
If DMARC Is So Great, Why Isn’t Everyone Doing It?

You’ve likely heard about DMARC before, but do you need a DMARC record? Is DMARC necessary, and if so, why aren’t more people using it? Good questions. We have answers.

You’ve likely heard about DMARC before, but do you need a DMARC record? Is DMARC necessary, and if so, why aren’t more people using it? The truth is that DMARC improves email security and deliverability, but implementing it is more complex than it should be, leading to complications.

Almost 90% of email attacks are based on fake sender identities, either of brands (83%) or individuals (6%). Exact-domain impersonation occurs when scammers use a domain in the “From” field of the message that is actually owned by the organization they’re impersonating. 

Fortunately, this type of impersonation can be stopped by email authentication.

Email authentication—verifying that an email really does come from the domain it says it comes from—is based on widely accepted standards. Over 80% of email inboxes worldwide do authentication checks to validate that the sender can use the domain in the “From” field. 

There’s just one catch: For domain owners, getting it right is technically challenging.

Domain-based Message Authentication, Reporting & Conformance (DMARC) is the cornerstone standard for email sender identity authentication. Major consumer mailbox providers, including Gmail, Microsoft, and Yahoo Mail have embraced DMARC.

DMARC is a technical specification that effectively stops exact-domain phishing attacks by preventing unauthorized use of a domain in the “From” address of email messages. 

Why is DMARC important?

While there can be multiple domains associated with an email message, the domain in the visible From header is the only one that’s likely to be seen by the person receiving the message. When you implement DMARC successfully, you’re deploying the most effective tool available to domain owners to prevent unauthorized usage of their domain in that header. A DMARC deployment with a policy at enforcement can mean two very important things to the domain owner.

First, when DMARC is deployed, recipients of emails using the authenticated domain can trust that the message really came from the domain owner. When recipients trust email, they tend to engage with it more frequently and positively.

Second, with a DMARC deployment, the domain owner can earn proper credit for following best-sending practices because mailbox providers can reliably attach their reputation to the authenticated domain. When a domain owner follows best-sending practices with DMARC authentication, that domain owner tends to see its email land in the inbox more frequently, giving its recipients more chances to engage positively with the message.

What makes implementing DMARC so difficult?

The details of implementing DMARC are not widely understood. It contains some subtleties that many messaging pros are not familiar with. It relies on two other standards, SPF and DKIM, which are tricky to implement and error-prone.

DMARC poses a particular challenge for small and midsize companies that don’t have the IT resources or depth of messaging experience to learn about the trio of standards it comprises (much less ensure they are implemented correctly). However, we’ve found it’s not just small companies that have trouble implementing DMARC correctly—even large organizations run into trouble.

For instance, Alibaba.com has implemented a DMARC record but is not actually enforcing authentication and therefore has not used authentication to block the recurring phishing attacks it has encountered. That’s because it has been using DMARC in the p=none configuration for several years—which means DMARC has been set up, but it’s essentially not turned on.

You can check Alibaba.com’s DMARC status with our free, instant domain checker, which pulls data from the publicly available DNS records for that domain. We’re not singling out Alibaba, as many other organizations face the same problems. Plug your favorite domains into our DMARC and SPF validation tools to find out how they fare.

Here are a few reasons implementing DMARC proves tricky.

1. SPF and DKIM alignment

For a message to pass DMARC validation, that message must first pass either SPF or DKIM, but with an added twist – the domain used in the SPF or DKIM validation check must be aligned with the domain in the visible From header.

This means that it must at least be in the same name hierarchy, if not identical, to qualify for a DMARC pass. For example, a message with a visible From header domain of “yourbank.com” but SPF and DKIM domains of “badguy.com” and “phishingyou.com” would fail DMARC even if SPF and/or DKIM passed because those domains do not align with “yourbank.com”.

This requirement for alignment is most challenging for domain owners that employ third-party senders to send email on their behalf, because those third-party senders, by default, will use their own domain names for SPF and DKIM rather than their customers’ domains. However, there are known ways to ensure domain alignment even with third-party senders.
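The following is an added example, not Valimail’s code, showing how a receiver combines the alignment rule above with the domain’s published policy (including the p=none case mentioned earlier). The public-suffix list is a constructed stub; a real evaluator uses the full Public Suffix List to find the organizational domain.

```python
# Added example (not Valimail's code): how a receiver decides DMARC for one
# message, using identifier alignment and the domain's published policy.

# Constructed, minimal public-suffix list for the example; real evaluators
# use the full Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """mail.yourbank.com -> yourbank.com (longest public suffix plus one label)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy action applied to a failing message:
    'none' (monitor only, nothing is blocked), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

With the yourbank.com example from the text, passing SPF and DKIM for badguy.com and phishingyou.com still yields the domain’s failure policy, and under p=none that policy is simply “none”.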

This might sound complicated, but Valimail simplifies this process.

2. SPF lookup limit

Another problem is the SPF lookup limit. To evaluate whether an email message passes SPF authentication, a receiving mail server may have to make one or more DNS lookups. 

To prevent denial of service attacks, only the first 10 of those DNS lookups are evaluated. Companies whose SPF records include more than 10 lookups will run into trouble because messages may fail authentication if the indicated domain appears too late in the list.

Many messaging administrators hard-code IP addresses into their SPF records to work around this limitation, but that is another fragile solution. It’s easy to mistype IP addresses—they are not easily readable by humans, and servers’ IP addresses may change.

What’s more, maintenance is an issue. Keeping server addresses up to date can often cause hiccups.
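The following is an added example, not Valimail’s code, that counts the DNS lookups an SPF record forces a receiver to make, following include: and redirect= the way an evaluator would. The DNS table and domain names are constructed for the example; a real checker would resolve the TXT records over the network.

```python
# Added example (not Valimail's code): count SPF terms that cost a DNS query
# and flag records that exceed the 10-lookup limit.

SPF_LOOKUP_LIMIT = 10

# Constructed SPF records keyed by domain (hypothetical names, documentation IPs).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailer.example include:crm.example a mx ~all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 include:_spf-a.mailer.example -all",
    "_spf-a.mailer.example": "v=spf1 ip4:198.51.100.0/24 a:relay.mailer.example -all",
    "crm.example": "v=spf1 include:_spf.crm.example mx -all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.spf.crm.example -all",
    "bloated.example": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(12)) + " -all",
}

# Terms that cost a DNS query; ip4, ip6 and all are evaluated without one.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def count_spf_lookups(domain, dns=DNS_TXT, seen=None):
    """Number of DNS-querying terms reachable from domain's SPF record.
    An include whose target has no record still costs the query that found that out."""
    seen = set() if seen is None else seen
    seen.add(domain)
    total = 0
    record = dns.get(domain, "")
    for term in record.split()[1:]:              # skip the v=spf1 version tag
        term = term.lstrip("+-~?")               # drop the qualifier
        sep = "=" if term.startswith("redirect=") else ":"
        mech, _, target = term.partition(sep)
        mech = mech.split("/")[0].lower()        # 'a/24' -> 'a'
        if mech not in LOOKUP_TERMS:
            continue
        total += 1
        if mech in ("include", "redirect") and target not in seen:
            total += count_spf_lookups(target, dns, seen)   # recurse, loop-safe
    return total


def spf_within_limit(domain, dns=DNS_TXT):
    """(lookup count, True if the record stays within the 10-lookup limit)."""
    n = count_spf_lookups(domain, dns)
    return n, n <= SPF_LOOKUP_LIMIT
```

Nested includes from two third-party senders already bring example.com to 9 of the 10 allowed lookups, which is why adding one more vendor often breaks SPF without anyone touching the top-level record.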

Implement DMARC without the learning curve

So, do you need a DMARC record? Yes. Is DMARC necessary for everyone? Yes.

If the learning curve is too daunting, the Valimail platform can simplify the process of setup, configuration, and ongoing maintenance of your DMARC authentication.

Whether you choose to implement DMARC yourself or outsource it to Valimail, you need to familiarize yourself with the standard and the importance of authenticated email. The future of authenticated email is coming. The question is how quickly you can get ready for it.

Valimail provides a wide range of resources on DMARC and email authentication, but a good place to start is our 90-second video on the DMARC process and where many people get blocked.

If you’re interested in implementing DMARC without the hassle, the first step is to get visibility into the senders of your domain. Sign up for a free account on our Monitor platform today!