Agari, a cyber security firm, has determined that only 39 Fortune 500 companies employ a rather basic security feature that prevents email spoofing. In other words, more than nine out of ten are failing in this department.
The correct way to approach this issue is to publish a Domain-based Message Authentication, Reporting and Conformance policy (or DMARC for short). DMARC builds on the SPF and DKIM authentication checks: the domain owner states, in a DNS record, how receiving mail servers should treat messages that claim to come from the domain but fail those checks, which helps a great deal when it comes to combating phishing and spoofed emails. Depending on the published policy, a message that fails authentication is either delivered but reported back to the domain owner (p=none), marked as spam (p=quarantine), or rejected entirely (p=reject).
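As an added illustration of the check behind a survey like Agari's (this is example code written for this page, not Agari's tooling), the script below classifies domains by the policy in their DMARC record. The domain names and TXT records are constructed samples, and the DNS lookup of `_dmarc.<domain>` that a live check would perform is left out so the example runs offline.

```python
"""Classify domains by DMARC posture from their _dmarc TXT records.

Added example, not Agari's tooling. The records below are constructed
samples keyed by hypothetical domain names; a live check would fetch
TXT _dmarc.<domain> over DNS, which is left out so this runs offline.
"""

# Constructed sample records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@quarantine.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "spf-only.example": "v=spf1 include:_spf.example -all",  # SPF record, not DMARC
    "missing.example": None,                                 # no TXT record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' record into a dict.

    Returns {} unless the record carries v=DMARC1, which a receiving
    mail server requires before honouring any of the other tags.
    """
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def effective_policy(record):
    """Return (policy, pct) describing how failing mail is treated.

    policy is 'reject', 'quarantine', 'none', or 'missing' (no usable
    record). pct is the share of failing messages the policy applies
    to; RFC 7489 treats the remainder under the next weaker policy, so
    p=reject with pct=10 rejects only one failing message in ten.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("missing", 0)
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # malformed pct: assume the RFC 7489 default of 100
    return (policy, pct)


def is_enforcing(record):
    """True only if every failing message is quarantined or rejected."""
    policy, pct = effective_policy(record)
    return policy in ("quarantine", "reject") and pct == 100


def summarize(records):
    """Group domains the way the report buckets companies.

    A quarantine/reject policy with pct below 100 is a partial rollout,
    so it is reported separately rather than counted as enforcement.
    """
    buckets = {"reject": [], "quarantine": [], "partial": [], "none": [], "missing": []}
    for domain, record in records.items():
        policy, pct = effective_policy(record)
        if policy in ("quarantine", "reject") and pct < 100:
            buckets["partial"].append(domain)
        else:
            buckets[policy].append(domain)
    return buckets


if __name__ == "__main__":
    for policy, domains in summarize(SAMPLE_RECORDS).items():
        print(f"{policy:10} {', '.join(domains) or '-'}")
```

Note that a record is only counted as enforcing when the policy is quarantine or reject and `pct` is 100: a `p=none` record is monitoring only, and a `pct=10` rollout still lets nine out of ten spoofed messages through under the weaker policy.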
Agari refrained from naming the worst offenders, but they did release a list of those companies that do have a strong policy in place.
The following companies mark all unauthenticated messages as spam:
– Time Warner
These companies go as far as rejecting emails coming from unauthenticated domains:
Patrick Peterson, executive chairman at Agari, described the findings as unconscionable. He went on to say that phishing and other forms of digital deception are preventable, and deploying DMARC is the first step.
As alarming as it may sound, it’s not the first time someone has pointed out an absence of DMARC across different organisations. This goes far beyond private organisations; even certain government departments, such as Homeland Security, lack one.