DMARC Adoption among APAC’s Higher Education Sector


On the heels of our DMARC adoption research in Europe’s higher education sector, we’re taking a look to see how schools in the Asia Pacific (APAC) region are faring with their email security.

In this study, we surveyed the top colleges and universities in Australia, New Zealand, and APAC as a region based on faculty and staff counts. To conduct this research, we took the parent domains of the schools and sifted them through our tools to access the publicly available DMARC, SPF and DKIM records published in the DNS.

Colleges and universities are prime targets because of the volumes of personally identifiable information (PII), financial data, research records and intellectual property they hold. Their decentralized infrastructures, widespread network access, shadow IT and learning management systems create a huge attack surface, with email as the common interface.

Phishing and social engineering are common in these environments, especially as campus communities constantly change and may not receive consistent cybersecurity training. While IT departments work to raise awareness, lack of expertise and budget makes it challenging to maintain a strong security posture.

APAC Higher Education Phishing Scams

Deakin University, a highly rated public institution with 60,000 students, was hit by a two-wave phishing-smishing attack in 2022. Initially, an employee’s login credentials for the university’s third-party SMS service provider were stolen via a phishing exploit; consequently, thousands of student records were exposed and bad actors began a smishing campaign with student phone numbers. Phishing is often used to gain initial access to a network or system where subsequent exploits are then carried out.

DMARC Status of Top 500 APAC Institutions of Higher Education

[Chart: Top Higher Education DMARC adoption, Asia-Pacific]

As with other regions, APAC is no stranger to the threats of email abuse. We discovered that 77% of the top 500 higher education domains have malformed records or aren’t protected from being used as bait domains for phishing. On the other hand, almost a quarter of the domains have enforced DMARC policies of p=quarantine or p=reject.

Here’s the breakdown:

  • 38% have no DMARC record at all, leaving them open to phishing exploits.
  • 23% have a record at the p=none monitoring phase where no action is taken on failing emails but visibility is provided about email sources. These are wide open to exploits.
  • 16% have mistakes in their DNS records leaving domains exposed or without visibility.
  • 13% have a DMARC policy of p=quarantine. Under this policy, failing emails are delivered to spam folders; it is the step before the optimal p=reject policy.
  • 10% are at p=reject, the safe haven for domains where illegitimate emails aren’t even delivered to inboxes.
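
The five buckets above can be reproduced from the TXT answers for `_dmarc.<domain>`. The following is an added example, not dmarcian's tooling: the sample records and `.example` names are constructed, the parsing is a simplified reading of the DMARC record syntax, and treating multiple records, a missing semicolon or an invalid `p=` value as a "mistake" is an assumption about what the study counted.

```python
from collections import Counter

# Added example. Constructed TXT answers for _dmarc.<domain>; not survey data.
SAMPLES = {
    "uni-a.example": [],
    "uni-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example"],
    "uni-c.example": ["v=DMARC1; p=quarantine; pct=100"],
    "uni-d.example": ["v=DMARC1; p=reject"],
    "uni-e.example": ["v=DMARC1; p=rejct"],                       # typo in policy
    "uni-f.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # two records
    "uni-g.example": ["v=DMARC1 p=none"],                         # missing ';'
}
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none' into an ordered list of (tag, value) pairs."""
    tags = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    return tags

def classify_dmarc(txt_records):
    """Return 'no record', 'malformed', 'none', 'quarantine' or 'reject'."""
    if not txt_records:
        return "no record"
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return "malformed"            # nothing usable, or competing records
    try:
        tags = parse_tags(candidates[0])
    except ValueError:
        return "malformed"
    if tags[0] != ("v", "DMARC1"):    # v= must be the first tag, exactly DMARC1
        return "malformed"
    policy = dict(tags[1:]).get("p", "").lower()
    return policy if policy in POLICIES else "malformed"

def tally(samples):
    """Count domains per bucket, the way the breakdown above is reported."""
    return Counter(classify_dmarc(txt) for txt in samples.values())

if __name__ == "__main__":
    for bucket, count in tally(SAMPLES).most_common():
        print(f"{bucket:11} {count}")
```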

DMARC, SPF and DKIM Record Problems

At the time of publication, most of the problematic DNS records in the top 500 APAC higher education domains were associated with SPF. Some surpassed the 10 DNS lookup limit, while others had syntax errors, multiple SPF records or nonexistent records. While we’re proponents of DKIM-first authentication, the lack of an SPF record can cause delivery issues, increase the risk of spoofing and reduce domain security because sending IP addresses are not authenticated.
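
The four SPF problems named above (too many lookups, syntax errors, multiple records, nonexistent records) can be checked mechanically. This added example is not dmarcian's tooling: `ZONE` is a constructed in-memory stand-in for DNS TXT queries, the `.example` domains are invented, and SPF macros and the void-lookup limit are not handled.

```python
# Added example: audit SPF records for the four problems named above.
# ZONE is constructed sample data standing in for DNS TXT lookups.
LOOKUP = {"include", "a", "mx", "ptr", "exists"}   # each costs one DNS lookup
NO_LOOKUP = {"all", "ip4", "ip6"}

ZONE = {f"v{i}.example": ["v=spf1 a mx ip4:198.51.100.0/24 -all"] for i in range(4)}
ZONE.update({
    "uni-a.example": ["v=spf1 mx include:v0.example ip4:192.0.2.0/24 -all"],
    "uni-b.example": ["v=spf1 mx "
                      + " ".join(f"include:v{i}.example" for i in range(4)) + " ~all"],
    "uni-c.example": ["v=spf1 mx -all", "v=spf1 include:v1.example -all"],
    "uni-e.example": ["v=spf1 ipv4:192.0.2.1 -all"],
})

def count_lookups(domain, path=()):
    """Count lookup-causing terms, following include: and redirect= targets."""
    if domain in path:
        raise ValueError(f"{domain}: include loop")
    records = [t for t in ZONE.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        problem = "multiple SPF records" if records else "nonexistent record"
        raise ValueError(f"{domain}: {problem}")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")                    # drop the qualifier
        if "=" in term.split(":")[0]:                 # modifier (name=value)
            name, _, target = term.partition("=")
            if name != "redirect":
                continue                              # exp= and unknown modifiers are not counted
        else:                                         # mechanism (name[:target][/cidr])
            name, _, target = term.partition(":")
            name = name.split("/")[0]
            if name not in LOOKUP | NO_LOOKUP:
                raise ValueError(f"{domain}: syntax error at {term!r}")
        if name in LOOKUP or name == "redirect":
            total += 1
        if name in ("include", "redirect"):           # nested records count too
            total += count_lookups(target, path + (domain,))
    return total

def check_spf(domain):
    """Return 'ok' or a one-line description of the problem found."""
    try:
        used = count_lookups(domain)
    except ValueError as err:
        return str(err)
    return "ok" if used <= 10 else f"{domain}: {used} lookups, limit is 10"
```

The lookup count is cumulative across nested `include:` records, which is why a record that looks short at the parent domain can still exceed the limit.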


Check out our syntax guide to create accurate, aligned SPF records that lead to improved authentication, security and deliverability.


DMARC Status: Top 50 Australian Institutions of Higher Education

[Chart: Top Higher Education DMARC adoption, Australia]

Australia has a general data protection law that includes protections for student data privacy. The Privacy Act 1988, commonly known as the Privacy Act, “is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information in the federal public sector and in the private sector.”

Alongside legislation like Australia’s Privacy Act, DMARC is a foundational industry standard that shields sensitive information, prevents domain spoofing and direct-domain phishing, enables visibility and helps meet regulatory compliance requirements.

In the top 50 Australian higher education domains, again based on employee count, we see a promising outlook for DMARC adoption. Though 42% have mistakes or no protection from domain abuse, over half have instituted the DMARC enforcement policies of p=quarantine or p=reject.

One point of celebration with Australia’s top 50 higher education domains is that every single one of them has published a DMARC record: 100% of the domains are either protected from phishing exploits with DMARC or well on their way.

Here’s the summary:

  • 34% have a record at the p=none monitoring phase.
  • 8% have mistakes in their DNS records.
  • 26% have a DMARC policy of p=quarantine.
  • 32% are at p=reject, the gold standard of DMARC enforcement.

DMARC Status: Top 50 New Zealand Institutions of Higher Education

[Chart: Top Higher Education DMARC adoption, New Zealand]

As with Australia, a review of New Zealand’s top 50 higher education domains indicates an optimistic DMARC adoption outlook. Only 8% lack a DMARC record, which signals an awareness and willingness to lock down domains from phishing with DMARC. Forty percent have published enforcement policies, though 60% have work to do in advancing their protection from being used in phishing exploits.

The specifics:

  • 8% have no DMARC record.
  • 32% have a record at the p=none monitoring phase.
  • 20% have mistakes in their DNS records.
  • 24% have a DMARC policy of p=quarantine.
  • 16% have a DMARC policy of p=reject.

Email is a critical tool for communication, and is commonly targeted by cyber-attacks. It is hard to protect because email is historically insecure and subject to social engineering. Email authentication protects your email from impersonation attacks like spoofing and phishing; phishing and malware distribution attacks are common internet security threats. To avoid agency domains being used fraudulently (e.g. for spam or spear-phishing), the following should be implemented:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) records

New Zealand Information Security Manual

DMARC Policy Enforcement Comparison

[Chart: Higher Education Enforcement, APAC]

With student populations often in the thousands, and employee numbers frequently matching, the higher education sector faces uniquely complex challenges with their DMARC implementations. They typically manage a high number of domains and email sending services, surpassing the complexity of your typical enterprise.

IT teams are often unsure about which departments use specific email services, complicating the DMARC implementation effort. An effective DMARC management solution is essential in these cases. Our experts at dmarcian simplify these complex tasks with proven expertise and a strong track record supporting numerous educational institutions through our professional services.

Although the number of institutions with a p=reject policy remains relatively low, it is encouraging to observe many institutions across Australia and New Zealand implementing at least a basic DMARC record. Even at a p=none policy, the insights gained through DMARC reporting provide valuable visibility and represent an important step forward in the right direction.

We unfortunately can’t say the same when we take a step back and look at the APAC region as a whole where there is still a lack of understanding or awareness in many of these countries.

—Tass Kalfoglou, Director of dmarcian APAC Business Unit

How DMARC and dmarcian can help higher education secure email domains and fight phishing

dmarcian is here to help Australia, New Zealand and other Asia-Pacific schools

With a team of email security experts and a mission of making email and the internet more trustworthy through email security, dmarcian and our partners help academic institutions reach DMARC enforcement. We’re people helping people secure their domains from phishing and manage their email security for the long haul.

