Second Defend & Deliver DMARC Bootcamp of 2020 Comes to a Close

Successful Training Reaches More Than 950 Registrants From 50 Countries


By Shehzad Mirza


Since June 2016 the Global Cyber Alliance (GCA) has been working to accelerate the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) through advocacy, campaigns to drive deployment, and by providing a set of tools. GCA has also measured the economic impact of DMARC, which is considered the industry standard for email authentication combating email impersonation. A domain that does not implement any form of DMARC policy exposes its recipients to possible phishing attacks; unsurprisingly, 91% of all cyberattacks begin with a phishing email.

In September 2019 GCA started the Defend & Deliver: DMARC Bootcamp as part of our continuing efforts to support and promote DMARC. The purpose of the bootcamp was to provide organizations with enough information to be able to understand DMARC and its associated parts: authentication, reporting, and conformance. 

Due to the success and positive feedback from attendees of the 2019 DMARC bootcamp, we decided to conduct additional bootcamps in 2020, the first of which ran from May 6th to June 3rd, and the second of which ran from September 14th to October 16th. All sessions have been recorded and are freely available here: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/, along with resources to help guide people on their DMARC journey.

For our most recent session, we had more than 950 people register from 614 organizations across 50 countries. Of the 950-plus registrants, we had up to 300 people attend the webinars.

Before the bootcamp started, we performed a scan of domains (based on the emails of the registrants) and excluded all consumer-based accounts (gmail, hotmail, yahoo, etc.). Based on our initial scans:

  • 285 domains had no DMARC policy
  • 199 domains were set to p=none, which is the “monitor only” mode for DMARC (no enforcement but used for making adjustments)
  • 55 were set to p=quarantine (DMARC enforcement which puts fraudulent messages in spam/junk)
  • 70 were set to p=reject (DMARC enforcement which drops fraudulent messages)
  • 5 domains had set up a DMARC policy but had errors with the policy (see below for more details)

Let’s focus on the 285 domains that did not have DMARC at the start of the bootcamp, as these are the ones we look to help implement DMARC during the bootcamp. By the end of the five weeks, we saw a total of 24 organizations implement DMARC (the May/June 2020 bootcamp ended with 60 domains implementing DMARC). 261 domains still did not have DMARC implemented.

Bootcamp results

Figure 1 – DMARC implementation by organizations starting with no DMARC policy

 

The breakdown of the 24 domains is as follows:

  • 20 set to p=none
  • 2 set to p=quarantine
  • 2 set to p=reject

Initially there were 5 organizations that had errors with the policy. The issue with these domains was that the p tag was located at various positions in the policy rather than being set as the second tag. In order for a DMARC policy to be recognized correctly by the receiving systems, the p tag must be the second tag in the policy.

Another 18 domains had a different kind of error. These domains have a DMARC policy that does not have reporting enabled, which is a problem especially when a majority of these domains have the DMARC policy set to “none.” The purpose of level “none” is simply to enable reporting and review the reports that are being generated; it does not do any filtering or actually enforce DMARC. The DMARC reports are what provide you with the information necessary to determine when to change your policy to “quarantine” or “reject.”  Just having a policy of “none,” with no reporting enabled, does not protect your domain or brand nor does it prevent the use of your domain in phishing campaigns.
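The two kinds of error described above (a misplaced p tag and a policy with no reporting) can be checked mechanically. The following is an added example, not GCA's scanner: the function names are hypothetical, the sample records and example.com addresses are constructed, and "reporting enabled" is assumed to mean that a `rua` or `ruf` tag is present.

```python
from collections import Counter

POLICIES = ("none", "quarantine", "reject")

def parse_tags(record):
    """Split a DMARC TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        tag, _, value = part.partition("=")
        if tag.strip():
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def classify_dmarc(record):
    """record is the TXT string, or None when the domain publishes none."""
    tags = parse_tags(record) if record else []
    # v=DMARC1 as the first tag is what identifies a DMARC record.
    if not tags or tags[0] != ("v", "DMARC1"):
        return "no-policy", []
    names = [name for name, _ in tags]
    values = dict(tags)
    findings = []
    if "p" not in names:
        return "error", ["p tag is missing"]
    if names.index("p") != 1:
        findings.append("p tag is not the second tag")
    policy = values["p"].lower()
    if policy not in POLICIES:
        findings.append("unrecognized p value")
    category = "error" if findings else "p=" + policy
    # Missing reporting is tracked as a finding, separate from placement errors.
    if not (values.get("rua") or values.get("ruf")):
        findings.append("no reporting address (rua/ruf)")
    return category, findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "a.example.com": None,
    "b.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "c.example.com": "v=DMARC1; rua=mailto:dmarc-reports@example.com; p=reject",
    "d.example.com": "v=DMARC1; p=none",
    "e.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
}

def summarize(records):
    """Count domains per category, mirroring the scan breakdown above."""
    return Counter(classify_dmarc(txt)[0] for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *classify_dmarc(txt))
    print(dict(summarize(SAMPLES)))
```
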

There were also domains that had DMARC in place prior to the bootcamp. Some of these domains did change their policy levels during the bootcamp.

  • Four domains changed their policy from “none” to “quarantine”
  • Two domains changed their policy from “none” to “reject”
  • Two domains changed their policy from “quarantine” to “reject”
  • One domain went from “reject” to removing its policy

Overall, the GCA DMARC Bootcamp allowed many organizations to implement DMARC or obtain the knowledge to get started with making a plan to implement DMARC. According to our data, 20 organizations were able to get to a policy level of “none” within five weeks. This shows that getting started is relatively easy. It is much more challenging to move to “quarantine” or “reject,” because it may take time to review the reports and make the appropriate adjustments to the authentication mechanisms used by DMARC.

To all bootcampers and non-bootcampers, even though the bootcamp has finished, it doesn’t mean that you should stop your progress. If you haven’t started, then start by implementing a policy of “none.” If you are at “none,” don’t lose your momentum! Keep moving forward, review those reports, and get to a higher enforcement level of DMARC. GCA is still here to help and provide guidance on DMARC at any level. Please do not hesitate to reach out to us by posting questions to our community forum or reaching out directly at gca-dmarc@globalcyberalliance.org.

As a reminder, you can view the recorded sessions online at: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/.

UPDATED Results for May/June 2020 bootcamp:  A scan was run on October 19, 2020 (about six months since the last week of the bootcamp).  The scan results show that 106 organizations implemented DMARC (out of 487 that started the bootcamp with no DMARC policy – 22%) – 74 at p=none, 19 at p=quarantine and 13 at p=reject. 

 

The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.