So, why haven’t you properly set up DMARC yet?

Are you risking your business’s reputation and security by ignoring DMARC – or by not having it set up correctly?

Cyber threats continue to rise and securing your email infrastructure should be a top priority for your business. Every day, an estimated 3.4 billion spam emails are sent, making phishing the most common form of cybercrime. The average data breach costs an organization over $4 million. Implementing DMARC is one of the most effective ways to protect your business from these dangerous attacks.

The race to adopt DMARC kicked into high gear in early 2024 when Google and Yahoo announced new requirements for bulk email senders to have a valid DMARC record. This shift has accelerated DMARC adoption worldwide. According to data from DMARC provider Valimail, by the end of February 2024, more than half a million of the top 10 million domains had published a DMARC record – and this trend looks set to only ramp up.

However, not all DMARC policies offer equal protection. While Google and Yahoo allow a “p=none” policy – the weakest DMARC setting – this alone is not enough to fully protect your domain.

If you’re a domain owner without DMARC, or if you’re using the “p=none” policy, you’re missing a vital layer of defense. Now is the time to take action and secure your business- so, what’s holding you back?

In this article, we’ll discuss why DMARC is essential, how it can safeguard your business, and why adopting a strong policy should be high on your cybersecurity to-do list.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol designed to protect domain owners from email spoofing. This protocol allows domain owners to specify which mechanisms are used to authenticate email messages and what to do with those that fail to pass authentication checks. When implemented correctly, DMARC can help:

• Protect your brand.
• Reduce the risk of phishing attacks.
• Improve your email deliverability.

DMARC relies on two other protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to verify the legitimacy of incoming emails. SPF records define which servers and domains are authorized to send emails on your behalf. DKIM adds a digital signature to outgoing emails, verifying that the sender is legitimate.”

SPF and DKIM work in isolation from each other, and it is quite a lot of work to deploy both protocols correctly at the same time. This means that some authentic, legitimate emails may slip between the cracks and still end up in spam folders. Now, this is exactly is where DMARC comes in.  

DMARC combines SPF and DKIM to make email authentication smoother and more effective. A large improvement of DMARC, compared to SPF and DKIM, is that this protocol shows automated aggregate and failure reports about all outbound emails to domain owners. This helps you keep track of all outgoing email flows and makes it easier to catch a potential abuse attempt.

Why DMARC matters

Cybercriminals are becoming more sophisticated, and email phishing attacks continue to be one of the most common methods for infiltrating organizations. If someone is spoofing your domain, they can send fraudulent emails that appear to be from your company. This could lead to severe consequences, such as:

• Reputation damage: If recipients receive spam or malicious emails that appear to be from your company, it can damage trust in your brand.
• Phishing attacks: Cybercriminals often use spoofed emails to deceive recipients into revealing sensitive information, such as login credentials or financial details.
• Loss of customer trust: Customers may stop engaging with your emails altogether if they suspect your domain is being used for fraudulent purposes.
• Financial loss: Phishing attacks often result in financial losses, whether through direct fraud or the costs associated with resolving the aftermath of an attack.

Moreover, not having DMARC properly configured may also mean that your emails will no longer be delivered as usual, ending up instead in your customers’ spam boxes – or no longer being delivered at all.

DMARC verifies that emails from your domain are legitimate, protecting your brand and ensuring smooth email delivery.

Addressing common doubts around DMARC implementation

Despite its benefits, many domain owners are hesitant to set up DMARC. Here are some of the common reasons and why they shouldn’t hold you back:

1. Perceived complexity: DMARC may seem complex, especially if you’re not familiar with email authentication protocols. Changing DNS records and dealing with complicated aggregate reports are challenges that hold many people back. However, with the right tools and resources, implementing DMARC can be straightforward. You don’t need to be a cybersecurity expert to get started. Tools like EasyDMARC offer user-friendly interfaces and support to guide you through the process.
2. Fear of misconfiguration: Setting up DMARC incorrectly can indeed lead to issues, such as legitimate emails being marked as spam. This is why it’s essential to implement DMARC in “monitoring” mode first before moving up to a stricter policy. This mode allows you to observe how your emails are being handled without affecting your email flow, giving you time to fine-tune your settings before moving to enforcement.
3. Believing that it’s unnecessary: Some businesses believe that DMARC is only for large corporations or high-profile domains. However, every domain owner, regardless of size, can benefit from DMARC. In fact, cybercriminals often target small and medium-sized businesses, assuming they have fewer security measures in place.

