DMARC: It’s a Worthy Journey
In 2018, the company’s security leaders recognized it had a gap that put its brand reputation and customer relationships at risk. Without a DMARC policy in place at p=reject, any scammer could usurp the brand and send thousands of emails in its name. And with email scams that were financially motivated, the risk to customers was real.
The team knew that the DMARC record needed to be at p=reject as quickly as possible. While it was possible to create a DMARC record at a p=none policy, they knew that it would do nothing to actually stop the spoofing. They needed to truly ensure authentication, before their customers were tricked by a fake email from their real domain.
“Our company has a very complex email infrastructure,” said the Head of Email Security. “Our priority was to protect our primary email domains, as well as defensive domains, and make sure that the disparate group of senders who email on our behalf were protected too.”
"The answers Agari gave me about how we would get to p=reject on an aggressive timeline gave me confidence that they were the right choice to work with on this effort."
Finding the Right Vendor
As the company moved forward with DMARC implementation, it was important to find a vendor who could enforce authentication across all 40 domains to deliver a rejection policy within six months, effortlessly handle large volumes of external senders, identify lookalike domains, and be able to advance to BIMI implementation quickly following the DMARC project.
The company also prioritized the fresh threat intelligence each vendor could provide so that the information security team could stay abreast of changes to the rapidly shifting threat landscape. From the inception of the DMARC project, the company identified three potential partners during their research, where down-selection occurred rapidly.
“When I got involved in the selection process, it had been slimmed down to two potential vendors,” the Head of Collaborative Services, IT Operations, explained. “Both were on equal footing from a capabilities standpoint. We had a very aggressive timeline to get all of our domains to p=reject—missing the timeline was not an option” “Agari clearly demonstrated superiority due to its experience working with global enterprises, its methodology for mobilizing teams, and its processes for collaborating with the internal information security team to make this implementation a success. That’s why we chose Agari Brand Protection,” stated the Head of Collaboration Services.
Success and Immediate Impact
Agari’s experience in working with global, enterprise-sized companies with complex email infrastructures drove the required efficiencies and delivered an early win. The project beat the aggressive timeline of six months, wrapping up at p=reject in five months and two days.
Despite the large number of domains, no issues arose during the implementation. The Head of Email Security stated, “There were no issues. The planning, the testing, and the experienced Agari leadership made it very successful and nothing went wrong. We had a big celebration at the end. The implementation was outstanding.”
As a result of implementing DMARC, the company’s email security posture has become a strategic differentiator in the marketplace. Its customers, who are referred to as sponsors, recognize its strong security posture. “Oftentimes we are managing our sponsors’ patients’ data. So our security practices have to be beyond world-class,” the Head of Collaboration Services said. “When our sponsors know we’re working with category-leading partners like Agari, it gives them confidence that they can trust our entire company.”