Whether you’re an SME or a large multinational company, the risk of falling victim to a phishing attack has never been higher, as criminals and technology become more sophisticated.
Do I need DMARC?
If you use any of the major email providers, chances are you also have an anti-spam tool in place – such as Office 365 Exchange Online Protection, SYNAQ Securemail, or Symantec Mail Security. Although there are slight differences between them, all anti-spam tools work in the same basic way: they filter out spam email at the mail server level before it even reaches your email client.
If you have an anti-spam tool in place, you may then be wondering: is it necessary to have a DMARC compliance tool like Sendmarc active on your domain as well? (If you’re not familiar with what DMARC compliance is, get an understanding of why it’s important here).
The answer to this is yes – it’s prudent to have both. While anti-spam tools may prevent spam emails from getting to your inbox, they won’t prevent someone from impersonating your domain and sending an email purporting to be from you. As IBM’s Security report from 2019 found, a data breach is likely to have a far bigger cost to a company than simply not receiving spam.
If you’re not familiar with this form of fraud, domain impersonation – also known as phishing – is when an unauthorised external party gains access to your domain and is able to send and receive emails from it. In this way, they’re able to access sensitive data and even funds from your organisation, for example, if they were to send out a fraudulent invoice containing their own banking details from your email address.
In essence, the biggest threat to email security is not spam – it is domain impersonation.
Protect yourself from phishing
If you only have an anti-spam tool on your email server, fraudulent mail of this kind, sent to or received from legitimate contacts such as your customers or suppliers, won’t be caught in your spam filter. In this way, phishing emails bypass the anti-spam mechanism on your domain altogether. Anti-spam protection therefore doesn’t extend beyond the wall that you build around your company.
The damage that can stem from impersonation outside your organisational walls can make it back into your company in two main ways:
- Financially: Customers can pay invoices to phishers that were meant for you
- Reputationally: A customer who receives malware via an email from your domain is likely to remember this in future, which can damage your future relationship with them.
With DMARC compliance, you’re able to protect your organisation from these potential phishing risks. Each time a server receives a mail from your domain, a tool like Sendmarc will check the DMARC policy of the sender of the email. This is true regardless of where in the world that mail came from, and whether the sending infrastructure is yours or that of a hacker. With this check in place, any mail that doesn’t come from a legitimate source will be rejected.
This means that the protection that you have in place extends to anyone your organisation is interacting with externally, including customers, suppliers, or another external party.
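To make the check described above concrete, here is an added example (not Sendmarc's code or any mail server's implementation) of how a receiving server could apply a domain's published DMARC record to a message. The function names, the sample record and the domains are constructed for illustration; the organisational-domain lookup is simplified to the last two labels, and the `sp` and `pct` tags are ignored.

```python
# Added example: simplified receiver-side DMARC evaluation (after RFC 7489).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    # "v=DMARC1" must be the first tag, and a policy (p=) must be present.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: organisational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ("s") needs an exact match; relaxed ("r") compares organisational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return "pass", the owner's requested policy on failure, or "no-policy".

    spf_pass_domain: envelope-sender domain that passed SPF, if any.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return "no-policy"
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    # DMARC passes if either mechanism passes AND aligns with the visible From domain.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed sample record, as it would be published at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate mail: DKIM signature from the same domain as the From header.
    print(dmarc_disposition(RECORD, "example.com", dkim_pass_domains=["example.com"]))
    # Spoofed From header: SPF passed, but only for the impersonator's own domain.
    print(dmarc_disposition(RECORD, "example.com", spf_pass_domain="attacker.test"))
```

The second call shows why a spoofed message fails even when its sender's own SPF record is valid: the authenticated domain does not align with the domain shown in the From header, so the owner's `p=reject` policy applies.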
Anti-spam tools have been around for a long time, and they’re certainly effective at filtering out emails that aren’t legitimate. However, when it comes to domain impersonation, the costs to a company are far more serious than the mere inconvenience of having your inbox clogged up. For this reason, even if you have an anti-spam tool on your domain, DMARC compliance is crucial in protecting your organisation financially and reputationally. In short, DMARC adoption is the duty of any responsible business citizen, whether you’re a small business, an SME or a large corporate.