An analysis of the 3,614 domains operated by the top accredited colleges and universities in the US has revealed that 88.8% of their root domains lack protections against phishing attacks that spoof the institution’s email nomenclature.
A report from email specialist 250ok shows that most of these institutions do not have a published Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) policy in place. In fact, only 11.2% have fully implemented DMARC, the industry standard for email validation, which means that they index lower than top US and EU retailers (15.8%).
“Since universities communicate with a wide range of constituencies, leaving email security up to chance is dangerous,” said Matthew Vernhout, director of privacy at 250ok. “Failing to publish basic authentication records and a DMARC policy leaves students, faculty and other recipients unnecessarily exposed to phishing attacks.”
Even though the higher education sector appears to be lagging, the news comes as organizations continue to grow their awareness of DMARC’s effectiveness. For instance, the Department of Homeland Security (DHS) issued a directive last year for all federal domains to implement DMARC, TLS and HTTPS to prevent domain name spoofing and to secure email communication. Other segments are beginning to follow suit.
"We send up to millions of unique emails each month to students, asking them to click links. Recipients get used to seeing emails from a UKY.edu domain, and they may click a link without double-checking where the email came from," said Alex Mackey, digital strategy manager at the University of Kentucky and 250ok client. "Being compliant and understanding the implications of spoofers using your domain needs to be at the forefront of the mind of anyone who is sending email, especially in the higher ed space."