21 February 2023 – A new survey of US college and higher education email domains has revealed less than one in ten universities stop phishing attacks and spoofing attempts.
The research by email security provider EasyDMARC reviewed the security policies of .edu email domains, which are assigned to 1,930 US colleges and further education institutions. EasyDMARC’s research found that only 152 (7.8%) of US .edu domains have correctly implemented and configured security policies to flag, report, and remove outbound phishing emails.
The survey reviewed the deployment of the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard among US .edu domains. First published in 2012, the DMARC standard enables the automatic flagging and removal of receiving emails that are impersonating senders’ domains, which is a crucial way to prevent outbound phishing and spoofing attempts.
EasyDMARC’s research found that only 1122 (58%) of US .edu domains had implemented the decade-old DMARC standard. The research also revealed an under-utilization of DMARC’s capabilities where it is deployed.
Among the US .edu domains that had implemented DMARC, 848 of them (76% of such domains) had their DMARC policies set to only monitor outgoing emails impersonating legitimate domains. A further 199 domains (18% of DMARC-using domains) only went slightly further, having set their policies to send impersonating emails to quarantine.
As a result, many DMARC implementations among US .edu domains leave users vulnerable to still receiving phishing emails. This creates a substantial risk of ransomware attacks, fraud, and data breaches.
In the end, only 152 institutions (7.8% of the total and 14% of DMARC-using domains) set their DMARC to automatically reject site emails impersonating their domain. This means that an underwhelming number of universities stop phishing completely.
Gerasim Hovhannisyan, EasyDMARC CEO and co-founder says:
“Phishing and spoofing are the main vectors for most modern cyber threats, including ransomware. That’s why it’s very concerning to see that less than one in ten US higher ed institutions have adopted adequate protection against these attacks by adequately implementing a DMARC solution.
“With many organizations moving to cloud-based email ecosystems, it’s likely that many educational institutions are finding it difficult to find a way to implement DMARC that can operate seamlessly alongside their SaaS solution stack. For vendors and service providers to educational institutions, these findings should be a wake-up call regarding the massive security gap that needs to be filled with cloud-native DMARC solutions.”