5 Big Myths about DMARC, Debunked
A guest blog from Agari.
With email attacks contributing to billions of lost dollars each year, a growing number of organisations are adopting Domain-based Message Authentication, Reporting & Conformance (DMARC) in an effort to protect themselves and their customers from fraudsters.
Adoption of DMARC has steadily gained traction, and more than 70% of all email inboxes worldwide support this standard for detecting identity-based fraudulent email attacks. The email authentication protocols at the heart of DMARC, first introduced in 2012, have proven extremely effective at stopping billions of email attacks from ever reaching their targets.
But that’s only when it’s done right. Unfortunately, there are a number of myths about DMARC that could hinder deployments and undermine efforts to thwart attacks. Let’s debunk five of the most prevalent:
Myth #1: Deploying DMARC is Easy
Makes sense, right? After all, getting started with DMARC only requires publishing a DMARC record to your DNS, after which you receive immediate visibility into your email sending environment. In addition to reporting, DMARC also acts as the policy layer for email authentication technologies already widely in use, including Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Visibility, reporting, and policy enforcement all with a simple DNS record seems pretty easy, and in fact it can be… but the devil is in the details.
DMARC reports (in the form of raw XML) can be difficult to parse and, more importantly, it is difficult to correlate the sending IP addresses they list with the actual organisations that send on your behalf. Most organisations are surprised to discover how complex their email ecosystem is—especially those with thousands of domains across multiple geographies and countless third-party partners. And because authenticating your email with SPF and DKIM has to be done before any policy actions can be implemented, knowing who to contact at which email service provider is the necessary first step in implementing DMARC. This is often the hardest step, which is why Email Cloud Intelligence in Agari Brand Protection maps sending IP addresses to the email service provider sending on your behalf. With this feature, it’s easy to determine who is sending email so you can take the next steps in protecting those third-party providers.
Myth #2: DMARC Prevents All Email Attacks
When configured correctly, DMARC enables receivers—either webmail providers or secure email gateways with DMARC support—to detect deceptive emails sent by attackers spoofing the domains owned by the organization. That’s true no matter who the intended target may be, correct?
When configured properly, DMARC stops phishing attacks that appear to originate from trusted domains. That makes it ideal for outbound phishing protection because the organisation sending email controls its implementation. But it can also mitigate certain threats found in inbound traffic—at least as part of a multi-layered approach to email security. However, based on multiple independent studies, the overall share of attacks using “owned domain spoofing” as an attack vector is a low double-digit percentage and decreasing. More than 80% of spear phishing attacks leverage Display Name Imposters (DNI), impersonating either brands or individuals, and DMARC provides no defence against that. Additionally, DMARC doesn’t protect against look-alike domain spoofs or compromised accounts. In all of these cases, additional protection is needed to prevent phishing emails from hitting the inbox.
Myth #3: Establishing a DMARC Record Means You’re Protected
The good news is that DMARC is supported by 2.5 billion email boxes worldwide, and more are joining these ranks every day. By establishing a DMARC record, email senders can help receivers spot spam that’s impersonating an organization known to be DMARC protected. So aren’t you good to go?
Not quite. Yes, a DMARC record enables senders and receivers to exchange data that can help them spot scams. But it does nothing to enforce any policies on its own. For that, organisations must specify in their record whether unauthenticated emails should be quarantined in a junk folder or rejected outright. The bad news is that most organisations have a DMARC policy of p=none, including 44% of the Fortune 500. In fact, of the top organisations in the United States, only 12% are completely protected with a policy of p=reject. Remember, DMARC is both a reporting standard and a policy enforcement standard. Visibility is a great first step to understanding your email sending environment, but enforcement needs to follow fast to ultimately protect your organisation and your brand.
Myth #4: DMARC is Only Needed for Domains That Send Email
With DMARC properly set and appropriate enforcement policies activated for the domains from which they send email, organizations have everything they need to effectively monitor email and make informed security decisions, correct?
Any domain can be impersonated, so it is not just a matter of locking down the domains that currently send email. Every domain you own should be protected by DMARC to make sure email receivers can assess whether incoming messages purporting to come from any of your domains are authentic. Brand protection that only covers some domains isn’t really brand protection at all, as the attackers will quickly move to other domains that look or sound like you.
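The checks behind Myths #3 and #4 can be run over a whole domain inventory; the Python below is an added example, not Agari's code or part of the original post. It assumes the TXT values at _dmarc.<domain> have already been fetched for each organisational domain; the domains, records and function names are constructed for illustration.

```python
def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT value, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def audit(txt_values):
    """Findings for one domain, given the TXT values published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_values) if r]
    if len(records) != 1:
        # Receivers apply no DMARC policy when zero or several records are found.
        return ["no DMARC record" if not records else "multiple DMARC records"]
    tags, findings = records[0], []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if policy == "none":
        findings.append("p=none: reporting only, nothing is enforced")
    elif not enforcing:
        findings.append("p tag missing or invalid")
    if enforcing and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not enforced")
    pct = tags.get("pct", "100")
    if enforcing and pct.isdigit() and int(pct) < 100:
        findings.append("pct=" + pct + ": policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so no visibility")
    return findings

# Constructed inventory: every domain the organisation owns, sending or not.
OWNED = {
    "example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "shop.example": ["v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@shop.example"],
    "parked.example": [],  # never sends mail, and has no record at all
    "corp.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"],
}

def audit_all(inventory):
    """Map each owned domain to its list of findings (empty list = enforced)."""
    return {domain: audit(values) for domain, values in inventory.items()}

if __name__ == "__main__":
    for domain, findings in audit_all(OWNED).items():
        print(domain, "->", findings or ["enforced"])
```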
Myth #5: DMARC is All You Need
DMARC is awesome: Get your domains locked down, set your policies, and enjoy a drop-the-mic moment, right?
Setting up DMARC is just the beginning. How will you ensure enforcement throughout the email ecosystem? What happens if your marketing team signs up another vendor to send email on your behalf? What if somebody registers a new domain or sub-domain as part of a new email marketing campaign? How will you use data from all your email streams to gain visibility into fraud tactics and fight active threats as they emerge? If “eternal vigilance is the price of liberty”, then continuous monitoring of your email ecosystem is the price of a 100% safe and secure brand. Fortunately, Agari has been in this market longer than any other vendor and our track record of success with the world’s largest brands proves we are the best at it.
Myth-busting aside, it’s unclear how many organisations will use DMARC to its full potential. Still, when you consider that 94% of successful breaches start with email, we should all hope a growing number decide that doing DMARC right is worth it.