The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) has put out a joint call-to-action with Google and Verizon for the security industry to take more proactive measures to authenticate and secure their sending domains and email addresses by deploying email authentication at scale.
Preventing rampant phishing during the COVID-19 period should be a top priority for domain owners, the group said in a statement posted earlier this week. M3AAWG said the COVID-19 pandemic has provided “air cover” and new lures for bad threat actors to take advantage of the collective anxiety, fear and social isolation people around the world face while meeting stay-at-home orders.
“The need for the widespread adoption of email authentication cannot be understated,” said Len Shneyder, co-chair of the Election Security Working Group at M3AAWG and vice president of industry relations at Twilio. “We want companies to use strong authentication to protect all businesses at a time when there’s been an uptick in malicious email campaigns, but also that brands like the WHO and CDC can’t be exploited by the bad threat actors in these campaigns.”
Shneyder said M3AAWG and its more than 200 members strongly encourage domain owners that operate email programs to adhere to the following:
- Publish Sender Policy Framework (SPF) records with at least ~all, or -all if the domain does not send email.
- Sign all mail with aligned DomainKeys Identified Mail (DKIM). DKIM is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
- Publish Domain-based Message Authentication, Reporting and Conformance (DMARC) policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception.
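
As an added illustration (not code from M3AAWG or from the statement), the SPF and DMARC items above can be checked mechanically against a domain's published TXT record strings. The function names and the sample records are constructed for this example, and the `pct` check is an assumption about what "without exception" implies.

```python
# Added example: grade SPF and DMARC TXT record strings against the baseline
# in the list above. All record values used here are constructed samples.
import re

ENFORCED = ("quarantine", "reject")

def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism, or None if absent."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term.lower())
        if m:
            return m.group(1) or "+"  # a bare "all" is "+all" (pass everything)
    return None  # note: redirect= modifiers are not followed here

def check_spf(record, sends_mail=True):
    q = spf_all_qualifier(record)
    if q is None:
        return "fail: no v=spf1 record with an 'all' mechanism"
    if not sends_mail:
        return "ok" if q == "-" else "fail: non-sending domain should publish -all"
    return "ok" if q in ("-", "~") else f"fail: '{q}all' is weaker than ~all"

def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def check_dmarc(record):
    tags = parse_dmarc(record)
    if tags.get("v") != "dmarc1":
        return "fail: not a DMARC record"
    p = tags.get("p")
    sp = tags.get("sp", p)  # subdomain policy falls back to p when sp is absent
    if p not in ENFORCED:
        return f"fail: p={p} is not at enforcement"
    if sp not in ENFORCED:
        return f"fail: sp={sp} leaves subdomains unenforced"
    if tags.get("pct", "100") != "100":  # assumption: pct<100 counts as an exception
        return "fail: pct below 100 exempts part of the mail stream"
    return "ok" if p == "reject" else "ok: quarantine accepted, reject preferred"

if __name__ == "__main__":
    print(check_spf("v=spf1 include:_spf.example.com ~all"))
    print(check_spf("v=spf1 ~all", sends_mail=False))
    print(check_dmarc("v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"))
```
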