• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Red Sift Blog

Red Sift Blog
  • redsift.com
  • Featured
  • Who are we?
  • Get in touch
You are here: Home / Email / How to know if you ‘have’ DMARC

How to know if you ‘have’ DMARC

by Rahul Powar
November 10, 2017August 16, 2022Filed under:
  • DMARC
  • Email

DMARC is a widely supported, standards-based approach to email security. However, that statement can often cause confusion as it suggests that organizations just get it by default. In this post, we look at what it really means to ‘have’ DMARC.

Firstly, what is DMARC?

DMARC is a widely-adopted security standard that provides protocol-level security. When correctly configured at a policy of p=reject, it stops hackers and bad actors from being able to spoof your domain (i.e. pretend to be you) to send phishing emails to your employees, customers, and wider supply chain.

But what does that all mean for your business? Do you automatically have it? Maybe you’ve heard that Microsoft, Google, or your Cisco appliance supports DMARC. So do you – as a business – need to do anything? Don’t you just ‘have’ DMARC? Well, unfortunately not quite.

Do-I-have-DMARC?

There are two parts to DMARC

The DMARC standard has two parts, one for receivers and another for senders. The widely supported part is the receivers, practically all email receivers such as Microsoft, Google, Yahoo, etc implement this part of it.

You can think about this part in terms of HTTPS, like the little green security lock that you see on all good web properties. Your browser supports it, but if your bank doesn’t enable it, it provides no benefit when you use your browser to access your account details.

To ‘turn DMARC on’ for your organization (the sender), you first need to advertise that you are ready for it on your DNS. This is what all the mail receivers around the world are checking today. So you find a DMARC generator online, follow the recommendations, and modify your DNS with the appropriate incantations. Now you have a magic piece of text that looks a little like this:

v=DMARC1; p=none; rua=mailto:me@mydomain.com; ruf=mailto:me@mydomain.com; sp=none; ri=86400

And just like that, you’re advertising to the world that you have adopted DMARC. Surely you have it now? Well, not quite.

What is a DMARC policy, and why do I need one?

Your inbox will now be spammed by servers all around the world with email traffic reports for your domain (www.example.com), yet you haven’t actually asked recipient servers to do much with the emails coming from your domain. All the attacks that DMARC is supposed to protect against are still going through, and your domain is still vulnerable to impersonation. This is because you’re currently advertising a policy of p=none.

This is a fairly common situation. Your DMARC policy is essentially the instruction you give to receiving servers, telling them what to do with emails that come from your domain. Essentially, having a DMARC policy of p=none is like having a firewall that allows all traffic in and out but gives you a log of the activity. The three DMARC policies are:

DMARC-policies-explained

To really benefit from all the internet infrastructure that already exists around you, you need to move to an enforcing policy i.e. p=quarantine or ideally p=reject. While you could try to turn it on with a simple edit to the policy, most likely your email will just stop working and you’ll rapidly jump back to p-none.

This is because all those delivery problems you’ve probably heard about (marketing emails that get low deliverability scores, proposals that have gone to spam etc) now suddenly become hard failures. In your post-DMARC existence, there is no leeway, and all those emails go nowhere.

Correctly implementing DMARC is the hard part

This is the real task at hand, and an inbox full of difficult-to-interpret XML attachments won’t get you very far. Hidden amongst millions of DMARC data points, any one of these reports could contain a critical piece of your infrastructure that is failing to authenticate and not getting through. But without the right tools to interpret the data, it’s like trying to find a needle in a haystack.

There are also unfortunate limitations in the standard that make deployments challenging, such as the limits of the foundational DNS based authentication technologies.

AI-based DMARC tool OnDMARC does the hard work

This is why we created our award-winning product OnDMARC, helping organizations of any scale successfully implement and maintain their global email authentication layer. Next generation solutions such as OnDMARC solve these problems so you can successfully deploy DMARC irrespective of your level of infrastructure complexity or IT experience.

As well as the obvious security improvements, a happy benefit of DMARC-authenticated email is that deliverability goes up as receiving servers can now trust the emails your domain sends. Google has been recommending this for some time, and as we move to a more hostile landscape, email authentication via DMARC is a big part of the fight back.

So, in summary:

  • DMARC is protocol-level protection but that does not mean it is turned on for you by default.
  • Turning it on will involve more than a single DNS change, and you want to be using the best tool available for your needs.
  • If your email is not DMARC-enabled, then your organisation is not enjoying the level of visibility, security, and deliverability that it should be.

It’s worth mentioning that while all serious email security solutions implement DMARC there are a few holdouts. Gartner required DMARC support in 2016 to rate providers leaders in their sector but legacy providers still exist. If your company is using outdated technology in this fast-moving landscape, you are exposing yourself to unnecessary risk. Talk to us and we can provide you with more information given your specific infrastructure.

Quickly check your current SPF, DKIM, and DMARC setup using our free tool

To get started on your DMARC journey, you’ll first want to see what your current email security setup looks like. To do this, you can use our quick and easy investigate tool to check your current SPF, DKIM, and DMARC setup in seconds. Try it below!

Check email setup

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)

Related

Tagged:
  • Cybersecurity
  • Deliverability
  • DMARC
  • Email
  • Marketing

Post navigation

Previous Post Another trophy for the Red Sift cabinet!
Next Post How to streamline your DMARC decisions

Primary Sidebar

Subscribe to our blog and be the first to get updates!

Categories

  • AI
  • BEC
  • BIMI
  • Brand Protection
  • Coronavirus
  • Cybersecurity
  • Deliverability
  • DMARC
  • DORA
  • Email
  • Finance
  • Labs
  • News
  • OnINBOX
  • Partner Program
  • Red Sift Tools
  • Work at Red Sift
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • October 2016

Copyright © 2023 · Red Sift