The quality of mercy is not
It droppeth as the gentle rain from heaven
Upon the place beneath. It is twice blest:
It blesseth him that gives and him that takes.
William Shakespeare – The Merchant of Venice
DMARC, if you have spent the time to understand it, looks very simple.
It can easily be defined as a public statement of policy by an email domain owner as to when an email sent from that domain should be rejected.
Simple, right? Well, in theory, yes, but in practice it seems companies are finding it much harder than it needs to be.
In fact, this perceived difficulty in implementing DMARC has led to some disappointing adoption rates. Our own survey in 2018 showed that of 479 retailers only 22% had a DMARC record in place, up from 14% the year before, and of that 22% only 10% had got to a full Reject status.
That said, the rates in banking or legal are much higher, but then so is the risk in those markets.
However, when done properly in a business-to-business environment, DMARC delivers great gains to both the sender and the receiver.
The quality of the email is not
DNS policy droppeth as
gentle rain from the CLOUD
Upon the gateway beneath. It is twice blessed:
It blesseth him that sends and him that receives.
Grant Revan – This blog
I can hear the Shakespeare fans out there groaning at this point, and I’m sorry for plagiarising the Bard, but it seemed the perfect way to highlight the two ways you can harness DMARC to protect your business and your brand. You can do either in any order but for full protection you need to do both.
Step 1. Turn on DMARC for your own email gateways
This simple setting, defaulted to “on” for Microsoft Office 365 and G Suite, tells your email gateway to respect the published DMARC policy of any sending email domain. For a mail administrator this is a 2-minute job. (Microsoft and Google believe DMARC has so much value that they don’t really give you a choice.)
Step 2. Publish your own DMARC record
Now it’s time to publish your own DMARC record so that anyone else who has also turned on DMARC for their gateway is protected.
Many of the initial adopters of DMARC who published a DMARC policy at Reject (Step 2) did so to protect their brand. They were just trying to prevent their email domain being associated with spam, typically emails trying to sell blue pills or lottery tickets sent by spammers who knew that using a well-known brand’s domain would boost delivery and open rates. These early adopters were, in essence, trying to shield the end recipient from a stream of fake, nuisance and sometimes malicious email and although these messages were clearly not being sent by the brand owner it still hurt their reputation – both from a brand and email deliverability perspective. Fake email was dragging down the deliverability rates on their real email.
Those early adopters also quickly realised a bonus benefit of DMARC. If they then turned on DMARC for their inbound corporate mail (Step 1, in addition to Step 2 already completed) they were immediately protected from the most damaging kind of malicious email: messages that spoofed their own domain with the aim of fooling their own employees. This is sometimes called CEO/CFO fraud and is the cause of a lot of boardroom headaches when the Accounts department mistakenly pays a fake invoice because it appeared to come from an angry and stressed CEO.
At this point some organisations think “I have taken both steps; my job is done, my email domains are secure”. But wait a moment: he that sends also receives, and you’re part of a supply chain where you both send and receive email. So unless your supply chain partners also carry out BOTH Steps 1 and 2 for their own email domains and systems, you are still open to an attack. The hackers can send you a fake email with an invoice from one of your suppliers that you might pay – and would the fault lie with them or with you for paying it?
Step 3. Mandate that all your supply chain adopt DMARC
You can make this part of your terms and conditions of business and in doing so reduce your risk.
If you do nothing else, turn on DMARC on your inbound gateway (Step 1). For minimal effort, you will immediately benefit from the fact that any threats trying to use a domain already protected by a DMARC policy will get blocked. For example, phishing emails aimed at getting users to divulge login details for corporate AMEX or VISA credit cards, both of which brands are DMARC protected, won’t get through.
Next, seriously look into DMARC and speak to us about your DMARC journey; our value is in helping you to do this right first time, quickly and with the minimum of fuss. Launching into DMARC without proper planning is dangerous: set your policy to reject while your legitimate senders aren’t correctly configured and you’ll end up creating your own denial of service attack across all your domains. However, a quick win can be to lock down your non-sending domains and deny these legitimate domains to the bad guys.
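To make the policy statement in Step 2 and the survey buckets above concrete, here is an added example (not code from this blog or its authors) that parses DMARC TXT records, works out the policy a receiving gateway would enforce, classifies each domain the way the survey does (no record / record published / full Reject), and builds the lock-down record for a non-sending domain. The domain names and records are constructed samples; a real check would look up the TXT record at _dmarc.<domain>.

```python
# Constructed sample records (not from the blog), keyed by publishing domain.
SAMPLE_RECORDS = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": "v=DMARC1; p=quarantine; pct=50; sp=reject",
    "retailer-d.example": "v=spf1 -all",  # SPF only: no DMARC record at all
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # 'v=DMARC1' and a 'p' tag are mandatory
    return tags

def effective_policy(tags, subdomain=False):
    """Policy a receiver applies to mail that fails DMARC. 'sp' overrides 'p'
    for subdomains; 'pct' below 100 means only that share of failing mail is
    subject to the policy (the rest is treated one level more leniently)."""
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return policy.lower(), int(tags.get("pct", "100"))

def classify(txt):
    """Bucket a domain as the survey does: no record, record published,
    or full Reject (p=reject applied to 100% of failing mail)."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no DMARC record"
    policy, pct = effective_policy(tags)
    if policy == "reject" and pct == 100:
        return "full reject"
    return f"record published (p={policy}, pct={pct})"

def lockdown_record(report_address):
    """The 'quick win' record for a domain that never sends mail: reject
    everything, subdomains included, and still collect aggregate reports."""
    return f"v=DMARC1; p=reject; sp=reject; rua=mailto:{report_address}"

def survey(records):
    """Return (domains checked, with a DMARC record, at full Reject)."""
    classes = [classify(txt) for txt in records.values()]
    return (len(classes),
            sum(c != "no DMARC record" for c in classes),
            sum(c == "full reject" for c in classes))

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(txt)}")
    print("total / with record / full reject:", survey(SAMPLE_RECORDS))
```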
Finally, once you’re there, get your supply chain to embrace DMARC and lock trust into your email eco-system – whether sending or receiving. Be twice blessed.