By Shehzad Mirza
Since June 2016, the Global Cyber Alliance (GCA) has been working to accelerate the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) through advocacy, campaigns to drive deployment, and by providing a set of tools. GCA has also measured the economic impact of DMARC, which is considered the industry standard for email authentication combating email impersonation. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks; unsurprisingly, 91% of all cyber-attacks begin with a phishing email.
On September 9th, 2019, GCA started the DMARC Bootcamp. The purpose of the bootcamp was to provide organizations with enough information to be able to understand DMARC and the associated parts: authentication, reporting, and conformance. We broke the bootcamp into six weeks in which we started with the basics, each week getting more technical and detailed before ultimately providing guidance to the participants to reach the first DMARC policy level of “none.” However, we aimed to make sure participants had enough information to continue on with the DMARC process and ideally move to the highest DMARC policy level of “reject.”
Every step of the way, GCA assisted with resources and guidance, including a webinar or demonstration once a week. The agenda and resources can be found here: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/
Overall, we had more than 1,800 people register from 1,297 organizations across 55 countries.
(Figure 1 – DMARC Bootcamp Participation)
Out of the 1,800 plus registrants, we had 965 people attend the webinars, with the first session drawing the highest attendance.
We performed a scan of domains at the beginning of the bootcamp (based on the emails of the registrants) and excluded all consumer based accounts (gmail, hotmail, yahoo, etc.). Based on our initial scans:
- 766 organizations had no DMARC policy
- 370 organizations were set to p=none, which is the “monitor only” mode for DMARC (no filtering but used for making adjustments)
- 77 were set to p=quarantine (DMARC enforcement which puts fraudulent messages in spam/junk)
- 72 were set to p=reject (DMARC enforcement which drops fraudulent messages)
- 12 organizations had set up a DMARC policy but had errors with the policy
Throughout the six weeks, we saw organizations start to implement DMARC and make adjustments to their DMARC policy. On average, 12 to 15 organizations implemented DMARC each week.
By the end of the bootcamp we saw 90 organizations implement DMARC, with domains located across 11 countries. Seven jumped right to p=reject, eight to p=quarantine, and 75 to p=none. Initially there were 12 organizations that had errors with the policy. The main issue was that the p tag was located towards the end of the policy rather than having the p tag set as the second tag. We reached out to each organization with this information. Two organizations have made the adjustment so far. We will continue to reach out to help the remaining organizations.
Another 23 domains had a different kind of error. These were domains with a DMARC policy that did not have reporting enabled, which is a problem especially when the DMARC policy is set to “none.” The purpose of level “none” is simply to enable reporting and review the reports that are being generated; it does not do any filtering or actually enforce DMARC. The DMARC reports are what provide you with the information necessary to determine when to change your policy to “quarantine” or “reject.” Just having a policy of “none,” with no reporting enabled, does not protect your domain or brand nor does it prevent the use of your domain in phishing campaigns.
Overall, the GCA DMARC Bootcamp allowed for many organizations to implement DMARC or obtain the knowledge to get started with making a plan to implement DMARC. According to our data, 75 organizations were able to get to a policy level of “none” within one to six weeks. This shows that getting started is relatively easy. It is more challenging to move to “quarantine” or “reject,” because it may take time to review the reports and make the appropriate adjustments to the authentication mechanisms used by DMARC.
To all bootcampers and non-bootcampers, even though the bootcamp has finished, it doesn’t mean that you should stop your progress. If you haven’t started, then start by implementing a policy of “none.” If you are at “none,” don’t lose your momentum! Keep moving forward, review those reports, and get to a higher enforcement level of DMARC. GCA is still here to help and provide guidance on DMARC at any level. Please do not hesitate to reach out to us at email@example.com.