{"id":7242,"date":"2025-02-07T11:00:04","date_gmt":"2025-02-07T17:00:04","guid":{"rendered":"https:\/\/www.darkreading.com\/remote-workforce\/google-dmarc-push-email-security-challenges"},"modified":"2025-02-07T11:00:04","modified_gmt":"2025-02-07T17:00:04","slug":"googles-dmarc-push-pays-off-but-email-security-challenges-remain","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/07\/googles-dmarc-push-pays-off-but-email-security-challenges-remain\/","title":{"rendered":"Google&#8217;s DMARC Push Pays Off, but Email Security Challenges Remain"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt0f18d97c98b01583\/66325c9d13fe0638338afe9e\/Tapati_Rinchumrus-email-security-shutterstock.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the share of domains publishing a DMARC record has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders \u2014 defined as any company sending more than 5,000 email messages daily 
\u2014&nbsp;<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_self\" href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/google-yahoo-push-dmarc-forcing-companies-to-catch-up\">to use DMARC<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. The email authentication standard builds on two earlier specifications \u2014 Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) \u2014 to confirm that an email was sent by a server the purported sender authorized, and that the domain those checks authenticate aligns with the domain shown in the visible From: header. The technology makes it much more difficult to spoof email from a legitimate company or brand.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/blog.redsift.com\/email\/dmarc\/2-3-million-organizations-embrace-dmarc-compliance\/\">data published by cyber-resilience firm Red Sift<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on Feb 5. 
Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days \u2014&nbsp;healthcare, for example, is struggling to surpass 40% to 50% adoption,&#8221; he says, adding that &#8220;widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime.&#8221;<\/span><\/p>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" data-testid=\"content-image\" data-component=\"image\" class=\"ContentImage-Image ContentImage-Image_align_center\" data-src=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain-1.jpg\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain-1.jpg?w=640&#038;ssl=1\" loading=\"lazy\" 
alt=\"Chart: DMARC adoption timeline by number of domains\" title=\"Chart: DMARC adoption timeline by number of domains\"><\/p>\n<p class=\"ContentImage-Link\">Source: Red Sift<\/p>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/blog.google\/products\/gmail\/gmail-holidays-2024-spam-scam\/\">encountered 35% fewer scams<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, says Neil Kumaran, group product manager at Google.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;We think these improvements represent a huge boost in the health of the email ecosystem overall,&#8221; he says. 
&#8220;We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"DMARC Adoption Likely to Accelerate\">DMARC Adoption Likely to Accelerate<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Mailbox providers&#8217; sender requirements are not the only force quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union&#8217;s Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift&#8217;s Costigan says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Mandatory regulations and legislation often serve as the tipping point for most organizations,&#8221; he says. 
&#8220;Failures to do reasonable, proactive cybersecurity \u2014 of which email security and DMARC is obviously a part \u2014 are likely to meet with costly regulatory actions and the prospect of class action lawsuits.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPsec, have been around longer, but DMARC adoption has outpaced them, he maintains.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade,&#8221; Grimes says.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Subdomain Attacks Exploit Gaps\">Subdomain Attacks Exploit Gaps<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. 
Typically, attackers will just use lookalike domains \u2014 or use creative punctuation to create confusion \u2014&nbsp;and fool the end user while still sending messages from an authenticated domain.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be,&#8221; Grimes says. &#8220;Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">One technique used to dodge DMARC is &#8220;SubdoMailing,&#8221; where attackers seek out SPF records whose include directives point to domains whose registration has lapsed, register those orphaned domains themselves, and so inherit the trusting domain&#8217;s SPF authorization for massive spamming campaigns. 
In one case, an SPF record for <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">msnmarthastewartsweeps.com<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> &#8220;included&#8221; two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the &#8220;include&#8221; keyword allows one domain to declare that another domain&#8217;s list of authorized sending servers should be trusted as well, so the trust follows whoever controls the included name. For <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">msnmarthastewartsweeps.com<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, that resulted in <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/labs.guard.io\/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935\">nearly 18,000 domains being authorized to send email<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on behalf of the domain.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift&#8217;s Costigan.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" 
data-testid=\"content-text\">&#8220;SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks,&#8221; he says. &#8220;These messages appear legitimate and are incredibly deceptive.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"BIMI on Deck for Email Security\">BIMI on Deck for Email Security<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies \u2014 or service providers on their behalf \u2014 to track email failures. Thus, companies should rapidly <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_self\" href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/tech-tip-why-haven-t-you-set-up-dmarc-yet-\">move from &#8220;none&#8221; to &#8220;quarantine&#8221; to &#8220;reject&#8221; as their policy<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, experts say.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. 
BIMI <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_self\" href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/time-get-strict-dmarc\">requires strict DMARC<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, however, and only about a third of domains currently comply, according to Red Sift&#8217;s data.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google&#8217;s Kumaran. DMARC adoption does not boil down to &#8220;authenticated mail is good, and unauthenticated email is bad,&#8221; he says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users,&#8221; Kumaran says. 
&#8220;So I think it&#8217;s a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people \u2014 and gives those the folks working in defending \u2014 stronger signals on which to operate.&#8221;<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/remote-workforce\/google-dmarc-push-email-security-challenges\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A year after Google and Yahoo forced bulk email senders<\/p>\n","protected":false},"author":12,"featured_media":7243,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-7242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=1600%2C900&ssl=1",1600,900,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-chall
enges-remain.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=1600%2C900&ssl=1",1600,900,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/googles-dmarc-push-pays-off-but-email-security-challenges-remain.jpg?fit=1600%2C900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7242"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7242\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/7243"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
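Worked example, added by the editor after the record above; it is not part of the Dark Reading article and is not code from Red Sift, Guardio or Google. The SubdoMailing passage describes SPF include directives that point at domains whose registration has lapsed, and the closing section tells companies to move their DMARC policy from none to quarantine to reject. The script below makes both concrete: it walks an SPF include chain and flags any name that no longer resolves, and it reads a DMARC record and reports what the policy really covers once the defaults for sp, pct and aspf are applied. Everything in it is constructed: the names under .example, the FAKE_DNS table that stands in for a resolver, and the two DMARC records (one weak, one corrected). Replace lookup_txt with a real resolver such as dnspython to audit live domains.

```python
"""Mail-authentication posture audit: dangling SPF includes and DMARC enforcement.

Editor's example for the article above; not code from Dark Reading, Red Sift, Guardio
or Google.  Runs offline against a constructed DNS table (every name and record in
FAKE_DNS is made up).  Swap lookup_txt for a real resolver to audit live domains.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample zone.  Addresses are RFC 5737/3849 documentation ranges; names are
# fictional.  sweeps-agency.example is deliberately absent: its registration lapsed.
FAKE_DNS: Dict[str, List[str]] = {
    "brand.example": ["v=spf1 include:_spf.mailvendor.example include:sweeps-agency.example ip4:203.0.113.10 -all"],
    "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailvendor.example ~all"],
    "_spf2.mailvendor.example": ["v=spf1 ip6:2001:db8:1::/48 -all"],
    "_dmarc.brand.example": ["v=DMARC1; p=quarantine; sp=none; pct=50; rua=mailto:dmarc@brand.example"],
    # The same domain after the fixes the article's experts recommend.
    "_dmarc.brand-fixed.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"],
}
MAX_DNS_MECHANISMS = 10   # RFC 7208 s4.6.4: more than 10 lookup-causing terms is a permerror
LEVEL = {"none": 0, "quarantine": 1, "reject": 2}


def lookup_txt(name: str) -> Optional[List[str]]:
    """TXT records for name, or None when the name does not exist (NXDOMAIN)."""
    return FAKE_DNS.get(name.lower())


def get_spf(name: str, lookup: Callable) -> Optional[str]:
    """None if the name is unregistered, "" if it exists without SPF, else the record."""
    txts = lookup(name)
    if txts is None:
        return None
    return next((t for t in txts if t.lower().startswith("v=spf1")), "")


def audit_spf(domain: str, lookup: Callable = lookup_txt) -> dict:
    """Walk include:/redirect= chains breadth-first; report dangling names and the lookup budget."""
    rep = {"dangling": [], "no_spf": [], "visited": [], "lookups": 0}
    queue = [domain.lower()]
    while queue:
        name = queue.pop(0)
        if name in rep["visited"]:          # guards against include loops
            continue
        rep["visited"].append(name)
        rec = get_spf(name, lookup)
        if rec is None:
            rep["dangling"].append(name)    # SubdoMailing precondition: anyone can register this
            continue
        if rec == "":
            rep["no_spf"].append(name)      # harmless today, but a lapse later would be dangling too
            continue
        for term in rec.split()[1:]:
            t = term.lstrip("+-~?").lower()
            mech = re.split(r"[:/=]", t, maxsplit=1)[0]
            if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
                rep["lookups"] += 1         # the terms that cost a DNS query under the 10-lookup cap
            if mech in ("include", "redirect"):
                queue.append(t.split(":" if mech == "include" else "=", 1)[1])
    rep["over_limit"] = rep["lookups"] > MAX_DNS_MECHANISMS
    return rep


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(domain: str, lookup: Callable = lookup_txt) -> dict:
    """Read _dmarc.<domain> and say how much of the mail stream the policy really covers."""
    txts = lookup(f"_dmarc.{domain}") or []
    rec = next((t for t in txts if t.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return {"policy": None, "enforced": False,
                "findings": ["no DMARC record: spoofed mail is neither reported nor blocked"]}
    tags = parse_dmarc(rec)
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()           # sp= defaults to p=, so an explicit sp=none is a downgrade
    pct = int(tags.get("pct", "100"))        # pct= defaults to 100
    aspf = tags.get("aspf", "r").lower()     # relaxed: any subdomain of the org domain aligns
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: move to p=reject once rua reports show no legitimate failures")
    if LEVEL.get(sp, 0) < LEVEL.get(p, 0):
        findings.append(f"sp={sp} is weaker than p={p}: subdomains are the cheaper impersonation target")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={p}; the rest gets the next-weaker action")
    if aspf == "r":
        findings.append("note: aspf=r (default) means an SPF pass for any subdomain satisfies alignment")
    if "rua" not in tags:
        findings.append("no rua=: without aggregate reports you cannot see who fails before tightening")
    return {"policy": p, "subdomain_policy": sp, "pct": pct,
            "enforced": p == "reject" and sp == "reject" and pct == 100, "findings": findings}


if __name__ == "__main__":
    print(audit_spf("brand.example"))
    print(assess_dmarc("brand.example"))
    print(assess_dmarc("brand-fixed.example"))
```

The audit reports sweeps-agency.example as dangling because it is absent from the table, which is exactly the condition SubdoMailing needs: whoever registers that name can publish an SPF record that brand.example will trust without any change on brand.example's side. The DMARC assessment shows why a record that looks enforced can still leave gaps: sp=none reopens every subdomain, and pct=50 applies the quarantine action to only half of the failing mail while the other half falls through to p=none behaviour. The corrected record for brand-fixed.example relies on the defaults in the safe direction (sp inherits reject, pct is 100) and reports as enforced.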