DMARC – avoid common pitfalls when implementing

Why is DMARC important and why do many have difficulties implementing it correctly? It is considered as best practice to not only protect yourself, but also your customers and suppliers, from receiving mail sent out for the purpose of phishing. By implementing DMARC, you significantly reduce the risk that your domain name will be misused, and your organization will have full visibility of your/the e-mail flow.

The use of SPF, DKIM, or both together does not suffice in protecting yourself against this type of fraud - DMARC is also required for full protection. Despite this, few have implemented DMARC and many of those who have tried to do so have not set an enforcement policy (“p=quarantine” or “p=reject”). Without an enforcement policy DMARC is ineffective as a protection and the result of a domain not implementing an enforcement policy is exposing its recipients to possible phishing attacks. Unsurprisingly 91% of all cyberattacks starts with a phishing email.

“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, Director of Privacy på 250ok.

250ok’s Global DMARC Adoption 2019 report shows that as many as 79.7% of domain names analyzed do not have a DMARC policy *. Thus, there is no valid published DMARC record in DNS.

The challenge is not to publish the DMARC record in DNS. The actual complexity begins with the analysis of the collected data and to determent what actions need to be taken given the information generated from it. The fact that few of Fortune 500 have not yet implemented DMARC explains a great deal of this complexity and is also presented in 250ok’s report.

From my perspective I see three major pitfalls:

1. You don´t use any analysis tool for the DMARC reports.I dare to say that it is impossible to successfully implement DMARC unless you have a tool that will help you process all thousands of XML reports sent daily. There are plenty of free tools on the market today and even better well-developed tools that does not have to cost a fortune. You could also build one yourself!
2. There are difficulties in how to interpret the datacoming from the reports and therefore there can be difficulties in completing the implementation. Maybe you get stuck at policy “none” or a policy “quarantine”. In the first case, DMARC is completely ineffective as protection, only data is collected. In the second case, junk mail becomes an extended arm of the inbox, which should of course be avoided.
3. It’s incredibly time consuming. Partly to learn how to analyze the data, but also to diagnose errors. DMARC is not a “set and forget” and it requires continuous care and usually corrective measures on a weekly basis. Thus, there is often a risk that this falls between the chairs and is passed on to someone in the organization who is full of other duties.

Hiring someone who understands the entire process is not only cost-effective but also time saving. At Abion, we have packaged the Email Compromise Protection (ECP) service with all the parts you need to best secure your outgoing email flow. We handle the entire process including pre-study, implementation and monitoring, in parallel with close reconciliations with you as a customer.

* 250ok’s Global DMARC Adoption 2019 report analyzed domains in a variety of sectors including education, e-commerce, Fortune 500, US government (executive, legislative and Judical), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, financial services and the travel sector.

The report looks into whether the organization or the parent domain, excluding any subdomains, implement any level of DMARC policy from “none” (good), “quarantine” (better), or “reject” (best) or no policy at all.