3 Major Email Security Standards Prove Too Porous for the Task

Nearly 90% of malicious emails manage to get past SPF, DKIM, or DMARC, since threat actors are apparently using the same filters as legitimate users.

Email security standards are proving porous where malicious email attacks are concerned, since attackers use a deceptive link or new domains that comply with the same email security standards regular users employ to blunt threats like phishing, according to a vendor report released this week.
Security firm Cloudflare found that the vast majority (89%) of unwanted messages passed a check of at least one of the three major email security standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting and Conformance (DMARC). SPF typically uses a domain-name record to indicate which servers can send mail on behalf of the domain, while DKIM allows senders to sign parts of a message, such as the from address, to attest to their validity. Finally, DMARC is a way of specifying policies, which can include attestation by SPF and DKIM processing.
While these email authentication standards are crucial to make the Internet safer, they can only protect users from the threats against which they were designed to protect, says Oren Falkowitz, field chief security officer at Cloudflare.
It is trivial for threat actors to set up a domain with the correct email authentication records, such that they pass all the necessary authentication checks while simultaneously including malicious payloads or links within the message to gain access to the organization, he says. Leveraging a common email provider ensures that attack messages will pass all the typical authentication checks — ultimately providing a fast lane to the intended target.
The data underscores that there remains much more work to do to protect users from fraudsters and cyberattackers who regularly use email to send scams and malware to victims. The addition of SPF, DKIM, and to organizations anti-fraud toolboxes has certainly made attackers jobs harder, but not impossible. Major email service providers like Googles Gmail have adopted the security standards, but so have attackers, who quickly adopt any workaround. At the recent DEF CON hacking conference, one security researcher demonstrated a way to use one mail service to
send messages on behalf of other domains
but that still pass DMARC checks.
For that reason, defenders need to take a layered approach, says David Raissipour, chief technology and product officer at Mimecast.
Like any security solution, no one should assume 100% coverage, he says. The easiest way to describe this would be like saying, We put a lock on our front door — that should prevent all burglaries. That statement would not be accurate, yet you should never consider having a house without a lock on the front door — it is simply part of a layered security system.
In its
2023 Phishing Threats Report
, Cloudflare noted that the email security technologies do not prevent lookalike email content, domains similar to a company brand, and some replay attacks. About one in every seven phishing emails attempts to camouflage the attack in the branding of a well-known company. The top impersonated brands include Microsoft, the World Health Organization, and Google, with the top-20 brands accounting for more than half (52%) of all impersonation attempts.
In addition to impersonating any of more than 1,000 brands, attackers used deceptive links more than a third of the time (36%); emails came from newly registered domains 30% of the time, according to Cloudflares analysis of data from hundreds of millions of attacks.
Since its introduction at the turn of the century, and its adoption
as a proposed standard nearly a decade ago
, SPF has focused on making it harder for fraudsters to impersonate legitimate domains. However, in 2022, only about 60% of domains had a valid SPF policy, while 31% had no policy, and another 9% had a misconfigured policy, according to
URIports.com
.
Having these standards helps ensure that emails originate from valid senders, which is a critical use case, Cloudflares Falkowitz says. But these standards were not meant to — nor do they — detect the presence of malicious payloads, links, or payload-less attacks, such as invoice fraud or business email compromise.
Cloudflare based its analysis on a 12-month sample of the approximately 13 billion email messages, including nearly 280 million email threat indicators, 250 million malicious messages, and about a billion instances of brand impersonation, the report stated.
Just because an email message comes from a validated server does not mean the message is not fraudulent, so companies need to check out the verified domains and senders of email messages. In effect, organizations need to apply zero-trust principles to their email security as well, including phishing-resistant multifactor authentication, Falkowitz says.
Attackers find success by attempting to be authentic — both representing themselves as the brands we know and trust, as well as the people we know and do business with, he says, adding: The only way to catch these attacks is by being preemptive in our approach and employing a diverse set of signals and techniques that span the various attack types and attack vectors seen in these campaigns.
In addition, security controls have to protect more than just email, since many companies rely on Slack, Microsoft Teams, or other messaging apps for daily operations, says Mimecasts Raissipour.
We really need to think more holistically about what we can call email security, he says. Employees, partners, and customers use more than just email for communication. We have seen those platforms become a target for malicious actors, and organizations should be considering the security of all their communication channels.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
3 Major Email Security Standards Prove Too Porous for the Task