Introduction
In our blog post back in January 2024, we discussed the importance of DMARC (Domain-based Message Authentication, Reporting, and Conformance) for recruitment companies, in preparation for the enhanced email security requirements from Google and Yahoo that came into effect in February 2024.
This follow-up highlights some of the common pitfalls businesses encounter with DMARC, particularly when third-party services promote minimal setups that create a false sense of security. Understanding these risks will help you steer clear of inadequate configurations. Whether you plan to set up DMARC yourself or engage a team with extensive experience, the goal is the same: full protection for your recruitment business, not a record that merely exists.
DMARC’s Growing Importance.
DMARC (Domain-based Message Authentication, Reporting & Conformance) was introduced in 2012, developed collaboratively with major contributions from email providers including Google, Yahoo, Microsoft and AOL. Its goal was to establish a standardised email authentication protocol to combat email fraud, phishing and spoofing.
Building on technologies like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), DMARC allows domain owners to define how their emails should be authenticated and what actions to take with messages that fail. Over time, DMARC has become a critical tool for securing email communications, particularly in industries like recruitment, where emails are a vital channel for candidate and client interactions.
2024 Policy Changes: Adoption & Issues.
DMARC adoption among the top 10 million domains surged after February 2024, with over 500,000 additional domains publishing a DMARC policy and the adoption rate rising from around 14% to 20%. That growth stagnated very quickly: only 25,000 further domains have adopted DMARC since June 2024.
More importantly, over 75% of these domains are still using the p=none policy, which only monitors email traffic (via aggregate reports) and instructs receivers to take no action against messages that fail authentication. This leaves a significant number of businesses just as exposed to phishing and spoofing as they were before they published a record. About 15% have adopted the intermediate p=quarantine policy, while just 10% of domains have fully implemented the secure p=reject policy.
Put together, this means that only 5.75% of the top 10 million domains have actually implemented a secure DMARC policy, leaving the rest exposed to ongoing risks.
87% of Top Domains Lack Proper DMARC Security.
Why Is Secure DMARC Policy Adoption Falling Short?
A major factor contributing to the lack of secure DMARC policy adoption is the failure of third-party services to provide adequate guidance and to highlight the security risks of leaving a domain on a weak p=none policy.
Many of these services encourage businesses to publish a basic p=none policy simply to meet the minimum compliance requirements, without stressing the importance of moving on to the stronger p=quarantine or p=reject policies.
Their priority is to make onboarding as easy and quick as possible, which means businesses never need to understand the technical details of SPF, DKIM and DMARC, or the implications of the records being added to their DNS.
This "minimal effort" approach frequently results in businesses adopting incomplete or ineffective policies. They remain vulnerable to phishing and spoofing attacks while believing they are protected, because they have ticked the compliance box.
The Risks of DMARC Verification Tools.
Adding to the confusion, many businesses use online tools to verify their DMARC setup, but here is the issue: many of these tools do not clearly indicate whether a domain is actually protected. They confirm that a DMARC record exists without highlighting that a p=none policy provides no enforcement at all; receiving mail servers are told to deliver failing messages as normal and merely report them. The same goes for records with pct= set below 100 or an sp= tag that leaves subdomains unprotected.
This incomplete implementation often leaves recruitment agencies believing they are compliant, unaware that their brand can still be spoofed in phishing attacks. It is a risky assumption, and one that can lead to costly mistakes.
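To show what a verification tool should report, here is an added example (not Refari's tooling or any product's code) that parses a DMARC TXT record and grades it as unprotected, monitoring, partial or enforced rather than simply "DMARC found". The grade labels and the sample records are constructed for illustration; tag semantics (p=, sp=, pct=, rua=) follow RFC 7489, and treating an invalid pct= as the default of 100 is an assumption made here, not RFC-mandated behaviour.

```python
"""Grade a DMARC record the way a sceptical verification tool should.

Added example, not Refari's tooling: grade labels, thresholds and the
sample records are constructed for illustration. Tag semantics follow
RFC 7489; treating an invalid pct= as 100 is an assumption made here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Policy strength ordering used to compare p= with sp=.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    present: bool                    # a usable v=DMARC1 record was found
    policy: Optional[str]            # p= value, or None if no usable record
    subdomain_policy: Optional[str]  # effective sp= (defaults to p= per RFC 7489)
    pct: int                         # share of failing mail the policy applies to
    has_reports: bool                # rua= present, so the owner actually sees abuse
    grade: str                       # unprotected | monitoring | partial | enforced
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Separate 'has a DMARC record' from 'is actually enforced'."""
    notes: List[str] = []
    if record is None:
        return DmarcAssessment(False, None, None, 0, False, "unprotected",
                               ["no _dmarc TXT record: receivers apply no DMARC policy"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, None, 0, False, "unprotected",
                               ["record does not start with v=DMARC1, so receivers ignore it"])
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        if "rua" not in tags:
            return DmarcAssessment(False, None, None, 0, False, "unprotected",
                                   ["missing/invalid p= and no rua=: receivers discard the record"])
        # RFC 7489 s6.6.3: invalid p= with rua= present is treated as p=none.
        notes.append("missing/invalid p= tag: receivers fall back to p=none")
        policy = "none"
    sp = tags.get("sp", policy).lower()
    if sp not in STRENGTH:
        notes.append("invalid sp= tag, treating subdomains as inheriting p= (assumption)")
        sp = policy
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        notes.append("invalid pct= value, treating it as 100 (assumption)")
        pct = 100
    has_reports = any(v.startswith("mailto:") for v in tags.get("rua", "").split(","))

    weaknesses = []
    if pct < 100:
        weaknesses.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} treatment")
    if STRENGTH[sp] < STRENGTH[policy]:
        weaknesses.append(f"sp={sp}: subdomains can still be spoofed despite p={policy}")

    if policy == "none":
        grade = "monitoring"
        notes.append("p=none: failing mail is delivered normally and only reported")
    elif weaknesses:
        grade = "partial"
        notes.extend(weaknesses)
    else:
        grade = "enforced"
        if policy == "quarantine":
            notes.append("p=quarantine sends failures to spam; p=reject is the stronger end state")
    if not has_reports:
        notes.append("no rua= address: you will not see who spoofs you or which legitimate mail fails")
    return DmarcAssessment(True, policy, sp, pct, has_reports, grade, notes)


# Constructed sample records, mirroring a typical none -> reject escalation.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "ten-percent.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@ten-percent.example",
    "weak-subdomains.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak-subdomains.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
}


def report(samples: Dict[str, Optional[str]] = SAMPLE_RECORDS) -> str:
    """Render one line per domain plus the reasons behind its grade."""
    lines = []
    for domain, rec in samples.items():
        a = assess_dmarc(rec)
        lines.append(f"{domain:<26} {a.grade:<11} p={a.policy} sp={a.subdomain_policy} pct={a.pct}")
        lines.extend(f"  - {n}" for n in a.notes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

To run this against a live domain, fetch the TXT record at `_dmarc.<domain>` (for example with `dig +short TXT _dmarc.example.com`) and pass the string to `assess_dmarc`; anything other than `enforced` is the gap a "DMARC: pass" tick mark hides.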
Could DMARC Have Protected These Companies?
At Refari, we’ve seen the impact of incomplete email security measures firsthand. Some of our clients have been targeted by spoofed emails, affecting their recruitment businesses. In these cases, fully implementing the DMARC policies we recommended could have provided the extra protection needed to prevent such attacks. Fortunately, we’ve since worked with these clients to achieve secure DMARC policies, helping safeguard their communications and reducing the risk of future spoofing attempts.
These attacks not only harm a company’s reputation but can also result in significant financial losses for both the company and their customers or partners. Below are several cases where implementing stronger DMARC policies could have helped protect all parties involved.
RSA Security (2011)
RSA Security experienced a serious breach caused by a spear-phishing attack. Attackers sent emails containing a malicious Excel attachment to RSA employees. Once opened, the malware installed a backdoor, allowing attackers to infiltrate the network and steal sensitive data, including critical information related to RSA’s SecurID tokens, which had a far-reaching impact on cybersecurity across numerous organizations.
Source: NetworkWorld
Target (2013)
The massive data breach at Target, which resulted in the theft of 40 million credit and debit card accounts, began with a phishing email sent to a third-party vendor. While not solely attributed to DMARC, the lack of adequate email authentication contributed to the phishing attack’s success.
Source: US Senate
Facebook and Google (2013-2015):
Between 2013 and 2015, cybercriminals executed a $121 million business email compromise (BEC) scam targeting Facebook and Google. The attackers impersonated an Asian hardware vendor, sending fraudulent invoices and convincing employees at both tech giants to wire funds to their accounts. The scam went undetected for two years, highlighting the vulnerabilities in email-based financial processes without proper authentication.
Source: CNBC
Sony Group Pictures Entertainment (2014)
Sony Pictures fell victim to a high-profile cyberattack that involved email spoofing. The absence of DMARC and other email authentication protocols made it easier for attackers to spoof company emails and gain access to sensitive data, including unreleased films.
Source: SecureOps
Ubiquiti Networks (2015)
Ubiquiti Networks fell victim to a spear-phishing attack, leading to a $46.7 million loss. Spoofed emails purporting to come from company executives bypassed security controls, largely because DMARC was not in place to stop them.
Source: Fortune
HMRC (2016–present)
The UK's tax authority was a frequent target of phishing attacks. Once HMRC implemented DMARC at p=reject, the volume of phishing emails spoofing its domain fell dramatically, showcasing the impact of DMARC in reducing email spoofing.
The United Kingdom also introduced a requirement for all government departments to adopt DMARC with its policy set to p=reject.
Source: UK Government & DMARC
Snapchat (2016)
Snapchat employees were targeted in a phishing attack where a scammer impersonated the CEO and tricked an employee into sharing sensitive payroll information. Proper DMARC implementation could have stopped the spoofing.
Source: TheGuardian
FACC (2016)
Austrian aerospace manufacturer FACC lost $47 million due to an email spoofing attack. A fraudulent email led an employee to transfer the funds, with DMARC absent to prevent the spoofing.
Source: Zoho
Medicare Australia (2017)
Medicare Australia faced phishing attacks where fraudulent emails tricked recipients into divulging sensitive information. DMARC could have helped prevent these emails from spoofing the Medicare domain.
Source: CareersInfoSecurity
FedEx/UPS Spoofing (2018)
Phishing campaigns targeted FedEx and UPS customers with spoofed shipment notifications, potentially compromising an unknown amount of data. These attacks were successful due to the lack of robust email authentication measures, such as DMARC, which could have prevented the spoofed emails from reaching recipients.
Norsk Hydro (2019)
Norsk Hydro was attacked by ransomware initiated through phishing emails. Stronger email authentication via DMARC could have mitigated the initial spoofing attack.
Source: LinkedIn Pulse
Toyota Subsidiary (2019)
A Toyota parts subsidiary fell victim to a sophisticated email spoofing attack. Posing as a Toyota executive, attackers sent fraudulent emails to the company’s finance department, requesting a wire transfer. This resulted in the company losing approximately $37 million, underscoring the risks of social engineering and the need for robust email authentication protocols like DMARC.
Source: Forbes
Weak DMARC Policies Being Exploited
According to a recent warning from the NSA, North Korean hackers are actively exploiting weak DMARC policies, particularly those set to p=none.
By maintaining a p=none policy for an extended period, you are essentially broadcasting to cybercriminals that your domain takes no proactive steps to prevent email spoofing: receiving servers will accept and deliver mail that fails authentication.
This creates an open invitation for attackers to impersonate your domain and launch phishing attacks and other malicious activity in your name. As the NSA's findings demonstrate, these weak DMARC setups are a critical point of exploitation for advanced threat actors, putting businesses, especially those in sensitive industries like recruitment, at serious risk.
Source: BleepingComputer
Expert DMARC Implementation for Your Recruitment Website.
Refari provides a specialized DMARC implementation service, specifically designed for recruitment firms using Refari-built websites. This comprehensive solution ensures enhanced email security and authentication.
- Comprehensive Audit and Custom Implementation: We thoroughly review your email system and sending services to ensure your SPF, DKIM and DMARC records meet the standards and align with best practices.
- Strategic Gradual Policy Escalation: Our team carefully transitions your DMARC policy from 'None' to 'Reject', raising enforcement in stages so legitimate emails are not disrupted, ensuring a smooth and secure upgrade.
- Managed Regular Report Analysis: We continuously monitor and assess DMARC reports on your behalf, identifying and resolving any email delivery challenges so that your recruitment communications remain timely and uninterrupted.