Email Security Blog

5 Big Myths about DMARC, Debunked

Jacob Rideout September 16, 2019 DMARC

With email attacks contributing to billions of lost dollars each year, a growing number of organizations are adopting Domain-based Message Authentication, Reporting & Conformance (DMARC) in an effort to protect themselves and their customers from fraudsters.

Adoption of DMARC has steadily gained traction, and more than 70% of all email inboxes worldwide support this standard for detecting identity-based fraudulent email attacks. The email authentication protocols at the heart of DMARC, first introduced in 2012, have proven extremely effective at stopping billions of email attacks from ever reaching their targets.

But that’s only when it’s done right. Unfortunately, there are a number of myths about DMARC that could hinder deployments and undermine efforts to thwart attacks. Let’s debunk five of the most prevalent:

Myth #1: Deploying DMARC is Easy

Makes sense, right? After all, getting started with DMARC only requires publishing a DMARC record to your DNS, after which you receive immediate visibility into your email sending environment. In addition to reporting, DMARC also acts as the policy layer for email authentication technologies already widely in use, including Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Visibility, reporting, and policy enforcement all with a simple DNS record seems pretty easy, and in fact it can be… but the devil is in the details.

The Truth

DMARC reports (in the form of raw XML) can be difficult to parse and, more importantly, it is difficult to correlate sending IP addresses with the actual organizations that send on your behalf. Most organizations are surprised to discover how complex their email ecosystem is—especially those with thousands of domains across multiple geographies and countless third-party partners. And because your email has to be authenticated with SPF and DKIM before any policy action can be enforced, knowing whom to contact at which email service provider is the necessary first step in implementing DMARC. This is often the hardest step, which is why Email Cloud Intelligence in Agari Brand Protection maps sending IP addresses to the email service provider sending on your behalf. With this feature, it’s easy to determine who is sending email so you can take the next steps with those third-party providers.
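To make the parsing and correlation problem concrete, here is an added example (not code from the post or from Agari) that reads one DMARC aggregate report, totals aligned versus unaligned mail per sending IP, and separates sources that authenticated as some other domain (a vendor to bring into alignment) from sources that authenticated as nothing at all. The report text is constructed in the RFC 7489 Appendix C layout with documentation IP ranges and reserved example domains; the `classify_sources` labels are this example's own.

```python
"""Summarize a DMARC aggregate (RUA) report and sort sending IPs by what to do next.

Added example, not code from the original post or from Agari. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C layout using documentation IP
ranges and reserved example domains.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-001</report_id>
    <date_range><begin>1568592000</begin><end>1568678400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- our own mail server: SPF and DKIM both pass and align with the From domain -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a vendor sending for us: SPF passes for its own domain, so it does not align, and no DKIM -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- an unknown source forging our domain outright: nothing authenticates -->
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, one dict per <record>).

    ElementTree suits reports from receivers you trust; parse reports pulled
    from an arbitrary mailbox with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {tag: pub.findtext(tag) for tag in ("domain", "p", "sp", "pct")}
    records = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # Domains that authenticated at all, whether or not they align with header_from
        authed = {rec.findtext(f"auth_results/{m}/domain") for m in ("spf", "dkim")
                  if rec.findtext(f"auth_results/{m}/result") == "pass"}
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # The aligned results are what DMARC actually decides on
            "aligned": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            "auth_domains": authed - {None},
        })
    return policy, records


def summarize_by_source(records):
    """Per sending IP: aligned vs unaligned message totals and authenticated domains."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "auth_domains": set()})
    for r in records:
        entry = summary[r["source_ip"]]
        entry["pass" if r["aligned"] else "fail"] += r["count"]
        entry["auth_domains"] |= r["auth_domains"]
    return dict(summary)


def classify_sources(summary, owned_domains):
    """Failing IPs that authenticated as another domain are most likely a vendor to
    bring into alignment; failing IPs that authenticated as nothing are what an
    enforcement policy exists to block."""
    kinds = {}
    for ip, entry in summary.items():
        if entry["fail"] == 0:
            kinds[ip] = "aligned"
        elif entry["auth_domains"] - set(owned_domains):
            kinds[ip] = "unaligned third party"
        else:
            kinds[ip] = "unknown"
    return kinds


if __name__ == "__main__":
    policy, records = parse_report(SAMPLE_REPORT)
    print(f"published policy for {policy['domain']}: p={policy['p']}")
    summary = summarize_by_source(records)
    for ip, kind in classify_sources(summary, {"example.com"}).items():
        print(f"{ip:<15} pass={summary[ip]['pass']:>4} fail={summary[ip]['fail']:>4}  {kind}")
```

The "unaligned third party" bucket is the one the post is talking about: the raw `auth_results` block tells you which domain the vendor authenticated as, which is your starting point for finding out who they are, while mapping the bare IP to a provider still takes an external source.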

Myth #2: DMARC Prevents All Email Attacks

When configured correctly, DMARC enables receivers—either webmail providers or secure email gateways with DMARC support—to detect deceptive emails sent by attackers spoofing the domains owned by the organization. That’s true no matter who the intended target may be, correct?

The Truth

When configured properly, DMARC stops phishing attacks that appear to originate from trusted domains. That makes it ideal for outbound phishing protection, because the organization sending the email controls its implementation. It can also mitigate certain threats found in inbound traffic, at least as part of a multi-layered approach to email security. However, based on multiple independent studies, the share of attacks that use “owned domain spoofing” as a vector is in the low double digits as a percentage, and it is decreasing. More than 80% of spear phishing attacks rely on Display Name Imposters (DNI), impersonating either a brand or an individual, and DMARC provides no defense against that. Additionally, DMARC doesn’t protect against look-alike domain spoofs or compromised accounts. In all of these cases, additional protection is needed to keep phishing emails out of the inbox.

Myth #3: Establishing a DMARC Record Means You’re Protected

The good news is that DMARC is supported by 2.5 billion email boxes worldwide, and more are joining these ranks every day. By establishing a DMARC record, email senders can help receivers spot spam that’s impersonating an organization known to be DMARC protected. So aren’t you good to go?

The Truth

Not quite. Yes, a DMARC record enables senders and receivers to exchange data that can help them spot scams. But on its own it does nothing to enforce any policy. For that, organizations must specify in their record whether unauthenticated emails should be quarantined in a junk folder or rejected outright. The bad news is that most organizations have a DMARC policy of p=none, including 44% of the Fortune 500. In fact, of the top organizations in the United States, only 12% are completely protected with a policy of p=reject. Remember, DMARC is both a reporting standard and a policy enforcement standard. Visibility is a great first step toward understanding your email sending environment, but enforcement needs to follow quickly to ultimately protect your organization and your brand.

Myth #4: DMARC is Only Needed for Domains That Send Email

With DMARC properly set and appropriate enforcement policies activated for the domains from which they send email, organizations have everything they need to effectively monitor email and make informed security decisions, correct?

The Truth

Any domain can be impersonated, so it is not just a matter of locking down the domains that currently send email. Every domain you own should be protected by DMARC to make sure email receivers can assess whether incoming messages purporting to come from any of your domains are authentic. Brand protection that only covers some domains isn’t really brand protection at all, as the attackers will quickly move to other domains that look or sound like you.
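For Myth #3 (a record is not enforcement) and Myth #4 (every domain, sending or not, needs one), here is an added example (not code from the post or from Agari) that parses a published DMARC TXT record and reports whether it actually enforces anything. The four records in `SAMPLE_RECORDS` are constructed; in practice each comes from DNS (`dig TXT _dmarc.<domain>`).

```python
"""Assess a DMARC TXT record for real enforcement, including non-sending domains.

Added example, not code from the original post or from Agari. SAMPLE_RECORDS
is constructed; the records for a real domain live at _dmarc.<domain> in DNS.
"""

# domain -> (TXT record as published, does this domain legitimately send mail?)
SAMPLE_RECORDS = {
    "example.com": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", True),
    "mail.example.com": ("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com", True),
    "example.net": ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com", False),
    "parked.example.org": ("", False),   # no record published at all
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record, sends_mail=True):
    """Return the effective policy plus a list of findings a reviewer would raise."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "enforced": False,
                "findings": ["no usable DMARC record: receivers treat the domain as unprotected"]}
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    findings = []
    if p == "none":
        findings.append("p=none: reporting only, mail that fails DMARC is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains are left out of the enforcement policy")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so no visibility")
    if not sends_mail and p != "reject":
        findings.append("domain sends no mail: nothing legitimate to lose, publish p=reject")
    enforced = p in ("quarantine", "reject") and pct == 100
    return {"valid": True, "p": p, "sp": sp, "pct": pct, "enforced": enforced, "findings": findings}


def assess_all(records=SAMPLE_RECORDS):
    return {domain: assess_dmarc(txt, sends) for domain, (txt, sends) in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        state = "ENFORCED" if result["enforced"] else "not enforced"
        print(f"{domain:<20} {state}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The non-sending domain is the simplest case to fix: with no legitimate mail to lose, it can go straight to p=reject (commonly paired with an SPF record of `v=spf1 -all`), which is why the post says every owned domain, not just the ones that send, belongs under DMARC.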

Myth #5: DMARC is All You Need

DMARC is awesome: Get your domains locked down, set your policies, and enjoy a drop-the-mic moment, right?

The Truth

Setting up DMARC is just the beginning. How will you ensure enforcement throughout the email ecosystem? What happens if your marketing team signs up another vendor to send email on your behalf? What if somebody registers a new domain or sub-domain as part of a new email marketing campaign? How will you use data from all your email streams to gain visibility into fraud tactics and fight active threats as they emerge? If “eternal vigilance is the price of liberty” then continuous monitoring of your email ecosystem is the price of a 100% safe and secure brand. Fortunately Agari has been in this market longer than any other vendor and our track record of success with the world’s largest brands proves we are the best at it.

Myth-busting aside, it’s unclear how many organizations will use DMARC to its full potential. Still, when you consider that 94% of successful breaches start with email, we should all hope a growing number decide that doing DMARC right is worth it.

To learn more about how DMARC works as well as best practices for implementation, download the Getting Started with DMARC Guide.
