Aug 30, 2019

If DMARC is so great, why isn’t everyone doing it?

iStock-864458910-920×517-c-default

Almost 90% of email attacks are based on fake sender identities, either of brands (83%) or individuals (6%), according to recent research. One type of  impersonation — what is known as exact-domain impersonation — occurs when scammers use a domain in the “From” field of the message that is actually owned by the organization they’re impersonating. But this type of impersonation can be stopped by email authentication.

Email authentication — verifying that an email really does come from the domain it says it comes from — is based on widely accepted standards. Over 80% of email inboxes worldwide will do authentication checks to validate that the sender is allowed to use the domain in the “From” field. There’s just one catch: For domain owners, getting it right is technically difficult.

The cornerstone standard for email sender identity authentication is DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC is a technical specification that effectively stops exact-domain phishing attacks by preventing unauthorized use of a domain in the “From” address of email messages. DMARC has been embraced by major consumer mailbox providers, including Gmail, AOL, Microsoft, and Yahoo Mail. In fact, more than 5 billion consumer mailboxes worldwide (and 100% of major U.S. consumer mailboxes) respect the DMARC standard, according to Valimail’s Email Fraud Landscape.

What makes it so difficult to implement DMARC?

The details of implementing DMARC are not widely understood. It contains some subtleties that many messaging pros are not familiar with. What’s more, it relies on two other standards, SPF and DKIM, which are themselves tricky to implement and error-prone. The specs are tricky and tedious for most companies to implement.

DMARC poses a particular challenge for small and midsize companies, who do not have the IT resources or depth of messaging experience to learn about the trio of standards it comprises and ensure that they are implemented correctly. But we have found that it’s not just small companies that have trouble implementing DMARC correctly. Even large organizations have run into trouble.

For instance, Alibaba.com has implemented DMARC, but is not actually enforcing authentication, and therefore has not used authentication to block the recurring phishing attacks it has been encountering. That’s because it has been using DMARC in the p=none configuration for several years — which means DMARC has been set up, but it’s not turned on. Click here to check Alibaba.com’s DMARC status using our free, instant domain checker, which pulls data from publicly available DNS records for that domain.


We’re not singling out Alibaba, as many other organizations face exactly the same problems. Plug your favorite domains into our DMARC and SPF validation tool to find out how they fare.


For instance, DMARC relies on two other email authentication standards, SPF and DKIM. However, an email message that successfully validates on SPF and DKIM might still fail DMARC authentication. That’s because DMARC requires the SPF and DKIM addresses to be “aligned” with the human-readable “From” address — an important step if you’re going to prevent fraud. In cases where SPF or DKIM authenticates with an identity whose domain doesn’t match the domain in the human-readable “From” address, the non-matching authentication result is simply discarded, and the message will fail DMARC authentication.

Often companies are reluctant to move DMARC to an enforcement policy (p=reject or p=quarantine) because they have significant SPF configuration issues that they must first resolve. If you move to DMARC enforcement but still have SPF problems, you run the risk of blocking “good” email by accident.

The SPF lookup limit creates problems for authentication

Another problem is the SPF lookup limit. As part of evaluating whether an email message passes SPF authentication, a receiving mail server may have to make one or more DNS lookups. To prevent denial of service attacks, only the first 10 of those DNS lookups are evaluated. Companies whose SPF records include more than 10 lookups will run into trouble, because messages may fail authentication if the indicated domain appears too late in the list.

To work around this limitation, many messaging administrators hard-code IP addresses into their SPF records. But that is another fragile solution, because it is easy to mis-type IP addresses, these addresses are not easily readable by humans, and servers’ IP addresses may change.

What’s more, maintenance is an issue — keeping server addresses up to date, for instance, and refreshing DKIM encryption keys on a regular basis.

Overcoming the DMARC learning curve

If the learning curve is too daunting, the Valimail platform can greatly simplify the process of setup, configuration, and ongoing maintenance of your DMARC authentication.

Whether you choose to implement DMARC yourself or outsource it to Valimail, you need to familiarize yourself with the standard and the importance of authenticated email. The future of authenticated email is coming. The question is how quickly you can get ready for it.

Valimail provides a wide range of resources on DMARC and email authentication, but a good place to start is this 90 second video on the DMARC process and where many people get blocked:

For more information, please see these additional resources:

Subscribe to our newsletter