Blog Article
20 September 2022 | 8 Minutes Read

Effective DMARC Deployment for Defeating Cyber-criminals

DMARC, a relatively new technology standard at just 10 years old, delivers tangible security protection against cybercriminals but requires effective deployment.

When the outcome is not as expected, and the promise of the technology not realised, there is often frustration, anger and resentment.

And rightly so, and even more so with DMARC deployments. However, it’s not the technology that is most likely the cause of the problem; it’s what hasn’t been done with it. Don’t be mad at the technology, be mad that it hasn’t been implemented correctly.

All technology is not created equal; there are different standards, protocols and best practice aplenty. Businesses need to engage with people who are qualified and experienced with configuring and implementing a specific technology.

Technology done right delivers

Using a provider that is classed as a DMARC (Domain-based Message Authentication, Reporting and Conformance) expert will ensure that the implementation is done correctly and fully, and organisations can be confident that the full protection benefits and compliance of the DMARC technology standard will be delivered.

DMARC, a relatively new technology standard at just 10 years old, delivers tangible security protection against cybercriminals.

However, for many organisations the full benefits of DMARC are not being realised and this state of affairs can be directly attributable to incorrect or incomplete implementation and configuration.

DMARC involves the configuration of three inter-related standards and protocols – SPF, DKIM and DMARC itself – as well as consideration of the wider email security environment, including, for example, a company’s anti-spam software. All these pieces of the email security puzzle are complementary and must work in harmony.

There are no short cuts to reaching the desired DMARC policy of “reject”.

Errors made in the analysis, configuration, set up, or implementation stages can render DMARC less effective than its real protection capability.

When businesses that have taken the decision to implement DMARC continue to be the target of cyber criminals employing all sorts of spoofing and phishing attacks for fraudulent gain, they rightly become frustrated and immediately look to fault the technology. DMARC hasn’t lived up to its promises, and they immediately deem it ineffective. This is very far from the truth.


When things go wrong

DMARC as a standard is not faulty. At fault is an incorrect, flawed or partial implementation.

The fact is that when DMARC is configured correctly and policies set up correctly, organisations will have the highest level of protection from cyber criminals who seek to use email as a weapon to defraud them.

Businesses should not think that implementing DMARC is a quick fix that involves simply turning on a setting. It requires methodical, systematic and thorough analysis and planning. With a DMARC implementation the detail is everything. This is why every employee at Sendmarc is fully focused on DMARC.

Excellence in implementation requires expert engineers

Every Sendmarc engineer is entrenched in the technology and its inter-relationships with all software touching the email environment at any time, in order to enable organisations to achieve the strongest email security credentials. When Sendmarc is implementing DMARC at a company it follows a proprietary methodology that is robust and highly detailed. It is confident of its DMARC success credentials and offers all companies a guarantee of achieving a policy of reject for them within 90 days.

Sendmarc puts its money where its mouth is and does not charge a client if this guarantee isn’t delivered, and with over 500 clients none have had reason to invoke the guarantee.

Sendmarc has the guarantee in place because it has highly specialised skilled engineers with in-depth understanding of the syntax of all protocols and standards across the email security environment, and understands and has experience of the most complex email environments and all technologies that touch it.

DMARC providers who are not familiar and entrenched in the protocol day in and day out, as well as the intricacies and inter-relationships of the entire email environment and all its working parts, are likely to run into implementation difficulties.

Poor implementations are a cybercriminal’s dream

Over the past couple of months, in conversations with many businesses, Sendmarc has heard first-hand of the frustration and lack of confidence in DMARC that some are feeling. The decision to implement DMARC is most definitely the right one, but they have lost faith in it because they are still receiving spoofing and phishing attacks from cybercriminals hijacking their domain name and impersonating them, and they are having legitimate emails blocked, which is severely affecting their productivity. There are a number of reasons this may be happening, but what is safe to say is that it is not DMARC as a technology standard that is at fault.

Knowing the robustness of DMARC as a technology standard, and knowing that the internet becomes a safer place with every additional company that has DMARC (correctly implemented and at a policy of reject), Sendmarc looked into the implementations at these companies to find out why they were not experiencing the security promise.

The effectiveness of DMARC lies with its correct configuration and implementation. If the implementation is flawed, organisations will continue to be plagued both by spoofing and phishing attacks as well as the disruption of the seamless delivery of legitimate mail.

When the email environment continues to be disrupted by cybercriminal attacks or deliverability issues, it is typically because whoever has implemented DMARC either:

  • Lacks the required knowledge and understanding of the inter-relationships of DMARC, SPF, DKIM and anti-spam, resulting in an incorrect implementation that lets impersonators continue to hijack the company’s name, and the names of its employees, to commit fraud
  • Hasn’t taken into consideration the entire email environment, including third-party senders and all domain and sub-domain names, so the company is still susceptible to cybercriminals and email continues to be used as a weapon to conduct phishing and spoofing attacks
  • Has not correctly analysed, planned or monitored the environment and set the appropriate policy in a staged manner, causing legitimate email to be blocked

Sendmarc has a customer base of all sizes from large international corporations, to enterprises operating in specific regions, and small and medium sized businesses with national footprints.

There are no short-cuts: typical implementation errors

Across this customer base it has seen a number of implementation errors that have left organisations in a position where they are not receiving the highest security and compliance benefits of DMARC and improved email deliverability. The reasons for this are:

  1. The absence of DMARC alignment. Alignment means the domain in the visible From: header matches the domain authenticated by SPF or DKIM; without it, an email cannot pass DMARC.
  2. Not taking into consideration ALL of a company’s registered domain and sub-domain names, both active and dormant. Unless all domain names are protected with SPF, DKIM and DMARC, the company will not be protected and will continue to be at risk.
  3. Omitting third-party email senders because stakeholders from across the business are not consulted. Many departments – for example marketing, sales and HR – make use of third-party email senders, and all of them need to be accounted for to avoid legitimate emails being blocked.
  4. Organisations immediately setting their DMARC to a policy of reject. This causes significant deliverability issues because valid emails are blocked. Reaching a policy state of reject is a systematic, staged process that ensures there is no disruption to the receipt of legitimate business email.
  5. No consideration of maintaining and managing DMARC after a policy of reject is reached, and therefore no reporting address is provided, leaving organisations blind to authentication failures or potential impersonation attacks.
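An added example, not code from the article or from Sendmarc, that makes three of the errors above concrete in working form: it evaluates identifier alignment for a message (item 1), applies the sub-domain policy tag (item 2) and flags a record with no reporting address (item 5). The DMARC records, the example.com / example.net domains and the third-party mailer are constructed for illustration; the organisational-domain rule is simplified and assumes two labels instead of consulting the Public Suffix List.

```python
# Added example (not Sendmarc's code): DMARC alignment evaluation and record audit.
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    production code consults the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: the domains that PASSED SPF (MAIL FROM) and DKIM (d=),
    or None when that check failed. Returns (result, disposition the receiver applies)."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A sub-domain falls under sp= when present, otherwise it inherits p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("p", "none")
    if is_subdomain and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
def audit_record(record):
    """List the record-level gaps described above: no reporting address, sub-domains weaker than p."""
    tags = parse_dmarc(record)
    findings = []
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, blind to failures and impersonation")
    if STRENGTH.get(tags.get("sp", tags.get("p")), 0) < STRENGTH.get(tags.get("p"), 0):
        findings.append("sp weaker than p: sub-domains remain open to spoofing")
    return findings

if __name__ == "__main__":  # constructed samples: a third-party mailer signing with its own domain
    print(audit_record("v=DMARC1; p=reject; sp=none"))
    print(dmarc_result("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "example.com", None, "mailer.example.net"))
```

The second call shows item 3 as well: a DKIM pass from the mailer's own domain does not align with the From: domain, so under p=reject that legitimate message is rejected.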

The need to diagnose why DMARC is failing can be avoided entirely by choosing a DMARC provider with the required specialist skills and dedicated DMARC engineers.

All businesses should make the decision to implement DMARC if they haven’t done so already. If you do not believe you are susceptible to cyber criminals whose weapon of choice is email, you can take Sendmarc’s online analysis to learn the true state of your email security. It takes less than five minutes and uses a sophisticated and highly accurate algorithm to calculate your security score.

If governments around the world, including the US, UK, Australia, New Zealand, Canada, and The Netherlands are recommending and implementing DMARC as part of their arsenal of cyber security measures to protect themselves and their citizens from cyber criminals using email for fraudulent purposes, you can be confident it is a robust technology.

But DMARC, like most technology, is only as effective as its implementation.
