North Korea targeting weak DMARC policies

Bleeping Computer’s Sergiu Gatlan reports on a dire DMARC warning from the US National Security Agency (NSA): It seems that North Korea loves to send phishing emails, and they seem to be finding success by picking domains with weak DMARC policies when choosing whom to target. I have to wonder – have they learned, possibly through that rush for everyone to implement DMARC so that everyone can keep sending marketing, newsletter or other bulk mail en masse to Yahoo Mail and Gmail inboxes, that “p=none” is not so much a DMARC policy as an invitation for bad guys to come spoof a domain?

Indeed, in the rush to meet the February new sender requirements deadline, a whole bunch of domains have implemented a “p=none” DMARC policy. I, like many other folks, have been guilty of falling into the trap of suggesting that a “p=none” policy is good enough, as it seemed to be enough to comply with the new Yahoo and Google requirements. But what we’re all learning here is that it’s not a great choice from a security perspective, and that bad guys might even go looking for domains with a “p=none” policy to exploit when trying to decide whose domains to spoof.

And right now, that universe of unprotected “p=none” domains is … just too large. Of the top ten million domains, 1.375 million of them have a DMARC policy with p=none, according to my April 2024 data snapshot. That’s about 70% of the nearly 2 million DMARC policies found overall in that data set. And of the 1.375 million domains with a “p=none” policy, only about 38% even have a reporting address configured. That means nobody is actively monitoring those domains for phishing or spoofing attempts.

TL;DR? If you’ve got a “p=none” DMARC policy in place today, you don’t necessarily need to run screaming for the hills; but you should be thinking about how to keep your domain from being spoofed. I know from my years of observing spam spoofing that everybody gets spoofed eventually, so I wouldn’t just let this go. It’s time to put a plan together to get DMARC monitoring in place and work toward a “p=reject” policy to secure your domain.
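To make the two checks above concrete (what policy a domain publishes, and whether anyone is receiving aggregate reports for it), here is an added example that is not part of the original post: a small Python audit that parses DMARC TXT records using the tag=value syntax from RFC 7489, flags the “p=none with no rua” combination, and tallies the same kind of shares described for the April 2024 snapshot. The domain names and records are constructed for illustration; in practice you would feed it the `_dmarc.<domain>` TXT records for the domains you own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample DMARC TXT records for hypothetical domains (not real DNS data).
# In a real audit these would be the TXT records fetched from _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, str] = {
    "example-none.test": "v=DMARC1; p=none",
    "example-none-monitored.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-none-monitored.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:agg@example-quarantine.test",
    "example-reject.test": "v=DMARC1; p=reject; rua=mailto:agg@example-reject.test; ruf=mailto:forensic@example-reject.test",
    # An SPF record published where DMARC was expected: counts as "no DMARC policy".
    "example-broken.test": "v=spf1 include:_spf.example.test -all",
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]  # "none", "quarantine", "reject", or None when no valid record
    has_rua: bool          # True when an aggregate-report (rua) mailto address is present
    finding: str


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into a tag dict (RFC 7489 'tag=value;' pairs).

    Returns None unless the record begins with v=DMARC1, which the spec requires
    for the record to be treated as DMARC at all.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(domain: str, record: str) -> DmarcAssessment:
    """Classify one domain's record by enforcement level and monitoring status."""
    tags = parse_dmarc(record)
    if tags is None:
        return DmarcAssessment(domain, None, False, "no valid DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, None, False, "invalid or missing p= tag")
    # rua may list several comma-separated mailto: URIs; any one of them counts.
    has_rua = bool(re.search(r"mailto:[^,\s]+", tags.get("rua", "")))
    if policy == "none" and not has_rua:
        finding = "p=none with no rua: unenforced and unmonitored"
    elif policy == "none":
        finding = "p=none with rua: monitored but unenforced; plan the move to quarantine/reject"
    elif policy == "quarantine":
        finding = "p=quarantine: enforced; move to p=reject once reports show no legitimate failures"
    else:
        finding = "p=reject: enforced"
    return DmarcAssessment(domain, policy, has_rua, finding)


def summarize(records: Dict[str, str]) -> dict:
    """Tally p=none share among valid policies, and rua coverage among p=none domains."""
    results: List[DmarcAssessment] = [assess(d, r) for d, r in records.items()]
    with_policy = [r for r in results if r.policy]
    none_policy = [r for r in with_policy if r.policy == "none"]
    none_with_rua = [r for r in none_policy if r.has_rua]
    return {
        "domains": len(results),
        "dmarc_policies": len(with_policy),
        "p_none": len(none_policy),
        "p_none_share": round(len(none_policy) / len(with_policy), 3) if with_policy else 0.0,
        "p_none_with_rua": len(none_with_rua),
        "p_none_with_rua_share": round(len(none_with_rua) / len(none_policy), 3) if none_policy else 0.0,
        "results": results,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for r in summary["results"]:
        print(f"{r.domain:32} {str(r.policy):10} rua={r.has_rua!s:5} {r.finding}")
    print(f"p=none share of policies: {summary['p_none_share']:.0%}, "
          f"of which with rua: {summary['p_none_with_rua_share']:.0%}")
```

The “p=none with no rua” finding is the one worth acting on first: such a domain is neither protected nor watched, so the first step in the plan above is simply adding a `rua=mailto:` address so the aggregate reports start arriving, and the policy can be tightened once those reports show which senders are legitimately failing alignment.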

Want to learn more about this issue, and what you can do about it? Follow me over to the Valimail blog, where I've written more on this very topic.
