With email attacks contributing to billions of lost dollars each year, a growing number of organizations are adopting Domain-based Message Authentication, Reporting & Conformance (DMARC) in an effort to protect themselves and their customers from fraudsters. Adoption of DMARC has steadily gained traction since the onset of the pandemic, and the original email authentication protocols at the heart of it continue to prove extremely effective at stopping billions of email attacks from ever reaching their targets.
But that’s only when it’s done right. Unfortunately, there are a number of myths about DMARC that could hinder deployments and undermine efforts to thwart attacks. Let’s debunk five of the most prevalent:
Myth #1: I Can Easily Deploy DMARC Myself
Makes sense, right? After all to get started, all you need to do is publish a DMARC record to your DNS, and then you’ll receive immediate visibility into your email sending environment. In addition to reporting, DMARC also acts as the policy layer for email authentication technologies already widely in use, including Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). Visibility, reporting, and policy enforcement all with a simple DNS record seems pretty easy, and in fact it can be…but the devil is in the details.
NO...The Truth Is You Need Expertise in Email Security
DMARC reports (in the form of raw XML files) can be difficult to parse and more importantly, difficult to correlate the sending IP addresses with the actual organizations that are sending emails on your behalf. Most organizations are surprised to discover the complexity of their email ecosystem and how cumbersome it can be, as well as a drain on manpower, if you try to tackle it in-house—especially if your organization owns thousands of domains across multiple geographies, as well as hired countless third-party or contracted vendors that reside outside.
Before any policy actions can be implemented, you first have to authenticate your email with SPF and DKIM, so knowing who to contact at which email service provider is a necessary first step in implementing DMARC. Although this can often be the hardest step, using a full-service solution like Agari Brand Protection to map sending IP addresses to the email service provider(s) sending on your behalf makes this easy to determine, so you can take the next steps in protecting those third-party partners.
Myth #2: DMARC Prevents All Email Attacks
When configured correctly, DMARC enables receivers—whether webmail providers or secure email gateways with DMARC support—to detect deceptive emails sent by attackers spoofing the domains owned by the organization. That’s true no matter who the intended target may be, correct?
NO...The Truth Is Phishing & Spoofing Capabilities Are Getting More and More Sophisticated
When configured properly, DMARC stops phishing attacks that appear to originate from trusted domains, making it ideal for outbound phishing protection because the organization sending the email controls its implementation, but it can also mitigate certain threats found in inbound traffic as part of a multi-layered approach to email security. For example, in spear phishing attacks, of which more than 80% leverage Display Name Imposters (DNI), DMARC provides no defense. Similarly, DMARC doesn’t protect against lookalike domain spoofs or compromised accounts either; thus, additional protection is needed to prevent phishing emails from hitting the inbox.
Myth #3: Simply Establishing a DMARC Record Means You're Protected
The good news is that by the end of 2021, DMARC was supported by more than 5 billion email inboxes worldwide to detect identity-based fraudulent email attacks, and more have joined these ranks since. By establishing a DMARC record, email senders can help receivers spot spam that’s impersonating an organization known to be DMARC-protected. So, aren’t you good to go?
NO...The Truth Is That's Only the First Step in Mitigating Your Risk of Being Targeted
While a DMARC record enables senders and receivers to exchange data that can help them spot scams, it does nothing to enforce any policies on its own. For that, organizations must specify in their record whether unauthenticated emails should be quarantined in a Junk folder, or rejected outright. The bad news is that even in 2021, most organizations had a DMARC policy of p=none, including 37% of the Fortune 500. In fact, of the top organizations in the United States, only 34% are completely protected with a policy of p=reject. Remember, DMARC is both a reporting standard as well as a policy enforcement standard. Visibility is a great first step to understanding your email sending environment, but enforcement needs to immediately follow to ultimately protect your organization and your brand.
Myth #4: DMARC is Only Needed for Domains That Send Email
With DMARC properly set up and appropriate enforcement policies activated for the domains from which they send email, organizations have everything they need to effectively monitor email and make informed security decisions, correct?
NO...The Truth Is It's Needed on ALL of Your Domains for Complete Defense
Any domain can be impersonated, so it's not just a matter of locking down the domains that currently send email. Every domain you own should be protected by DMARC to make sure your email receivers can assess whether incoming messages purporting to come from any of your domains are authentic. Brand protection that only covers some domains isn’t really brand protection at all, as the attackers will quickly move to other domains that look or sound like yours. And while many businesses register many “defensive domains” to eliminate as many close-cousins as possible, unless they have a brand protection solution like Agari's, it’s nearly impossible to secure an infinite number of domain possibilities.
Myth #5: DMARC is All You Need to Be Protected
DMARC is awesome— you get your domains locked down, set your policies, and then relish in a drop-the-mic moment, right?
NO...The Truth Is DMARC Is Just the BEGINNING
After setting up DMARC, how will you ensure enforcement throughout the email ecosystem? What happens if your marketing team signs up another vendor to send email on your behalf? What if somebody registers a new domain or subdomain as part of a new email marketing campaign? How will you use data from all of your email streams to gain visibility into fraud tactics and fight active threats as they emerge? If “eternal vigilance is the price of liberty” then continuous monitoring of your email ecosystem is the price to pay for a 100% safe and secure email environment and overall brand. Fortunately, Agari has been in this market longer than any other vendor in email security solutions and was one of 15 key participants in creating the DMARC standard back in 2012, as is evident in our proven track record of success with many of the world’s largest brands.
Myth-busting aside, it’s unclear how many organizations will use DMARC to its full potential. Still, when you consider that 94% of successful breaches start with email, as presented in Verizon Business’ 2021 Data Breach Investigations Report, we should all hope a growing number of email users decide that doing DMARC right is worth it.