What DMARC Can (& Can’t) Do for Domains

DMARC

Every domain should implement DMARC; it solves many email security problems. However, like all solutions, it has some limitations. It can’t completely protect domains from every type of phishing scheme or social engineering attack.

As an open Internet protocol, DMARC is very cleared defined. It is a powerful tool for protecting brand identity. However, if it is misunderstood, it could lull businesses into a false sense of security. Here’s exactly what DMARC can and can’t do for your domain:

DMARC CAN…

1. … Show Who is Sending From Your Domain

DMARC has 2 functions. The first is reporting, which allows domains using DMARC to receive reports that list all the email transmitters and which emails passed or failed authentication. There’s a lot of information in DMARC reports. To help make sense of all this data, Fraudmarc provides free DMARC report analysis.

2 . … Help You Set Up DKIM and SPF

DMARC reports provide a ton of data about emails sent from a domain. This information is key to configuring SPF and DKIM to accurately reflect how a domain sends email. The reports allow businesses to monitor their email flow as they make changes to their SPF and DKIM. Without the reports, it is very difficult to tell whether these changes are improvements.

3. … Control How Unauthenticated Email is Handled

The second function of DMARC is controlling unauthenticated emails through the use of the 3 DMARC policies. A domain’s DMARC policy instructs the email-processing ISP (Inbox Service Provider) on how the domain owner wants unauthenticated emails dealt with.

4. … Protect Your Outbox

DMARC Reject is the highest level of protection that DMARC offers, blocking all unauthenticated email. Under a Reject policy, authenticated email is delivered, while spoofed email is blocked. In other words, DMARC allows domain owners to automatically reject email that they have not authorized through SPF and/or DKIM. This is exactly the control businesses need in order to protect their brands, customers, and employees from spoofed emails.

5. … Improve Deliverability

Most of the large ISPs ( e.g., Google, Microsoft, Yahoo) want to see email authentication adoption increase. Properly authenticated email can perform 5-10% better than unauthenticated email.

DMARC CAN’T…

1. … Make You Use a Strong Password

It will not change your password or make you use a secure password. If someone hacks into your email account and sends phishing email, those are not spoofed emails even if they are malicious phishing emails. DMARC can’t stop these emails- that’s on you and your weak password.

2. … Roll DKIM Keys or Update SPF

Once you reach Reject, your domain is secured against spoofed email. You still need to keep your SPF record up-to-date and change your DKIM keys regularly. SPF records change; your SPF record needs to reflect changes to include SPF records or changed senders. In addition, DKIM keys can be broken. The longer you use a key, the more likely it becomes that someone has cracked your key’s encryption. DMARC will keep generating reports and enforcing your DMARC policy, but you need to maintain your other policies, or your security will begin to silently crumble. Fraudmarc offers tools that make maintaining all of these policies easier.

3. … Replace a Firewall

DMARC can’t replace firewalls; it secures your email by controlling the use of the domain name. Firewalls monitor the data exchanged between your computer and the internet to make sure it’s not malware.  If an attacker can gain access to your computer or your email account using malware, he can send authenticated emails. Relying on DMARC without a firewall is like locking your window but leaving the door open. It just doesn’t make sense.

4. … Protect Your Inbox

DMARC protects your outbox, but you can still receive phishing emails that spoof other domains. There’s a difference between the target of phishing attacks, the company that is spoofed, and the victims, recipients of the spoofed email. DMARC prevents your company from becoming the target, not the victim. Don’t forget how to identify a phishing email in your inbox. To help with this, Fraudmarc shared some tips in our post about phishing attacks and tax-related services providers.

5. … Stop Phishing Schemes That Are Not Spoofed

Each domain needs its own DMARC policy since DMARC is domain-specific, not company-specific. A company that owns 100 domains should manage 100 DMARC policies. Every domain needs a DMARC policy, even those that don’t send email. In addition, cousin domains (e.g., paypal.com and paypa1.com) are often used for phishing attacks. DMARC can’t stop these emails because a cousin domain is a distinct domain. The best way to deal with cousin domains is to own and secure them.

Similarly, DMARC can’t block emails that “say” they are from your company with an email address that doesn’t match your domain. Anyone can change the text that’s next to the from address. Usually, that says the name of the person or company sending the email, but it can say anything. Since DMARC evaluates the domain name in the from address, it will not stop these emails.

DMARC is … Powerful but Limited

Understanding what DMARC can and can’t do helps businesses effectively use it in combination with other security tools. DMARC doesn’t stop all phishing schemes or protect against every email vulnerability, but it is a powerful tool that can block all spoofed emails and increase deliverability.

Fraudmarc Can Help

Part of Fraudmarc’s mission is to secure every domain with DMARC. We offer plans and tools, including SPF CompressionSM, Email Security Score checking tool, and multiple ESP validation tools. Our app allows businesses to manage and maintain their SPF, DKIM, and DMARC policies and monitor DMARC reports.

For tips on implementing DMARC, see our post on how to implement a reject policy. If you want more hands-on assistance with this process, we are here to help!

Menu