You know that email you once received from a friend or colleague that clearly wasn’t sent by him or her? More than 90 percent [1] of all cyberattacks begin with this kind of phishing email. Unfortunately, higher education is no stranger to phishing. In March 2017, Coastal Carolina University revealed [2] it lost more than $1M to a phishing scam. The attackers succeeded in the theft by masquerading as a company with a contractual relationship with the university. In an official-looking email, the phony sender requested changes to the university’s bank information. An employee complied, and the rest is history.
Phishing and spoofing attacks against students and staff are most likely when these three items are not properly in place:
- a Sender Policy Framework (SPF), which is an email-validation system that detects spoofing attempts. (Spoofing is when a third party disguises itself as a particular sender and uses a counterfeit email address.)
- DomainKeys Identified Mail (DKIM) and/or Domain-based Message Authentication: DKIM uses an encrypted token pair to validate message integrity during sending and delivery.
- a Reporting and Conformance (DMARC) policy, which is considered the industry standard for email policy and reporting tools that help to prevent such attacks.
250ok recently analyzed the 3,164 top-level .edu domains controlled by accredited U.S. colleges and universities. The scope of this study focused on DMARC adoption and found that almost 90 percent (3,211) of top-level .edu domains in the U.S. lack the most basic DMARC policy, which leaves students, parents, alumni, and employees at risk.
It is worth noting a meaningful number of institutions likely use a subdomain for some of their messaging (e.g., “college.edu” is a root domain; “mail.college.edu” is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A published record at the root domain will protect the entirety of the domain, including any potential subdomain as they will automatically inherit the DMARC policy of the root domain.
In 2017, the U.S. Department of Homeland Security announced Binding Operational Directive 18-01 [3], requiring all U.S. federal agencies to achieve a reject policy on their .gov domains by October 2018. Currently, only .4 percent of top-level .edu domains in the U.S. have implemented a reject policy—the gold standard for DMARC.
For many colleges and universities, the issue isn’t a lack of concern, but their inexperience with setting up email authentication. Here are five recommendations for getting started.
1. Implement both SPF and DKIM for all domains. If DKIM is further out on your roadmap, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all or ?all.
2. Publish a DMARC record for all domains, whether you send mail from them or not. Deploying a DMARC none policy (p=none) is a perfectly fine starting point. It’s a great step to get used to the DMARC data and begin the process of evaluating the length and complexity of your DMARC journey.
3. Find a DMARC software solution to help you quickly interpret the large amounts of DMARC data you will receive and guide you through the journey of getting to a reject policy for your domains responsibly.
4. Hire a consultant if you do not have email-authentication expertise or the resources to manage the process of getting to reject for your domains.
5. Publish a DMARC with reject policy for non-sending and defensively registered domains. It is a quick win to start protecting your brand by locking down these assets that should never be sending mail.
We hope that higher ed institutions across the country will step up to the challenge of protecting their students, faculty, and alumni. Perhaps the pressure on U.S. federal agencies to deploy DMARC and achieve a reject policy will be a catalyst for positive change in email authentication nationwide, and phishing will eventually become a thing of the past.