In a study of 1 million corporate domains, only 60,000 had made any attempt at DMARC email authentication, and of those, only a quarter actually had enforcement mechanisms in place, according to a report released today by ValiMail.
DMARC -- domain-based message authentication, reporting and conformance -- is an open standard that helps secure domains against impersonation.
That protects both customers and employees from phishing emails that pretend to come from official corporate email accounts.
It doesn't protect against look-alike domain names, or emails sent from compromised corporate email accounts, but is still an important security measure.
However, DMARC can be tricky to set up, especially when companies use outside providers for marketing, human resources, payroll and other services where the vendor sends out emails on the company's behalf.
"The DMARC standard has multiple modes, and the simplest is just reports," said Peter Goldstein, CTO at ValiMail.
The domain administrator receives the reports, which aggregate the data about the IP addresses of senders using the domain names.
"But there's no enforcement," he said. "The receivers are not told to stop or block the phishing emails. The reporting, by itself, doesn't protect the customer, or the employee, or the business partner."
Companies can also choose enforcement: having the phishing emails rejected outright or automatically sent to the spam folder.
"But 75 percent of those who try to do DMARC authentication don't get to enforcement," he said.
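The distinction Goldstein draws, between a record that only asks for reports and one that tells receivers to quarantine or reject, is visible in the DMARC TXT record a domain publishes. The following Python is an added example for this article, not ValiMail's tooling or code from the original page: it parses a record, classifies its mode, and tallies a set of domains the way the study counts "attempted" versus "enforcing". The sample records are constructed; tag defaults (sp falls back to p, pct defaults to 100) and the missing-p fallback follow RFC 7489.

```python
"""Classify DMARC TXT records by mode: reporting only versus enforcement.

Added example; not ValiMail's tooling and not code from the article.
The records in SAMPLE_RECORDS are constructed, not from any real domain.
"""

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = {"none"} | ENFORCING_POLICIES


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into a lowercase tag -> value mapping."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # Anything that is not a DMARC1 record (e.g. an SPF record published
    # at _dmarc.<domain> by mistake) is ignored by receivers.
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or unsupported v= tag")
    return tags


def classify(txt: str) -> dict:
    """Describe what a record actually asks receiving mail servers to do."""
    tags = parse_dmarc_record(txt)
    notes = []
    if "p" not in tags:
        # RFC 7489 s6.6.3: a record without a usable p= but with rua= is
        # processed as p=none; without rua= it is ignored entirely.
        if "rua" in tags:
            tags["p"] = "none"
            notes.append("p= missing; treated as p=none because rua= is present")
        else:
            raise ValueError("missing p= tag and no rua=; record is ignored")
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))                    # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    reporting = "rua" in tags or "ruf" in tags

    if policy in ENFORCING_POLICIES and pct == 100:
        mode = "enforcement"
    elif policy in ENFORCING_POLICIES and pct > 0:
        mode = "partial"          # policy applied to a sample of failing mail
    elif reporting:
        mode = "monitoring"       # reports only: nothing is blocked
    else:
        mode = "none"             # no reports and no enforcement

    if mode in ("enforcement", "partial") and subdomain_policy == "none":
        notes.append("sp=none leaves subdomains without enforcement")
    if policy in ENFORCING_POLICIES and pct == 0:
        notes.append("pct=0 disables the enforcing policy")

    return {"mode": mode, "policy": policy, "subdomain_policy": subdomain_policy,
            "pct": pct, "reporting": reporting, "notes": notes}


def summarize(records: dict) -> dict:
    """Count domains with no record, an unusable record, any DMARC, and full enforcement."""
    counts = {"domains": len(records), "no_record": 0, "invalid": 0,
              "with_dmarc": 0, "enforcing": 0}
    for txt in records.values():
        if txt is None:
            counts["no_record"] += 1
            continue
        try:
            result = classify(txt)
        except ValueError:
            counts["invalid"] += 1
            continue
        counts["with_dmarc"] += 1
        if result["mode"] == "enforcement":
            counts["enforcing"] += 1
    return counts


# Constructed sample of what a TXT lookup of _dmarc.<domain> might return.
SAMPLE_RECORDS = {
    "no-record-a.example": None,
    "no-record-b.example": None,
    "no-record-c.example": None,
    "broken.example": "v=spf1 -all",                 # SPF text at the DMARC name
    "monitor-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-a.example",
    "monitor-b.example": "v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@monitor-b.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "enforce.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        try:
            print(domain, classify(txt)["mode"] if txt else "no record")
        except ValueError as exc:
            print(domain, "invalid:", exc)
    print(summarize(SAMPLE_RECORDS))
```

The classifier deliberately treats p=reject with pct=0, and p=none with a rua address, as monitoring rather than enforcement, since neither causes a receiver to block anything; those are the records that show up as "attempted but not enforced" in a census like the one reported here.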
Larger companies are more likely to use DMARC. Of the Nasdaq 100, 43 percent attempt authentication, as do 25 percent of the FTSE 100, 24 percent of the S&P 500, and 16 percent of the Fortune 1000.
"You do see more DMARC use among the bigger companies, but you still see a small rate of success," said Goldstein.
Of the Nasdaq 100 companies that had DMARC in place, 72 percent failed to enforce it, as did 80 percent of the FTSE 100, 74 percent of the S&P 500, and 77 percent of the Fortune 1000.
Adoption is increasing, he said, but in addition to the problem of third-party vendors, there are also other issues involved.
The standard has only existed in its present form since 2012, making it relatively young, as standards go. Support in email clients, where the user is notified in some fashion that a particular email is dangerous, has been inconsistent. And there's been a lack of good information about how to implement DMARC.
"Many companies look at DMARC, see that it's an open standard and say, 'I can do this myself,'" said Goldstein, whose company offers a DMARC management service. "But it's frankly pretty tricky."
Some vendors are starting to step up -- or are at least planning to do so.
Both Yahoo and AOL began enforcing DMARC for their consumer email services two years ago, Goldstein said. Google and Microsoft have been discussing implementing DMARC rejection for the consumer side of their Gmail and Office 365 platforms.
And all four companies use DMARC enforcement internally, for their own corporate communications.
"They clearly value it," he said.
On the enterprise side, Google Apps, Office 365 and Yahoo Business support DMARC, and the domain owner can publish DNS records that subject unauthorized emails to an enforcement policy.
"But while they make it easy to authenticate emails that are coming from them, they don't necessarily tell you how to authenticate marketing systems or the other systems like HR, payroll, and accounting that may also be sending email on your behalf," he said.
Neither Google nor Microsoft have publicly announced any plans to help move their business clients to full DMARC enforcement, he said.
"They encourage it, but haven't offered much in the form of services to get there," he said.