that period corresponded with an increase of 51 DMARC records set to reject (a 75% increase), as well as an increase of 15 records set to quarantine (a 55% increase).
The number of domains that persisted from year to year with a DMARC policy of `none` (i.e., report only, but take no action) remained fairly constant. This implies that there were a sizable number of organizations that adopted a set-it-and-forget-it attitude. They probably implemented a minimum standard of DMARC at some point because it was recommended, but have since either forgotten about it or have chosen not to improve on it, neither of which are ideal.
Nonetheless, in 2020, the Fortune 500 in aggregate became notably more hardened to illegitimate emails.
Takeaways for CISOs
If DMARC has not already been implemented in your organization, take proactive measures to set it up.
Nowadays, DMARC can be thought of as a foundational fixture of email hygiene, and it broadly signals an organization’s commitment to modern information security norms. Furthermore, without a DMARC implementation an organization is potentially blind to malicious email campaigns that DMARC monitoring would otherwise surface, along with the information it provides on their scale, source, and severity.
Once the decision has been made to implement DMARC, it’s time to consider the policy implementation in a more nuanced manner. An aggressive reject policy is highly secure, but might result in legitimate emails being blocked. A more forgiving quarantine policy could strike a balance between preventing aggravation while allowing for some form of recourse. At the very minimum, a DMARC implementation of some form should be in place to monitor for illegitimate or poorly configured email traffic.
Want to learn more about the internet-facing cyber-exposure of the Fortune 500? Read our 2021 Industry Cyber-Exposure Report (ICER): Fortune 500.