First Defend & Deliver DMARC Bootcamp of 2020 Comes to an End

Successful training reaches more than 1,200 registrants from 23 countries

By Shehzad Mirza

Since June 2016 the Global Cyber Alliance (GCA) has worked to accelerate the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) through advocacy, campaigns to drive deployment, and by providing a set of tools. GCA has also measured the economic impact of DMARC, which is considered the industry standard for email authentication combating email impersonation. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks; unsurprisingly, 91% of all cyberattacks begin with a phishing email.

In September 2019 GCA started the Defend & Deliver: DMARC Bootcamp as part of our continuing efforts to support and promote DMARC. The purpose of the bootcamp was to provide organizations with enough information to be able to understand DMARC and its associated parts: authentication, reporting, and conformance. In that fall bootcamp, we had more than 1,800 people register from 1,297 organizations across 55 countries. By the end of the bootcamp, 90 organizations had implemented DMARC: seven at policy “reject,” eight at policy “quarantine,” and 75 at policy “none.” We are still seeing progress on those domains. As of June 8, 2020, 183 domains from the fall participants have DMARC in place, with 126 set to policy “none,” 36 set to policy “quarantine,” and 21 set to policy “reject.”

Due to the success and positive feedback from attendees of the fall DMARC bootcamp, we decided to conduct additional bootcamps in 2020 (with some slight modifications), the first of which ran from May 6 to June 3, and the next beginning the week of September 15.

Overall, we had more than 1,200 people register from 892 organizations across 23 countries for the May bootcamp. Of the 1,200-plus registrants, we had up to 650 people attend the webinars, with the first session drawing the highest attendance, and we maintained a 60% or higher attendance rate throughout the five weeks. We recorded each session and provided additional resources, which can be found here: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/.

Before the bootcamp started, we performed a scan of domains (based on the emails of the registrants) and excluded all consumer based accounts (gmail, hotmail, yahoo, etc.). Based on our initial scans:

  • 487 domains had no DMARC policy
  • 252 domains were set to p=none, which is the “monitor only” mode for DMARC (no filtering but used for making adjustments)
  • 66 were set to p=quarantine (DMARC enforcement which puts fraudulent messages in spam/junk)
  • 76 were set to p=reject (DMARC enforcement which drops fraudulent messages)
  • 11 domains had set up a DMARC policy but had errors with the policy (see below for more details)

Throughout the five weeks, we saw organizations start to implement DMARC and make adjustments to their DMARC policy, with an average of 10 organizations implementing DMARC each week.

(Figure 1 – DMARC adoption across five weeks of the DMARC Bootcamp)

Let’s focus on the 487 domains that did not have DMARC at the start of the bootcamp, as these are the ones we look to help implement DMARC during the bootcamp. By the end of the five weeks, we saw a total of 60 organizations implement DMARC (the previous bootcamp ended with 90 domains implementing DMARC). 427 domains still did not have DMARC implemented.

(Figure 2 – DMARC implementation by organizations starting with no DMARC policy)

The breakdown of the 60 domains is as follows:

  • 50 set to p=none
  • 6 set to p=quarantine
  • 4 set to p=reject

Initially there were 11 organizations that had errors with the policy. The issue with these domains was that the p tag is located toward the end of the policy rather than having the p tag set as the second tag. In order for a DMARC policy to be recognized correctly by the receiving systems, the p tag must be the second tag in the policy.

Another 28 domains had a different kind of error. These domains have a DMARC policy that does not have reporting enabled, which is a problem especially when a majority of these domains have the DMARC policy set to “none.” The purpose of level “none” is simply to enable reporting and review the reports that are being generated; it does not do any filtering or actually enforce DMARC. The DMARC reports are what provide you with the information necessary to determine when to change your policy to “quarantine” or “reject.”  Just having a policy of “none,” with no reporting enabled, does not protect your domain or brand nor does it prevent the use of your domain in phishing campaigns.

There were also domains that had DMARC in place prior to the bootcamp. Some of these domains did change their policy levels during the bootcamp.

  • Eight domains changed their policy from “none” to “quarantine”
  • One domain change their policy from “none” to “reject”
  • Four domains change their policy from “quarantine” to “reject”
  • One doming dropped from “quarantine” to “none”

Overall, the GCA DMARC Bootcamp allowed for many organizations to implement DMARC or obtain the knowledge to get started with making a plan to implement DMARC. According to our data, 60 organizations were able to get to a policy level of “none” within five weeks. This shows that getting started is relatively easy. It is much more challenging to move to “quarantine” or “reject,” because it may take time to review the reports and make the appropriate adjustments to the authentication mechanisms used by DMARC.

To all bootcampers and non-bootcampers, even though the bootcamp has finished, it doesn’t mean that you should stop your progress. If you haven’t started, then start by implementing a policy of “none.” If you are at “none,” don’t lose your momentum! Keep moving forward, review those reports, and get to a higher enforcement level of DMARC. GCA is still here to help and provide guidance on DMARC at any level. Please do not hesitate to reach out to us by posting questions to our community forum or reaching out directly at gca-dmarc@globalcyberalliance.org.

As a reminder, you can view the recorded sessions online at: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/.

We will also be conducting another bootcamp in September, so stay tuned to the GCA website for more details if you’re interested in signing up.

The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.