Privacy & Information Security Law Blog

On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business).

Fewer than 10 percent of the businesses evaluated, however, use Domain Message Authentication Reporting & Conformance (“DMARC”)—an email authentication technology which alerts the business about potential spoofing efforts and instructs ISPs to automatically reject unauthenticated messages that claim to be from the business’s email address. In its report, the FTC recommended “wider implementation” of DMARC, noting that using DMARC to reject unauthenticated messages would help businesses “further combat phishing by keeping these scam emails from ever showing up in consumers’ inboxes.”