SPF/DKIM use on the decline among Fortune 500s

For those not familiar with Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM), these are two forgery countermeasures that can be used by anyone looking to protect the integrity of their outgoing electronic correspondence (email). SPF and DKIM provide a response to recipient email servers interested in knowing whether a particular sender was authorized to send email representing the company’s domain. This is done without divulging any information about the message that was sent and can be very effective at fighting spam, phishing and other forms of spoofing. In order for the recipient to identify a forgery, their mail server must be running software that supports SPF or DKIM lookups (such as Secure Mail).

Out of the 2008 roster of Fortune 500 companies, a mere 202 appear to be using any of the forgery countermeasures provided by SPF, DKIM or similar implementations. This poses a stark contrast to Sendmail’s Survey, which claim some 90 percent of Fortune 1000 companies, suggesting a sharp decline from Sendmail’s reported 282 companies. To confirm their results, Secure Computing’s Research Team decided against using a random sampling and instead pulled together a list of all 500 primary domains used by the Fortune 500 and queried them.

Overall, most of the well known Fortune 500s that touch the technology world were using forgery countermeasures of some sort, and that’s where the rubber meets the road. These are, by far, the most likely targets of phishing and spoofing attacks. However it is important for the rest of the companies to consider these measures in an ever-increasing arena for fraud. Configuring SPF can be done effortlessly, in as little as 20 minutes for most companies.