How to know if you ‘have’ DMARC

DMARC is a widely supported, standards-based approach to email security. However, that statement can often cause confusion as it suggests that organizations just get it by default. In this post, we look at what it really means to ‘have’ DMARC.

Firstly, what is DMARC?

DMARC is a widely-adopted security standard that provides protocol-level security. When correctly configured at a policy of p=reject, it stops hackers and bad actors from being able to spoof your domain (i.e. pretend to be you) to send phishing emails to your employees, customers, and wider supply chain.

But what does that all mean for your business? Do you automatically have it? Maybe you’ve heard that Microsoft, Google, or your Cisco appliance supports DMARC. So do you – as a business – need to do anything? Don’t you just ‘have’ DMARC? Well, unfortunately not quite.

Do-I-have-DMARC?

There are two parts to DMARC

The DMARC standard has two parts, one for receivers and another for senders. The widely supported part is the receivers, practically all email receivers such as Microsoft, Google, Yahoo, etc implement this part of it.

You can think about this part in terms of HTTPS, like the little green security lock that you see on all good web properties. Your browser supports it, but if your bank doesn’t enable it, it provides no benefit when you use your browser to access your account details.

To ‘turn DMARC on’ for your organization (the sender), you first need to advertise that you are ready for it on your DNS. This is what all the mail receivers around the world are checking today. So you find a DMARC generator online, follow the recommendations, and modify your DNS with the appropriate incantations. Now you have a magic piece of text that looks a little like this:

v=DMARC1; p=none; rua=mailto:me@mydomain.com; ruf=mailto:me@mydomain.com; sp=none; ri=86400

And just like that, you’re advertising to the world that you have adopted DMARC. Surely you have it now? Well, not quite.

What is a DMARC policy, and why do I need one?

Your inbox will now be spammed by servers all around the world with email traffic reports for your domain (www.example.com), yet you haven’t actually asked recipient servers to do much with the emails coming from your domain. All the attacks that DMARC is supposed to protect against are still going through, and your domain is still vulnerable to impersonation. This is because you’re currently advertising a policy of p=none.

This is a fairly common situation. Your DMARC policy is essentially the instruction you give to receiving servers, telling them what to do with emails that come from your domain. Essentially, having a DMARC policy of p=none is like having a firewall that allows all traffic in and out but gives you a log of the activity. The three DMARC policies are:

DMARC-policies-explained

To really benefit from all the internet infrastructure that already exists around you, you need to move to an enforcing policy i.e. p=quarantine or ideally p=reject. While you could try to turn it on with a simple edit to the policy, most likely your email will just stop working and you’ll rapidly jump back to p-none.

This is because all those delivery problems you’ve probably heard about (marketing emails that get low deliverability scores, proposals that have gone to spam etc) now suddenly become hard failures. In your post-DMARC existence, there is no leeway, and all those emails go nowhere.

Correctly implementing DMARC is the hard part

This is the real task at hand, and an inbox full of difficult-to-interpret XML attachments won’t get you very far. Hidden amongst millions of DMARC data points, any one of these reports could contain a critical piece of your infrastructure that is failing to authenticate and not getting through. But without the right tools to interpret the data, it’s like trying to find a needle in a haystack.

There are also unfortunate limitations in the standard that make deployments challenging, such as the limits of the foundational DNS based authentication technologies.

AI-based DMARC tool OnDMARC does the hard work

This is why we created our award-winning product OnDMARC, helping organizations of any scale successfully implement and maintain their global email authentication layer. Next generation solutions such as OnDMARC solve these problems so you can successfully deploy DMARC irrespective of your level of infrastructure complexity or IT experience.

As well as the obvious security improvements, a happy benefit of DMARC-authenticated email is that deliverability goes up as receiving servers can now trust the emails your domain sends. Google has been recommending this for some time, and as we move to a more hostile landscape, email authentication via DMARC is a big part of the fight back.

So, in summary:

  • DMARC is protocol-level protection but that does not mean it is turned on for you by default.
  • Turning it on will involve more than a single DNS change, and you want to be using the best tool available for your needs.
  • If your email is not DMARC-enabled, then your organisation is not enjoying the level of visibility, security, and deliverability that it should be.

It’s worth mentioning that while all serious email security solutions implement DMARC there are a few holdouts. Gartner required DMARC support in 2016 to rate providers leaders in their sector but legacy providers still exist. If your company is using outdated technology in this fast-moving landscape, you are exposing yourself to unnecessary risk. Talk to us and we can provide you with more information given your specific infrastructure.

Quickly check your current SPF, DKIM, and DMARC setup using our free tool

To get started on your DMARC journey, you’ll first want to see what your current email security setup looks like. To do this, you can use our quick and easy investigate tool to check your current SPF, DKIM, and DMARC setup in seconds. Try it below!

Check email setup

PUBLISHED BY

Rahul Powar

10 Nov. 2017

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more
DMARC

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more
DMARC

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more
News

Announcing the beta for Red Sift Radar: An LLM Assistant for Security…

Rahul Powar

We are delighted to announce the beta for Red Sift Radar – our new LLM assistant for security teams. With Red Sift Radar, teams will be able to use an LLM to automate manual checks, drive security consistency, and build bridges with less technical teams. To bring this to life, we have taken base…

Read more