DMARC ADOPTION AMONG e-retailers


DMARC ADOPTION AMONG e-retailers, Q1 2018

Almost 90% of Top US and EU e-retailer Domains Fail to Protect Consumers from Phishing Attacks

Featuring Matthew Vernhout (CIPP/C), Director of Privacy, 250ok

TABLE OF CONTENTS

INTRODUCTION 3
RESEARCH OVERVIEW 5
AGGREGATED VIEW: e-retailers (US AND EU) 6
TOP US e-retailers 9
TOP EU e-retailers 12
TAKEAWAYS 15
TOP 6 RECOMMENDATIONS FOR PROTECTING RETAIL EMAIL PROGRAMS 17
APPENDIX 19
ABOUT THE AUTHOR 21
ABOUT 250ok 21

DMARC Adoption Among e-retailers, Q1 2018 2

INTRODUCTION

As consumers' preference for online product research and shopping in most merchant categories continues to grow, retailers' reliance on the email channel to provide an optimal customer experience increases. According to a 2017 survey by Campaign Monitor, that's exactly the way consumers want it. The overwhelming majority of respondents (66%) preferred retailers communicate with them by email, followed by direct mail (26%), mobile apps (25%), social media (23%), and push notifications (15%). Beyond the promotional messages retailers send to subscribers that drive engagement and revenue, the retail experience now depends on emails regarding purchase receipts, shipping information, customer service issues, password resets, and other key communications.

Keeping pace with the online retail growth are cyber attacks targeting brands and their customers. A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber attacks begin with a phishing email. Although most of today's consumers are aware of phishing attacks, two in five US consumers have fallen victim to an online phishing attack, according to a 2017 Cyber Monday phishing survey by DomainTools.

How do phishing attacks that spoof retailers impact consumer trust in their brand? A study from Cloudmark revealed that 42% of consumers are less likely to do business with a company following receipt of a suspicious message purporting to be from that brand. In a survey of French consumers, 90% of respondents stated that they either somewhat or completely distrusted emails coming from brands.

What can retailers do to protect their brand trust with consumers? Deploying a DMARC policy is the first step to protecting consumers, employees, and their brand from phishing attacks. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email-validation system designed to detect and prevent email spoofing. By identifying and suppressing malicious mail impersonating their brand, some retailers report a correlated double-digit boost in marketing email opens.

In this study, 250ok, a leader in advanced email analytics, analyzed top retail-operated domains (e.g., www.brand.com) in the United States (US) and European Union (EU) to determine the current DMARC-activation levels for top retailers. The study concludes with insights, recommendations, and the offer for all businesses to use 250ok DMARC software for free in 2018*.

*Terms and conditions apply

RESEARCH OVERVIEW

On January 9, 2018, 250ok performed an analysis of the top-level (root) domains actively operated by the top 1,000 US online retailers and top 500 EU online retailers by revenue, checking for the minimum acceptable threshold of SPF and DMARC authentication. These particular authentication standards were chosen as the minimum acceptable threshold because they require no technology changes other than publishing a DNS TXT record. This study represents a total of 1,500 retailers and the 3,033 root domains associated with those retailers.

It is worth noting that a meaningful number of retailers likely use a subdomain for some of their messaging (e.g., 250ok.com is a root domain; pages.250ok.com is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery.

While we do believe DomainKeys Identified Mail (DKIM) is a very important and highly recommended step when deploying DMARC, we purposefully avoided DKIM analysis during this study because the selector values needed to locate the DKIM DNS records for these domains were not readily available to 250ok at the time of review.

The retailer revenue data and company rankings were collected from the calendar year of 2016.

AGGREGATED VIEW: e-retailers (US AND EU)

Holistic view of email authentication

Only 11.3% of root domains reviewed had both an SPF record that is properly formatted and a base-level DMARC record of p=none or greater, the recommended minimum protocol for email programs as defined by 250ok. This result means that nearly 90% of retailer root domains are unnecessarily vulnerable to brand spoofing and phishing attacks on consumers and employees.

FIGURE 1 Authentication Breakdown by US and EU e-retailers (n=1,500 companies/3,033 domains): SPF only 56.6%; DMARC only 12.2%; both 11.3%; no authentication 19.9%.

One insight was the meaningful amount of partial work completed by retailers. Our study found 56.6% of root domains utilized SPF but failed to implement DMARC. In contrast, 12.2% of root domains had a DMARC record deployed but lacked a valid SPF record.

DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. DMARC's power is derived from the domain owner's ability to request that certain actions (none, quarantine, or reject) be applied by the recipient domain when a message fails both the SPF and the DKIM checks associated with it. Of the 3,033 root domains reviewed in this study, 84.2% had no DMARC policy in place. The most effective and strictest DMARC policy, also known as a reject policy (p=reject), was published for only 1.3% of US and EU domains. Achieving a reject policy is the October 2018 requirement for US federal agencies based on a directive from the US Department of Homeland Security, and is the same policy retailers should achieve for all of their domains.

FIGURE 2 DMARC Adoption by US and EU e-retailers (n=1,500 companies/3,033 domains): no policy 84.2%; none 12.1%; quarantine 2.3%; reject 1.3%.

SPF

Sender Policy Framework (SPF) is a key authentication technology that domain owners should be using to publish the approved sources of email for their brands. The absence of these records allows for the potential abuse of these domains, where spam, phishing, or scam emails can be sent as the retailer's domain to their subscriber base in an attempt to defraud the user or access sensitive information of the targeted user. Of the 3,033 root domains studied, 65.9% of all domains met our recommendation of a -all or ~all record, while other domains had no record (21.7%), bad formatting (6.2%), or were authenticating all messages (0.2%). Approximately 6% of domains were in testing mode.

FIGURE 3 SPF Adoption by US and EU e-retailers (n=1,500 companies/3,033 domains):
-all 28.6% (good; applying a strict SPF policy)
~all 37.3% (good; choosing to be flexible)
?all 6% (neutral; testing must be temporary)
bad format 6.2% (bad; trying but failing)
none 21.7% (worst; doing nothing meaningful)
+all 0.2% (worst; doing nothing meaningful)

*See Appendix for more about SPF and DMARC policy settings

TOP US e-retailers

Holistic view of email authentication

For US-focused retailers, only 11.2% of root domains reviewed had both an SPF record that is properly formatted and a base-level DMARC record of p=none or greater.

FIGURE 4 Authentication Breakdown by US e-retailers (n=1,000 companies/2,017 domains): SPF only 57.4%; DMARC only 12.3%; both 11.2%; no authentication 19.1%.

DMARC

From a DMARC perspective, US-focused retailers' use of DMARC did not vary much from their counterparts across the Atlantic Ocean: no policy (84.1%), None policy (12.4%), Quarantine policy (2.2%), and Reject policy (1.2%).

FIGURE 5 DMARC Adoption by US e-retailers (n=1,000 companies/2,017 domains): no policy 84.1%; none 12.4%; quarantine 2.2%; reject 1.2%.

SPF

Of the 2,017 root domains studied for US retailers, 64.9% met our recommendation of a -all or ~all record, while other domains had no record (19.1%), bad formatting (9.1%), or were authenticating all messages (0.1%). Approximately 6.8% of domains were in testing mode.

FIGURE 6 SPF Adoption by US e-retailers (n=1,000 companies/2,017 domains):
-all 27.9% (good; applying a strict SPF policy)
~all 37% (good; choosing to be flexible)
?all 6.8% (neutral; testing must be temporary)
bad format 9.1% (bad; trying but failing)
none 19.1% (worst; doing nothing meaningful)
+all 0.1% (worst; doing nothing meaningful)

Notables:
- 9.1% of the domains surveyed failed SPF validation for having more than 10 DNS lookups, the maximum number allowed in a domain's record
- 3.8% of domains continued to utilize the deprecated ptr mechanism in their records
- 2.3% of domains had poor formatting in their SPF records, which could cause authentication issues and false positives
- 19.1% of the domains surveyed had no record; even domains that do not send mail should have a record like v=spf1 -all
- 6.8% of domains used a ?all record, indicating a neutral policy
- 0.1% of published records used +all, which is similar to not having a record at all

*See Appendix for more about SPF and DMARC policy settings

TOP EU e-retailers

Holistic view of email authentication

For EU retailers, 11.4% of root domains reviewed had both an SPF record that is properly formatted and a base-level DMARC record of p=none or greater.

FIGURE 7 Authentication Breakdown by EU e-retailers (n=500 companies/1,016 domains): SPF only 55%; DMARC only 12%; both 11.4%; no authentication 21.6%.

DMARC

EU-focused retailers' use of DMARC fell within one percentage point of US retailers when it came to no policy (84.4%), None policy (11.5%), Quarantine policy (2.5%), and Reject policy (1.6%).

FIGURE 8 DMARC Adoption by EU e-retailers (n=500 companies/1,016 domains): no policy 84.4%; none 11.5%; quarantine 2.5%; reject 1.6%.

SPF

Of the 1,016 root domains studied for EU retailers, 63.4% met our recommendation of a -all or ~all record, while other domains had no record (25.3%), bad formatting (6.8%), or were authenticating all messages (0.3%). Approximately 4.2% of domains were in testing mode. More than a quarter of top EU retailer root domains had no SPF record in place.

FIGURE 9 SPF Adoption by EU e-retailers (n=500 companies/1,016 domains):
-all 28% (good; applying a strict SPF policy)
~all 35.4% (good; choosing to be flexible)
?all 4.2% (neutral; testing must be temporary)
bad format 6.8% (bad; trying but failing)
none 25.3% (worst; doing nothing meaningful)
+all 0.3% (worst; doing nothing meaningful)

Notables:
- 6.8% of the domains surveyed failed SPF validation for having more than 10 DNS lookups, the maximum number allowed in a domain's record
- 5.3% of domains continue to utilize the deprecated ptr mechanism in their records
- 25.3% of the domains surveyed had no record; even domains that do not send mail should have a record like v=spf1 -all
- 4.2% of domains used a ?all record, indicating a neutral policy
- 0.3% of published records used +all, which is similar to not having a record at all

*See Appendix for more about SPF and DMARC policy settings

TAKEAWAYS

250ok's January 2018 study of top e-retailers in the US and EU revealed that the majority of brands are currently using some level of email authentication on their domains; however, too many are not consistent in their approach across all of the domains they control. Only 11.2% of top US retailer and 11.4% of top EU retailer domains meet our recommended minimum protocol for the email channel. By failing to publish basic authentication records like SPF and a DMARC record (p=none) for all of the domains they operate, retailers are blind to the potential abuse of their brands' domain names and leave themselves and consumers unnecessarily exposed to phishing attacks that damage brand trust.

Examples of email authentication challenges among top retailers:
- One of the largest online retailers in the world published SPF records for all 26 of their domains, but published DMARC records for only 12 of their 26 domestic and international brand domains.
- A large online gift retailer operating 20 branded domains only utilizes DMARC for eight of them, and only five of their domains published SPF records. Additionally, only three of their domains published both SPF and DMARC records, which is the recommended approach.
- A well-known pharmaceutical retailer published SPF for all seven of its domains but failed to publish DMARC records for any domain.

- An office supply retailer had one domain with 46 DNS lookups in its SPF record, a collection of includes for various vendors and third-party tools; this can be addressed by giving those resources their own subdomains to send from.
- An EU sports apparel retailer had 74 DNS lookups in their SPF records, which is more than seven times the allowable amount. The broken SPF record was also invalid due to an include lookup for a domain that no longer exists.

TOP 6 RECOMMENDATIONS FOR PROTECTING RETAIL EMAIL PROGRAMS

Properly setting up email authentication and deploying a DMARC policy on all actively operated domains are mandatory tasks for e-retailers that want to protect their brand, customers, and employees from phishing attacks, which erode brand trust.

Recommendations:

1. Implement both SPF and DKIM for all domains; however, if DKIM is further out on your roadmap, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all.

2. Publish a DMARC record for all domains, whether you send mail from them or not. Deploying a DMARC None policy (p=none) is a perfectly fine starting point. It's a great step to get used to the DMARC data and begin the process of evaluating the length and complexity of your DMARC journey.

3. Find a DMARC software solution that will help you quickly interpret the large amounts of DMARC data that you will receive and guide you through the process of getting to a Reject policy for your domains responsibly.

4. If you do not have email authentication expertise or resources that can project-manage the process of getting to Reject for your domains, engage a consultant who can guide you through the process and expedite your timeline to achieving a Reject policy for your domains.

5. For non-sending and defensively registered domains, publish a DMARC record with a Reject policy. It is a quick win to start protecting your brand by locking down these assets that should never be sending mail.

6. Now that you are seeing reporting on all of your domains and you have expertise overseeing the project, build your DMARC plan. Responsibly move to a quarantine policy (p=quarantine) and, eventually, a reject policy (p=reject). The key here is responsibly. Different businesses will have different journeys. In many cases, top-level (root) domains have a complex ecosystem of internal systems and third parties that use the domain, which impacts the timeline for deploying a DMARC Reject policy responsibly. For example, in a recent 250ok engagement with a Fortune 500 retailer, the responsible journey was a 12-month timeline to take their critical domains from None to Reject with confidence that legitimate emails would not be negatively impacted.

In an effort to support the protection of consumers and the email programs of businesses around the world, 250ok recently announced a promotional offer for free usage of 250ok DMARC software in 2018 for all new customers that sign up before the end of February 2018*. For more information on how 250ok DMARC software and services can help you responsibly deploy DMARC on your domains, CONTACT US.

*Terms and conditions apply

APPENDIX

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC is an email-validation system designed to detect and prevent email spoofing. By deploying a DMARC policy, a domain owner can request a policy be applied to emails utilizing their branded domains. The actions associated with these policies are separated into three distinct classifications: p=none ("testing" or "no policy"), p=quarantine (requesting mail be placed in a spam or junk folder if authentication fails), and p=reject (a fail policy requesting mail not be accepted should authentication fail). Source: Wikipedia

DomainKeys Identified Mail (DKIM)

DKIM lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the author's From: field. Source: dkim.org

Email Authentication

Email authentication, or validation, is a collection of techniques aimed at equipping messages of the email transport system with verifiable information about their origin. Source: Wikipedia

Sender Policy Framework (SPF)

SPF is a simple email-validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged From addresses, so publishing and checking SPF records can be considered anti-spam techniques. Source: Wikipedia

When crafting an SPF record, the domain owner needs to decide how strict the policy will be. Besides having no record at all, here are the options:

- The most stringent of the policies, -all (Fail), requests that messages sent from networks outside of the approved records be treated as unapproved by the recipient domain.
- A ~all (Soft Fail) indicates that the domain owner is confident of their record, but there could be some external forwarding that could break the policy.
- Utilizing a ?all (Neutral Result) typically indicates that the domain is in a testing period and is asking the recipient domain to ignore the records. Domains should not stay in a ?all status for long, as the record means nothing is being done to authenticate messages.
- A +all (Pass Everything) means authenticate everything, which is a dangerous position to hold.
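Added example, not code from the 250ok report: a small Python classifier that sorts SPF and DMARC TXT records into the buckets this report uses (SPF: -all, ~all, ?all, +all, bad format, none; DMARC: no policy, none, quarantine, reject), counts DNS-querying SPF terms against the 10-lookup limit and flags the deprecated ptr mechanism called out in the US and EU "Notables", and maps each domain onto the Figure 1 categories (both, SPF only, DMARC only, no authentication). All domain names and records below are constructed samples; a real audit would fetch the TXT records from DNS and resolve every include/redirect recursively before counting lookups.

```python
# Constructed sample records (not taken from the 250ok report), keyed by root
# domain: the TXT string a resolver would return for the domain (SPF) or for
# _dmarc.<domain> (DMARC); None means the domain publishes nothing.
SAMPLE_SPF = {
    "retailer-a.example": "v=spf1 include:_spf.esp.example include:spf.crm.example -all",
    "retailer-b.example": "v=spf1 a mx ptr ~all",
    "retailer-c.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "retailer-d.example": "v=spf1 +all",
    # 11 includes: one over the RFC 7208 limit, so receivers return permerror
    "retailer-e.example": "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all",
    "retailer-f.example": None,
}
SAMPLE_DMARC = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": None,
    "retailer-d.example": "v=DMARC1; p=quarantine; pct=100",
    "retailer-e.example": "v=DMARC1; p=reject",
    "retailer-f.example": None,
}

# SPF terms that cost a DNS query (RFC 7208 section 4.6.4 allows at most 10)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def analyze_spf(record):
    """Classify one SPF TXT string into the report's SPF buckets: '-all', '~all',
    '?all', '+all', 'bad format' or 'none'. lookups counts only the terms in this
    record; a real audit must also resolve every include/redirect recursively."""
    result = {"bucket": "none", "lookups": 0, "uses_ptr": False}
    if record is None:
        return result
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result["bucket"] = "bad format"
        return result
    qualifier = None
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()
        if body == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
            continue
        mech = body.split(":")[0].split("=")[0].split("/")[0]  # e.g. include:x -> include
        result["lookups"] += mech in LOOKUP_MECHANISMS
        result["uses_ptr"] |= mech == "ptr"  # deprecated mechanism the report flags
    if result["lookups"] > MAX_LOOKUPS:
        result["bucket"] = "bad format"  # permerror: the record protects nothing
    elif qualifier is None:
        result["bucket"] = "?all"  # no 'all' term: RFC 7208 default result is Neutral
    else:
        result["bucket"] = qualifier + "all"
    return result


def dmarc_policy(record):
    """Return 'no policy', 'none', 'quarantine' or 'reject' for a _dmarc TXT string."""
    if record is None:
        return "no policy"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "no policy"  # a malformed record gives receivers nothing to apply
    return tags["p"]


def auth_bucket(spf_bucket, policy):
    """Map a domain onto the report's Figure 1 legend: both / spf / dmarc / none."""
    spf_ok = spf_bucket not in ("none", "bad format")
    dmarc_ok = policy != "no policy"
    if spf_ok and dmarc_ok:
        return "both"
    return "spf" if spf_ok else "dmarc" if dmarc_ok else "no authentication"
```

Running `auth_bucket(analyze_spf(SAMPLE_SPF[d])["bucket"], dmarc_policy(SAMPLE_DMARC[d]))` over the six sample domains reproduces the four Figure 1 categories, with retailer-e landing in "dmarc" only because its 11 includes make the SPF record a permerror.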

ABOUT THE AUTHOR

Matthew Vernhout (CIPP/C), Director of Privacy, 250ok

Matthew is the Director of Privacy at 250ok and a Certified International Privacy Professional (Canada) with more than 17 years of experience in email marketing. In addition to regularly contributing to email-related news articles, he has contributed to several benchmark publications, including The Marketer's Guide to Successful Email Delivery, The eec's Global Email Marketing Compliance Guide, and The Impact of CASL on Email Marketing, among others. Matthew is active in various associations, including serving as director at large of the Coalition Against Unsolicited Commercial Email (CAUCE), The Email Experience Council's Advocacy Subcommittee Chair and Sr. Administrator of the Email Roundtable.

ABOUT 250ok

250ok focuses on advanced email analytics, insight and deliverability technology to power a large and growing number of enterprise email programs, ranging from clients like Adobe, Marketo, and Furniture Row, who depend on 250ok to cut through big data noise and provide actionable, real-time analytics to maximize email performance. For more information, visit 250ok.com.