How do you get started with DMARC?

If you haven’t set up DMARC yet, now is the time to take action!

To add a DMARC record, you will need to manually set up the DMARC CNAME or TXT record in your domain’s DNS zone. Out of these two options, we strongly recommend adding a CNAME record, which is a simpler process. Adding a TXT record takes more manual work, but you may prefer adding a TXT record in some cases.

You can find detailed instructions on setting up the DMARC CNAME or TXT record on the website of the Global Cyber Alliance.

As soon as you have added the DMARC CNAME or TXT record to your domain’s DNS zone (either automatically or manually), you will start receiving aggregate and failure reports by email. In general, it will take 4-6 weeks before you have gathered enough data for you to start tailoring it to your needs and basing decisions in your email strategy on the results.

Which DMARC policy should you choose?

To set up DMARC after you add the DMARC record to your domain, you need to choose the right policy for you. Your DMARC policy allows you to indicate that your outgoing email messages are compliant with SPF and DKIM, and to tell receiving email clients what to do with unauthenticated emails that appear to come from your domain. You can set up DMARC with three different policies: monitoring (p=none), quarantine (p=quarantine), and reject (p=reject).

The monitoring policy (p=none) is the entry-level DMARC policy. If you have this policy enabled, DMARC will simply monitor your sending sources without taking action regarding illegitimate emails. Unauthorized emails from your domain can therefore still end up in your contacts’ inboxes. However, you can analyze the data and find out who or what is sending these emails from your domain.

The quarantine policy (p=quarantine) is the next “step” on the ladder. This policy will automatically redirect unauthorized messages from your domain to the receivers’ spam boxes.

Finally, enabling the reject policy (p=reject) will tell receiving email clients to prevent all messages that come from unauthorized sources from being delivered. In this case, unauthorized messages from your domain will not even end up in spam boxes. They will simply never arrive in your contacts’ mailboxes.

When you are starting to use DMARC, we recommend you start with the monitoring policy. Many beginners jump straight to the reject policy. Of course, no one wants any spam that comes from their domain to end up in their customers’ mailboxes. However, in most cases, this policy will also reject legitimate and important emails from your side, as you have likely not configured your email well when you are just starting out. We therefore recommend starting with the monitoring and quarantine policies and slowly working your way up to reject, while carefully analyzing the data that you receive through DMARC’s aggregate reports. 

However, it’s important not to stay at the monitoring policy (p=none) longer than necessary. While DMARC may be technically “enabled” with p=none, this setting doesn’t stop unauthorized emails from being delivered. Fraudulent emails can still land in your customers’ inboxes, which is exactly what you want to avoid. This policy is a good starting point to monitor your email activity, but it doesn’t provide full protection. As soon as you’ve gathered enough data, you should move to a stronger policy like p=quarantine or p=reject to protect your domain from phishing, spoofing, and other email-based attacks.

Not sure? Start with EasyDMARC!

For domain owners seeking an easier way to implement DMARC, EasyDMARC is here to help. This easy-to-use tool simplifies the full process of setting up and managing DMARC, from creating and managing DMARC records to monitoring aggregate and failure reports and providing actionable insights.

Don’t let perceived complexity, fear of misconfiguration, or lack of awareness keep you from securing your email domain. Setting up DMARC is a straightforward way to enhance your cybersecurity posture, protect your brand, and build trust with your customers.

Don’t delay – protect your business and your customers by setting up DMARC today!