Valimail blog

If DMARC is so great, why isn’t everyone doing it?

Author: Valimail
Idea, learning, technology

Almost 90% of email attacks are based on fake sender identities, either of brands (83%) or individuals (6%), according to recent research. One type of impersonation — what is known as exact-domain impersonation — occurs when scammers use a domain in the “From” field of the message that is actually owned by the organization they’re impersonating. But this type of impersonation can be stopped by email authentication.

Email authentication — verifying that an email really does come from the domain it says it comes from — is based on widely accepted standards. Over 80% of email inboxes worldwide will do authentication checks to validate that the sender is allowed to use the domain in the “From” field. There’s just one catch: For domain owners, getting it right is technically difficult.

The cornerstone standard for email sender identity authentication is DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC is a technical specification that effectively stops exact-domain phishing attacks by preventing unauthorized use of a domain in the “From” address of email messages. DMARC has been embraced by major consumer mailbox providers, including Gmail, AOL, Microsoft, and Yahoo Mail. In fact, more than 5 billion consumer mailboxes worldwide (and 100% of major U.S. consumer mailboxes) respect the DMARC standard, according to Valimail’s Email Fraud Landscape.

What makes it so difficult to implement DMARC?

The details of implementing DMARC are not widely understood, and the specification contains subtleties that many messaging professionals are not familiar with. What’s more, it relies on two other standards, SPF and DKIM, which are themselves tricky to implement and error-prone. For most companies, getting all three specifications right is tedious and easy to get wrong.

DMARC poses a particular challenge for small and midsize companies, who do not have the IT resources or depth of messaging experience to learn about the trio of standards it comprises and ensure that they are implemented correctly. But we have found that it’s not just small companies that have trouble implementing DMARC correctly. Even large organizations have run into trouble.

For instance, Alibaba.com has implemented DMARC, but is not actually enforcing authentication, and therefore has not used authentication to block the recurring phishing attacks it has been encountering. That’s because it has been using DMARC in the p=none configuration for several years — which means DMARC has been set up, but it’s not turned on. You can check Alibaba.com’s DMARC status using our free, instant domain checker, which pulls data from the publicly available DNS records for that domain.

We’re not singling out Alibaba, as many other organizations face exactly the same problems. Plug your favorite domains into our DMARC and SPF validation tool to find out how they fare.

One common stumbling block is alignment. DMARC relies on two other email authentication standards, SPF and DKIM. However, an email message that successfully validates on SPF and DKIM might still fail DMARC authentication. That’s because DMARC requires the SPF and DKIM identifiers to be “aligned” with the human-readable “From” address — an important step if you’re going to prevent fraud. In cases where SPF or DKIM authenticates with an identity whose domain doesn’t match the domain in the human-readable “From” address, the non-matching authentication result is simply discarded, and the message will fail DMARC authentication.

Often companies are reluctant to move DMARC to an enforcement policy (p=reject or p=quarantine) because they have significant SPF configuration issues that they must first resolve. If you move to DMARC enforcement but still have SPF problems, you run the risk of blocking “good” email by accident.
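The two points above (a p=none record counts as "set up but not turned on", and an SPF or DKIM pass only helps DMARC when its identifier aligns with the From domain) are easiest to see in code. The following is an added worked example written for this post; it is not Valimail’s code and not the domain checker. It evaluates a message against constructed DMARC records for example.com and example.org held in an in-memory table (no real DNS is queried), and the organizational_domain helper is a deliberate two-label approximation of what a real evaluator derives from the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample zone data (not real records): DMARC TXT records keyed by DNS name.
# example.com is at enforcement; example.org is "set up but not turned on" (p=none).
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}

ENFORCING = {"quarantine", "reject"}


def organizational_domain(domain: str) -> str:
    """Toy organizational-domain derivation: the last two labels.
    A real evaluator uses the Public Suffix List (example.co.uk needs three)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(txt: str) -> bool:
    """True only for p=quarantine or p=reject; p=none is monitoring only."""
    tags = parse_dmarc(txt)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ENFORCING


def identifiers_aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def lookup_policy(from_domain: str, dns: Dict[str, str]) -> Tuple[Dict[str, str], Optional[str]]:
    """Find the record for the From domain, falling back to the organizational
    domain (where the 'sp' tag governs subdomains). Returns (tags, applicable policy)."""
    txt = dns.get(f"_dmarc.{from_domain.lower()}")
    if txt is not None:
        tags = parse_dmarc(txt)
        return tags, tags.get("p", "").lower() or None
    txt = dns.get(f"_dmarc.{organizational_domain(from_domain)}")
    if txt is None:
        return {}, None
    tags = parse_dmarc(txt)
    return tags, (tags.get("sp") or tags.get("p", "")).lower() or None


@dataclass
class DmarcOutcome:
    policy: Optional[str]      # None when the domain publishes no DMARC record
    spf_aligned: bool
    dkim_aligned: bool
    dmarc_pass: bool
    disposition: str           # "none", "quarantine" or "reject"


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=SAMPLE_DNS):
    """spf_result/dkim_result are the raw authentication results ("pass", "fail", "none");
    spf_domain is the envelope-from (MAIL FROM) domain, dkim_domain the d= of a passing signature."""
    tags, policy = lookup_policy(from_domain, dns)
    if policy is None:
        return DmarcOutcome(None, False, False, False, "none")
    # An SPF or DKIM pass only counts for DMARC when its identifier aligns with the From domain.
    spf_ok = spf_result == "pass" and identifiers_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and identifiers_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    disposition = policy if (not passed and policy in ENFORCING) else "none"
    return DmarcOutcome(policy, spf_ok, dkim_ok, passed, disposition)


if __name__ == "__main__":
    # A third-party sender: SPF passes on its own domain, DKIM is signed with a subdomain; adkim=s rejects it.
    print(evaluate("example.com", "pass", "mailer.esp-example.net", "pass", "news.example.com"))
    # The same misconfiguration under a p=none domain produces no blocking at all.
    print(evaluate("example.org", "pass", "mailer.esp-example.net", "none", None))
```

The first call in the usage block is the situation the post describes: both SPF and DKIM pass, yet the message fails DMARC and is rejected because neither identifier aligns with example.com. The second shows why p=none gives no protection: the result is still a DMARC failure, but the disposition stays "none".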

The SPF lookup limit creates problems for authentication

Another problem is the SPF lookup limit. As part of evaluating whether an email message passes SPF authentication, a receiving mail server may have to make one or more DNS lookups. To prevent denial of service attacks, only the first 10 of those DNS lookups are evaluated. Companies whose SPF records include more than 10 lookups will run into trouble, because messages may fail authentication if the indicated domain appears too late in the list.

To work around this limitation, many messaging administrators hard-code IP addresses into their SPF records. But that is another fragile solution: IP addresses are easy to mistype, they are not easily readable by humans, and servers’ IP addresses may change.
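To see how quickly a modest set of vendors exhausts the limit, here is an added example written for this post (not Valimail’s Instant SPF or any product code). It walks a constructed set of SPF records held in an in-memory table and counts the DNS-querying terms the way a receiver does, following include: and redirect= into their targets and guarding against include loops. All domains and records are invented; example.org shows the hard-coded-IP workaround, which costs no lookups at all.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zone (none of these are real records): SPF TXT records keyed by domain.
SAMPLE_SPF: Dict[str, str] = {
    "example.com": ("v=spf1 mx include:_spf.mailhost.example include:crm.example "
                    "include:ticketing.example ip4:203.0.113.10 -all"),
    "_spf.mailhost.example": "v=spf1 include:spf-a.mailhost.example include:spf-b.mailhost.example ~all",
    "spf-a.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf-b.mailhost.example": "v=spf1 a mx -all",
    "crm.example": "v=spf1 include:spf1.crm.example include:spf2.crm.example -all",
    "spf1.crm.example": "v=spf1 a:mail.crm.example exists:%{i}.spf.crm.example -all",
    "spf2.crm.example": "v=spf1 mx redirect=spf1.crm.example",
    "ticketing.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # The hard-coded-IP workaround: no DNS-querying terms at all.
    "example.org": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
}

LOOKUP_LIMIT = 10
# Mechanisms that cost a DNS query (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def _walk(domain: str, dns: Dict[str, str], trail: List[Tuple[str, int]], path: Tuple[str, ...]) -> None:
    """Append every DNS-querying term reachable from `domain` to `trail` as
    (term, running count), recursing into include: and redirect= targets.
    `path` is the chain of records being evaluated and guards against loops."""
    domain = domain.lower()
    if domain in path:
        return
    record = dns.get(domain)
    if record is None:
        return
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return
    redirect: Optional[str] = None
    for term in terms[1:]:
        body = term.lstrip("+-~?")             # drop the qualifier
        if "=" in body:                         # modifier (redirect=, exp=)
            name, _, value = body.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        name, _, target = body.partition(":")
        name = name.split("/")[0].lower()       # "a/24" -> "a"
        if name in DNS_MECHANISMS:
            trail.append((f"{domain}: {body}", len(trail) + 1))
            if name == "include":
                _walk(target, dns, trail, path + (domain,))
    if redirect:                                # redirect is consulted after all mechanisms
        trail.append((f"{domain}: redirect={redirect}", len(trail) + 1))
        _walk(redirect, dns, trail, path + (domain,))


def count_lookups(domain: str, dns: Dict[str, str] = SAMPLE_SPF) -> Tuple[int, List[Tuple[str, int]]]:
    """Total DNS-querying terms for a domain's SPF evaluation, plus the ordered trail."""
    trail: List[Tuple[str, int]] = []
    _walk(domain, dns, trail, ())
    return len(trail), trail


def first_term_over_limit(domain: str, dns: Dict[str, str] = SAMPLE_SPF) -> Optional[str]:
    """The term whose lookup pushes evaluation past the limit, or None. A real
    receiver returns permerror at that point, so SPF fails for the message."""
    for term, n in count_lookups(domain, dns)[1]:
        if n > LOOKUP_LIMIT:
            return term
    return None


if __name__ == "__main__":
    for d in ("example.com", "example.org"):
        total, trail = count_lookups(d)
        print(f"{d}: {total} lookups (limit {LOOKUP_LIMIT})")
        for term, n in trail:
            print(f"  {n:2d} {term}")
        print("  first term over limit:", first_term_over_limit(d))
```

Run as written, example.com comes out at 16 lookups from only three vendor includes plus its own mx, and the trail shows that everything from the second CRM include onward sits past the limit. Counting this way before each change to the record is the check to run; flattening to ip4 terms (as example.org does) removes the lookups but takes on the maintenance burden the post describes.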

What’s more, maintenance is an issue — keeping server addresses up to date, for instance, and refreshing DKIM keys on a regular basis.

Overcoming the DMARC learning curve

If the learning curve is too daunting, the Valimail platform can greatly simplify the process of setup, configuration, and ongoing maintenance of your DMARC authentication.

Whether you choose to implement DMARC yourself or outsource it to Valimail, you need to familiarize yourself with the standard and the importance of authenticated email. The future of authenticated email is coming. The question is how quickly you can get ready for it.

Valimail provides a wide range of resources on DMARC and email authentication, but a good place to start is this 90-second video on the DMARC process and where many people get blocked:

For more information, please see these additional resources:

  • So you’ve started a DMARC record… now what? [EBook]
  • Operationalizing Email Authentication: A Systematic Approach to Email Authentication [White Paper]
  • DMARC for Email Service Providers (ESPs) [FAQ]
Published August 30, 2019
  • DMARC
  • Email
  • Email Authentication
Author: Valimail
Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.