Courting Trouble: Big Retailers Don't Use DMARC
By Ken Magill
Of the top 100 retailers in America, just three protect their brands from phishing using DMARC, according to a study released today by email intelligence firm Return Path.
The news comes exactly one day short of a year since the DMARC scheme was unveiled.
The news also comes as phishers are increasingly using phony receipts and shipping notices to capture people’s financial information, according to Return Path.
Dubbed Domain-based Message Authentication, Reporting and Conformance, or DMARC (dee-mark), the scheme is an extension of email authentication, where senders publish certain information, such as what IP addresses are authorized to send messages on their brand’s behalf, so the ISPs can more readily identify email coming from those brands.
Though authentication helps identify authorized senders, ISPs have struggled with how to treat unauthenticated messages. Just because they’re not authenticated doesn’t necessarily mean they’re fraudulent.
Email authentication has not reached 100 percent adoption. And many emailers who have implemented email authentication have reportedly not authenticated all of their outbound messaging.
For example, a company’s marketing messages might be authenticated while its customer service or transactional messages are not.
According to Return Path, 77 of the top 100 American retailers do not fully authenticate all of their domains and lack a comprehensive authentication policy.
And in the apparently rare instances where companies have authenticated all of their email, there is still the difficulty of informing all the various ISPs that the authentication process for a particular brand is complete.
Most companies don’t have the relationships with ISP abuse desk employees that would be necessary for them to communicate that any unauthenticated email purporting to come from their brand is probably phony.
DMARC allows email senders to automatically tell email inbox providers when all of their servers are authenticated.
As a result, when unauthenticated email purporting to be from a company that has published a DMARC record arrives at an ISP, the ISP can more readily identify it as phony and take appropriate action.
The DMARC specification also lets the sender tell ISPs how it would like phony messages pretending to be from its brand handled, such as quarantining or blocking them.
But of course, the scheme can’t work if it isn’t implemented.
The three top-100 retailers that have implemented DMARC are Amazon, Apple and Netflix, according to Return Path.
“People have a long way to go with their authentication policies in protecting their brands and domains,” said Tom Sather, senior director of email research for Return Path. “That only three of the top 100 retailers are using DMARC was surprising. It’s relatively new but it’s not like it’s all that hard to set up. It’s not like there’s a high barrier to entry.”