DMARC is a widely supported, standards-based approach to email security. That statement can also cause confusion, because it suggests that organisations get it by default. In this post we look at what it really means to 'have' DMARC.
DMARC is a widely adopted security standard that provides protocol-level protection. But what does that mean for you? Do you automatically have it? Maybe you have heard that Microsoft, Google or your Cisco appliance supports DMARC, so do you, as a business, need to do anything at all? Don't you just 'have' DMARC?
Well, not quite.
The DMARC standard has two parts: one for receivers and one for sending domains. The widely supported part is the receiving side; practically all large mail receivers, such as Microsoft, Google and Yahoo, implement it. The sending side, where the domain owner publishes a policy for those receivers to evaluate, is the part nobody does for you.
You can think about it in terms of HTTPS, the padlock that you see on all good web properties. Your browser supports it, but if your bank does not enable it on its site, it provides no benefit when you use your browser to access your account details.
To turn on DMARC for your organisation, you have to advertise that you are ready for it by publishing a DMARC record in your DNS (a TXT record at _dmarc.yourdomain). This is the only way to turn on DMARC for your email, because that record is what all the mail receivers around the world look up today. It is also what tools like our DMARC checker read to test your current configuration.
So you find a DMARC generator online, follow the recommendations and modify your DNS with the appropriate incantations. Now you have a magic piece of text that looks a little like:
v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; sp=none; ri=86400
… advertising to the world that you have adopted DMARC. Surely you have it now!
Well, not quite.
Your inbox at email@example.com will now be flooded by mail servers all around the world with aggregate reports on traffic claiming to come from mydomain.com, yet you have not actually asked those servers to do much with your chosen DMARC record. All the attacks that DMARC is supposed to protect against are still going through.
You are however in a fairly common situation. Of the 52,000 domains that advertise DMARC today, two thirds are stuck in this state. You have logs, but logs do not authenticate your email or stop impersonation. In the DMARC record, the decisive tag is p=none: you are advertising a policy that tells receivers to take no action when mail claiming to be from you fails authentication, apart from reporting it back to you. It is like a firewall that allows all traffic in and out but gives you a log of the activity.
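To make concrete what a record is actually telling receivers, here is an added example (not code from the original post or from OnDMARC) that parses a DMARC record the way a checker would and reports the effective policy together with the gaps a practitioner would want flagged. The records it tests are constructed, the mailbox addresses are placeholders, and the tag rules follow RFC 7489 section 6.3.

```python
"""Parse a DMARC TXT record and say what it actually asks receivers to do.

Added example, not code from the original post. The sample records are
constructed and the rua/ruf mailboxes are placeholders.
"""

POLICY_VALUES = {"none", "quarantine", "reject"}
ALIGNMENT_VALUES = {"r", "s"}

# The record from the post, placeholder report addresses included.
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:email@example.com; "
               "ruf=mailto:firstname.lastname@example.org; sp=none; ri=86400")


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    parts = [p.strip() for p in txt.split(";")]
    # v=DMARC1 must be the first tag and must match exactly (RFC 7489 6.3).
    if parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed tag: %r" % part)
        name = name.strip().lower()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = value.strip()
    if "p" not in tags:
        raise ValueError("p tag is required")
    return tags


def assess(txt):
    """Return the effective policy plus the warnings a checker should raise."""
    tags = parse_dmarc_record(txt)
    warnings = []

    p = tags["p"].lower()
    if p not in POLICY_VALUES:
        raise ValueError("invalid p value: %s" % tags["p"])
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if sp not in POLICY_VALUES:
        raise ValueError("invalid sp value: %s" % tags["sp"])
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT_VALUES:
            raise ValueError("invalid %s value: %s" % (tag, tags[tag]))
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")

    # RFC 7489 only defines mailto: report URIs; anything else is wasted.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                warnings.append("%s URI %r is not mailto:" % (tag, uri))

    enforcing = p != "none"
    if not enforcing:
        warnings.append("p=none: receivers only report, spoofed mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua: you will get no aggregate reports to work from")
    if enforcing and sp == "none":
        warnings.append("sp=none: subdomains of this domain can still be spoofed")
    if enforcing and pct < 100:
        # Unsampled failing mail gets the next weaker policy (RFC 7489 6.6.4).
        weaker = "quarantine" if p == "reject" else "none"
        warnings.append("pct=%d: the other %d%% of failing mail is treated as %s"
                        % (pct, 100 - pct, weaker))

    return {"policy": p, "subdomain_policy": sp, "pct": pct,
            "enforcing": enforcing, "warnings": warnings}


if __name__ == "__main__":
    for record in (PAGE_RECORD,
                   "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com"):
        result = assess(record)
        print(record)
        print("  enforcing:", result["enforcing"])
        for w in result["warnings"]:
            print("  warning:", w)
```

Run against the post's own record this reports enforcing: False with the p=none warning; against the second constructed record it reports enforcing but warns that sp=none leaves subdomains exposed and that pct=50 quarantines rather than rejects half of the failing mail. Resolving the record from DNS is deliberately left out so the example runs offline; a real checker would fetch the TXT record at _dmarc.<domain> first.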
To really benefit from all the internet infrastructure that already exists around you, you need to move to an enforcing policy, i.e. p=reject (p=quarantine exists as an intermediate step). While you could just turn it on with a simple edit to the record, most likely some of your legitimate email will stop arriving and you will rapidly jump back to p=none. This is because all those vaguely anecdotal delivery problems you may have heard about, marketing email that gets low deliverability scores, proposals that went to spam and so on, suddenly become hard failures. In your post-DMARC existence there is no leeway: any message that claims to be from your domain and fails to authenticate is rejected outright.
This is the real task at hand, and an inbox full of XML attachments will not get you far. Hidden amongst millions of DMARC data points, any one of those reports could contain a critical piece of your infrastructure, or a third-party service sending on your behalf, that is failing to authenticate and will not get through once you enforce.
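As an added example of what sifting those reports involves (not the post's or OnDMARC's code), the script below parses a constructed aggregate report in the RFC 7489 Appendix C format and lists the sources that failed DMARC, largest first, with the reason each one failed. The IPs, counts, the receiver name and the invoicing-saas.example domain are made up; mydomain.com is the domain from the post.

```python
"""Find the sources that fail DMARC in an aggregate (rua) report.

Added example, not code from the original post. The report below is a
constructed document in the RFC 7489 Appendix C layout; real reports arrive
as gzip or zip attachments, which this example skips so it runs offline.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- corporate mail gateway: SPF and DKIM both aligned, passes -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>mydomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- invoicing SaaS sending as us: SPF passes for its own envelope domain,
       which is not aligned with From, and it does not sign with DKIM -->
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>invoicing-saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host spoofing the domain outright -->
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mydomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    """Text of the first element at path, or default if absent or empty."""
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize(xml_text):
    """One entry per <record>: source, volume, DMARC verdict and failure reasons."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        header_from = _text(rec, "identifiers/header_from")
        # policy_evaluated carries the *aligned* results; DMARC passes if either does.
        dkim_ok = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_ok = _text(rec, "row/policy_evaluated/spf") == "pass"
        reasons = []
        if not (dkim_ok or spf_ok):
            dkim = rec.find("auth_results/dkim")
            reasons.append("no DKIM signature" if dkim is None else
                           "DKIM %s for d=%s" % (_text(dkim, "result"), _text(dkim, "domain")))
            spf = rec.find("auth_results/spf")
            if spf is None:
                reasons.append("no SPF result")
            elif _text(spf, "result") == "pass" and _text(spf, "domain") != header_from:
                # The classic third-party failure: raw SPF passes for the service's
                # own envelope domain, but the receiver judged it unaligned with From.
                reasons.append("SPF passed for %s but is not aligned with From: %s"
                               % (_text(spf, "domain"), header_from))
            else:
                reasons.append("SPF %s for %s" % (_text(spf, "result"), _text(spf, "domain")))
        rows.append({"source_ip": _text(rec, "row/source_ip"),
                     "count": int(_text(rec, "row/count", "0")),
                     "disposition": _text(rec, "row/policy_evaluated/disposition"),
                     "dmarc_pass": dkim_ok or spf_ok,
                     "reasons": reasons})
    return rows


def failing_sources(xml_text):
    """Failing sources, largest volume first: the list to fix before p=reject."""
    return sorted((r for r in summarize(xml_text) if not r["dmarc_pass"]),
                  key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for r in failing_sources(SAMPLE_REPORT):
        print("%-15s %5d msgs  %s" % (r["source_ip"], r["count"], "; ".join(r["reasons"])))
```

On the constructed report this surfaces the invoicing service (340 messages, SPF passing for the wrong domain and no DKIM) ahead of the spoofer (58 messages): the former is the legitimate sender that would be rejected the day p=reject goes live, and the fix is to have the service DKIM-sign with your domain or use an aligned envelope domain. Note that the verdict is taken from the receiver's policy_evaluated block, not recomputed; the domain comparison only explains why the receiver said what it said.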
This is why tools such as ours exist and why most organisations of any scale end up using them to successfully implement and maintain their global email authentication layer.
There are also unfortunate limitations in the standard that make deployments challenging, such as the limits of the underlying DNS-based authentication technologies (SPF's ten-DNS-lookup limit is the usual one to bite). Next-generation solutions such as our service OnDMARC solve these problems so you can successfully deploy DMARC irrespective of your level of infrastructure complexity.
A welcome and clearly ROI-positive side effect of authenticated email is that deliverability goes up, because the receiving server can now trust the email you actually send. Google has been recommending this for some time, and as the landscape becomes more hostile, email authentication via DMARC is a big part of the fight back.
- DMARC is protocol-level protection, but that does not mean it is ON for you by default.
- Turning it ON will involve more than a single DNS change. You want to be using the best tool available for your needs.
- If your email is not DMARC enabled, you are doing email wrong. Your organisation is not enjoying the level of visibility, security and deliverability it should be.
It is worth mentioning that while all serious email security solutions implement DMARC, there are a few holdouts. Gartner required DMARC support in 2016 to rate providers as leaders in their sector, but legacy providers still exist. If your company is using outdated technology in this fast-moving landscape, you are exposing yourself to unnecessary risk. Talk to us and we can provide more information given your specific infrastructure.