The reality of email is that cybercriminals can use almost any brand or email domain to send spam, phishing emails, and malware, inflicting direct losses on customers and eroding the brand equity companies have spent years building up. The solution is DMARC, which allows companies to understand all the different mail streams being sent under their name and to prevent the malicious ones from reaching consumer inboxes.

Read “Getting Started with DMARC” now for:

  • An overview of what DMARC does and how it works
  • A closer look at security standards including SPF, DKIM, and DMARC
  • DMARC implementation steps, best practices, and common challenges
  • Real-world data on phishing attacks before and after DMARC adoption

The Numbers Today
DMARC Adoption Worldwide

The Good News
Strong Consumer Mailbox Adoption

The Bad News
Poor Adoption and Enforcement by Large Organizations

Fortune 500 Adoption Rate and Enforcement Status by Industry

Organizations With No DMARC Policy 

The Challenge to Implementing DMARC
What Makes DMARC Implementation Hard

Poor Visibility 

Most companies don’t realize how complex their email ecosystem is until they begin getting aggregate data from DMARC reporting. Standard reporting comes in the form of individual XML files that specify domain names, IP addresses, and authentication details.

While many tools can parse and visualize this data, making sense of the stream and understanding what subsequent actions to take to improve the authentication status of domains is very difficult and error prone, requiring a deep understanding of email flows.

Discovering and Authorizing Third-Party Senders 

The most challenging step of the DMARC journey is understanding all third-party senders and ensuring that legitimate senders are authenticating properly. On average, 64% of customers' legitimate emails are sent through third parties such as Salesforce, Marketo, or MailChimp.

The Cost of “Doing it Wrong” 

Despite the emergence of new messaging platforms, email continues to be the most critical vehicle for communication and digital engagement for organizations. Incorrectly configuring authentication can lead to false positives, deliverability issues, and brand damage.

Taking the final step to a p=reject policy can be a daunting prospect if the business impact of undeliverable email is unknown or cannot be predicted.

The Decision
Selecting the Right Vendor

Not all DMARC implementation solutions are created equal, and it can be difficult to interpret some of the marketing claims made by vendors.

In simple terms, there are four main things organizations should look for when evaluating which DMARC partner to use.

1. Proven Scale and Reject Enforcement at the Largest Enterprises 

Anything less than an enforcement policy (quarantine or reject) opens the door for cybercriminals to conduct email phishing attacks using your brand to exploit your customers. This is the key business outcome to keep in your sights.

Beware of vendors making promises that guarantee an enforcement policy in a specific number of days.

The reality is that email authentication ties directly to an organization’s critical business processes. The process is sometimes simple, sometimes complex, and it cannot be outsourced completely to a third-party vendor.

What to Ask Vendors: 

  • How long have you been focused on DMARC implementation?
  • Did you acquire a tool to meet a product gap?
  • What’s the largest environment (number of domains) that you’ve brought to Reject?

2. Automated Discovery and Visualization of Third-Party Senders 

Understanding the third-party senders and cloud services sending on your behalf and ensuring legitimate services are properly authenticated are the biggest challenges of achieving DMARC enforcement. This is an essential capability to track sender-level authentication progress and monitor new senders. You should not compromise in this area.

What to Ask Vendors: 

  • Can you automatically generate a visual display (not just IP addresses) of all senders emailing on my behalf?
  • How do you discover and validate the senders?

3. Adherence to Email Authentication Best Practices with No Vendor Lock-in 

DMARC is an open standard developed by pioneers in the email space. Vendors who introduce non-standard approaches and configurations do a disservice to their customers, who will have difficulty migrating off the proprietary system if the need arises.

What to Ask Vendors: 

  • What non-standard approaches do you use for maintaining SPF records?
  • If I move to another vendor to drive my authentication roadmap, how can I migrate the customized settings?
  • How is your environment protected from attacks?

4. Support for Enterprise-Class Features 

Mature vendors with a proven track record serving the needs of large enterprise and government customers will have the right mix of features and capabilities around reporting, forensics, and ecosystem integration.

What to Ask Vendors: 

  • Describe the ad-hoc executive-level reports you can create. Can you schedule and share reports in CSV and PDF format?
  • Do you support role-based and domain-based access control that can map to my organization’s process?
  • Do you support single sign-on (SSO) access to the application?

