Why you need to use DMARC and SPF on mail servers to prevent phishing and fraud

Open-source, industry standard specifications are available to protect your business, but real-world deployment is still lower than optimal.

For nearly two decades, phishing has been a clear and present danger to businesses, as the potential risk of employees inadvertently divulging account credentials—putting sensitive information in the hands of criminals—can be a costly disaster to clean up. The original specifications for email were written without particular regard to security, making it possible—though inadvisable—to deploy a mail server without any security protection at all.

Fortunately, the use of email authentication is growing across industries, with 80% of all federal domains publishing a DMARC record, a significant increase from 50% a year ago, according to Valimail's Email Fraud Landscape Q4 2018 report, published Friday. However, only Fortune 500 companies and large US technology firms have an adoption rate of 50% or higher—the IT departments of both are likely well-equipped to handle that task, with technology firms placing a premium on security, as technology is their core competency to begin with.

The uptake for Fortune 500 companies has also been suitably dramatic, with just 28% using DMARC in Q4 2017, nearly doubling in the last year.

The risks of not securing email servers are growing, with Valimail pointing to an FBI study indicating that "fake emails were a key driver in the 60 percent jump in business email compromise (BEC) losses in 2018." Open, industry-standard mail security specifications like DMARC and SPF can minimize these risks.

"These attacks are absolutely preventable. We therefore applaud those organizations that have implemented email authentication based on open standards such as DMARC — which, when properly configured, can stop the most convincing fake emails dead in their tracks. We urge all domain owners and security leaders to adopt these standards and configure them correctly and completely, as quickly as possible, to ensure their own employees cannot be spoofed by cybercriminals," Alexander García-Tobar, CEO and co-founder of Valimail, said in a press release.
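As an added example (not code from the original article or from Valimail), the Python below reads a domain's DMARC and SPF TXT records and reports whether the DMARC policy is actually enforcing (p=quarantine or p=reject at pct=100) or merely monitoring (p=none), which is the "correctly and completely" distinction the quote draws. DNS resolution is replaced by a constructed lookup table so it runs offline; the domain names and record values are made up.

```python
# Constructed sample TXT records standing in for DNS lookups (no real domains).
SAMPLE_RECORDS = {
    "_dmarc.monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "monitor.test": "v=spf1 include:_spf.mailhost.test ~all",
    "_dmarc.strict.test": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@strict.test",
    "strict.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (enforcing, findings); enforcing means p=quarantine/reject at pct=100."""
    tags = parse_dmarc_tags(record or "")
    if tags.get("v") != "DMARC1":
        return False, ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # DMARC defaults pct to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return policy in ("quarantine", "reject") and pct == 100, findings

def assess_spf(record):
    """Return (ok, findings) based on the SPF record's terminal 'all' mechanism."""
    if record is None or not record.lower().startswith("v=spf1"):
        return False, ["no valid SPF record published"]
    last = record.split()[-1].lower()
    if last in ("all", "+all", "?all"):
        return False, [f"{last}: any host may send as this domain"]
    if last == "~all":
        return True, ["~all: softfail; -all is the strict setting"]
    return True, []

def assess_domain(domain, records=SAMPLE_RECORDS):
    # DMARC lives at _dmarc.<domain>; SPF is the TXT record on the domain itself.
    dmarc_ok, notes = assess_dmarc(records.get(f"_dmarc.{domain}"))
    spf_ok, spf_notes = assess_spf(records.get(domain))
    return {"dmarc_enforcing": dmarc_ok, "spf_ok": spf_ok, "findings": notes + spf_notes}
```

To run it against live domains, replace the `records` lookup with a DNS TXT query for the same two names.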

For more on how to protect your business, check out TechRepublic's cheat sheet to phishing and spearphishing, as well as the 10 most impersonated brands.

The big takeaways for tech leaders:

  • 80% of all federal domains publish a DMARC record, leading all other industries, though this is a federally mandated security measure. —Valimail, 2019
  • In the private sector, only Fortune 500 companies and large US technology firms have an adoption rate of 50% or higher. —Valimail, 2019

By James Sanders

James Sanders is a staff technology writer for TechRepublic. He covers future technology, including quantum computing, AI/ML, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on ...