A new survey of US college and higher education email domains has revealed less than one-in-10 institutions have implemented basic phishing and spoofing protection.
The research by email security provider EasyDMARC reviewed the security policies of .edu email domains, which are assigned to 1,930 US colleges and further education institutions. EasyDMARC’s research found that only 152 (7.8%) of US .edu domains have correctly implemented and configured security policies to flag, report and remove outbound phishing emails.
The survey reviewed the deployment of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard among US .edu domains. First published in 2012, the DMARC standard lets receiving mail systems automatically flag and remove emails that impersonate the sender’s domain, which is a crucial way to prevent outbound phishing and spoofing attempts.
EasyDMARC’s research found that only 1,122 (58%) of US .edu domains had implemented the decade-old DMARC standard. The research also revealed an under-utilization of DMARC’s capabilities where it is deployed.
Among the US .edu domains that had implemented DMARC, 848 of them (76% of such domains) had their DMARC policies set to only monitor outgoing emails impersonating legitimate domains. A further 199 domains (18% of DMARC-using domains) only went slightly further, having set their policies to send impersonating emails to quarantine.
As a result, many DMARC implementations among US .edu domains still leave users exposed to phishing emails. This creates a substantial risk of ransomware attacks, fraud and data breaches.
In the end, only 152 institutions (7.8% of the total and 14% of DMARC-using domains) set their DMARC policy to automatically reject emails impersonating their domain.
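To make the three policy levels in the survey concrete, here is an added example (not EasyDMARC’s tooling) that parses DMARC TXT records and buckets domains the way the survey does: no DMARC, monitor only, quarantine, or reject. The domain names and records below are constructed for illustration; a real check would fetch the TXT record published at _dmarc.<domain> with a DNS client.

```python
"""Classify DMARC TXT records into the survey's buckets (added example)."""

# Constructed sample records for hypothetical domains; not real .edu lookups.
SAMPLE_RECORDS = {
    "none.example": None,                                        # no _dmarc TXT record at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:r@q.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "broken.example": "p=reject; rua=mailto:x@broken.example",  # missing v= tag: not valid DMARC
    "partial.example": "v=DMARC1; p=reject; pct=10",            # reject applied to 10% of mail only
}


def parse_dmarc(record):
    """Return a dict of tag -> value, or None if the text is not a valid DMARC record.
    RFC 7489 requires the record to start with v=DMARC1 and to carry a p= tag."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(record):
    """Map one record to 'no-dmarc', 'monitor', 'quarantine', 'reject' or 'reject-partial'.
    A reject policy with pct below 100 is flagged separately, because receivers then
    apply the policy to only that percentage of failing mail and deliver the rest."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-dmarc"
    policy = tags["p"].lower()
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    if policy == "reject":
        return "reject" if pct >= 100 else "reject-partial"
    if policy == "quarantine":
        return "quarantine"
    return "monitor"  # p=none (or an unrecognised value): reports only, spoofed mail is delivered


def summarize(records):
    """Count domains per bucket, mirroring the survey's headline figures."""
    counts = {}
    for rec in records.values():
        bucket = classify(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```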