NCSC calls out Microsoft over Dmarc reports
The UK’s cyber security agency has called out Microsoft for seriously undermining global email security by failing to provide crucial reports from its email platforms
Microsoft stopped sending any form of domain-based message authentication, reporting and conformance (Dmarc) protocol reports from any of its email platforms in late 2017, according to the latest report by the UK’s National Cyber Security Centre (NCSC).
Microsoft’s email platforms together form one of the biggest receivers of email. “As a result, this has had a massively negative effect on the community’s ability to draw conclusions about email security driven by Dmarc adoption, and it is almost impossible for us to compare meaningful statistics from this year with statistics from last year,” the NCSC said in its latest annual report on its Active Cyber Defence (ACD) programme.
In the previous report, the NCSC talked about the volume of emails it saw, both in total and the number of emails failing Dmarc, but said it was unable to do so for 2018 because of the lack of data from one of the world’s biggest email providers.
“We, and many others, are in discussion with Microsoft about this. This chapter is therefore somewhat smaller than it could have been. Sorry,” the NCSC report said.
The NCSC’s Mail Check service is a key component of its ACD programme that monitors the public sector for email anti-spoofing capabilities, including Dmarc.
According to the report, the number of public sector domains using Dmarc more than tripled from 412 at the end of December 2017 to 1,369 by the end of December 2018.
The number of domains with a Dmarc policy of “quarantine” or “reject” to prevent suspicious emails being delivered to recipients’ inboxes also tripled from 192 to 572.
“This is obviously a significant uplift in the public sector adoption of email security protocols, but there remains more to do in driving adoption across public sector to prefer stronger Dmarc policies, and then encouraging wider industry in the UK (and more widely) to similarly adopt the protocols,” the report said.
Commenting on the NCSC report, Seth Blank, the co-chair of the collaboration committee at email industry group M3AAWG and secretary of the IETF (Internet Engineering Task Force) working group overseeing the Dmarc standard, said it underscores how important it is for all players in the email ecosystem to follow accepted standards and best practices consistently, especially in the light of the fact that email phishing is a “huge and growing” global problem.
“When some players reap the benefits of a standard like Dmarc, but don’t contribute to the ecosystem by providing reports, it damages email security for everyone. NCSC is correct when it calls this failure out as ‘a massively negative effect on the community’.
“Fortunately, the vast majority of email inboxes worldwide respect the Dmarc standard and its obligations. Eliminating phishing attacks and email fraud depends on the continued expansion and deepening of this support,” he said.
Approached for comment by Computer Weekly, a Microsoft spokesperson said: “Dmarc reporting for outlook.com was paused for internal engineering integration. We are working on restarting it post engineering work completion”.
The NCSC also used the report to call on all email providers to adhere to Dmarc policy requirements, pointing out that Dmarc relies on email providers treating email as requested by the sending domain’s policy. This means that any email received from a sending domain with a Dmarc policy of “reject” that fails the authentication requirements should never even reach the intended recipient’s account.
According to the report, the way email providers treat reject records varies, and not all of them completely reject emails when there is a “reject” policy in place.
This is problematic, the report said, because if a rejected email is still allowed into a spam folder, and it turns out to be a phishing email, the likelihood of the user digging out the mail and actioning it goes from zero to “greater than zero”.
According to the NCSC, it has seen a few actual incidents where someone actioning an email that ended up in their spam folder was the way in for attackers.
“We need the industry to be more consistent in how they action a domain’s Dmarc policies and there is significant work to be done here,” the report said.
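The receiver-side logic the NCSC is asking providers to apply consistently is small enough to show in full. The following Python is an added illustration, not code from the NCSC report or from any email provider: it parses a constructed Dmarc TXT record, checks SPF/DKIM alignment against the From domain, derives the disposition the domain owner asked for (including the separate subdomain policy), and then maps that onto what the inbox does. The `honour_reject` switch models the inconsistency the report criticises, where a “reject” verdict is downgraded to a junk-folder delivery the user can still dig out. The domains, the record and the suffix list are constructed for the example; a real receiver would use the Public Suffix List and would also honour the `pct` tag, which is ignored here.

```python
"""Receiver-side DMARC evaluation: alignment, policy lookup and disposition.

Added illustration, not code from the NCSC report or from any mail provider.
The record, domains and messages below are constructed.
"""
from dataclasses import dataclass

# Constructed DMARC record, as it would be published in the TXT record at
# _dmarc.example.gov.uk. 'rua' is where aggregate reports would be sent.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; "
    "rua=mailto:dmarc-reports@example.gov.uk"
)

# Tiny stand-in for the Public Suffix List; real receivers use the full list.
MULTILABEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable domain (e.g. example.gov.uk for mail.example.gov.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTILABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str    # domain of the RFC5322.From header the user sees
    spf_pass: bool      # SPF result for the envelope MAIL FROM domain
    spf_domain: str
    dkim_pass: bool     # a DKIM signature verified
    dkim_domain: str    # the d= tag of that signature


def dmarc_pass(msg: AuthResult, policy: dict) -> bool:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with the From domain."""
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, policy.get("adkim", "r"))
    return spf_ok or dkim_ok


def disposition(msg: AuthResult, policy: dict, record_domain: str) -> str:
    """Return 'none', 'quarantine' or 'reject' as the domain owner requested.

    'sp' (if present) governs subdomains of the record's domain; 'pct' is ignored here.
    """
    if dmarc_pass(msg, policy):
        return "none"
    if msg.from_domain.lower() != record_domain.lower() and "sp" in policy:
        return policy["sp"]
    return policy.get("p", "none")


def receiver_action(msg: AuthResult, policy: dict, record_domain: str,
                    honour_reject: bool = True) -> str:
    """What the receiving platform does with the message.

    honour_reject=False models the behaviour the NCSC criticises: a 'reject'
    verdict downgraded to a junk-folder delivery the user can still dig out.
    """
    d = disposition(msg, policy, record_domain)
    if d == "reject" and honour_reject:
        return "rejected during SMTP; never delivered to any folder"
    if d in ("reject", "quarantine"):
        return "delivered to junk folder"
    return "delivered to inbox"


def tally(messages, policy: dict, record_domain: str) -> dict:
    """Count dispositions: the kind of statistic aggregate (rua) reports let a domain owner see."""
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    for m in messages:
        counts[disposition(m, policy, record_domain)] += 1
    return counts


if __name__ == "__main__":
    policy = parse_dmarc_record(SAMPLE_DMARC_RECORD)
    legit = AuthResult("example.gov.uk", True, "bounce.example.gov.uk", True, "example.gov.uk")
    spoof = AuthResult("example.gov.uk", True, "attacker.example", False, "")
    for m in (legit, spoof):
        print(m.from_domain, "->", receiver_action(m, policy, "example.gov.uk"))
```

The `tally` function is the link back to the reporting half of the story: the per-disposition counts it produces are exactly what a receiver would put into the aggregate reports sent to the `rua` address, and without those reports a domain owner has no way of seeing how much mail claiming to be from it is failing and being rejected elsewhere.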
Read more about Dmarc
- Implementing Dmarc should be a top priority for UK firms, a Rapid7 study reveals.
- Top UK traditional and challenger banks risk exposing customers to email fraud, a study reveals, with the Dmarc protocol the only sure-fire way to prevent email spoofing, says security firm Red Sift.
- There is a worldwide lack of Dmarc email validation to defend against fraud and phishing attacks, putting organisations and customers at risk, a study shows.
- Dmarc is a hugely important way to reduce email fraud – just ask HMRC – but it also makes email marketing campaigns far more effective.