Myths and truths of DMARC
DMARC can be a confusing topic: Points of view vary greatly and there is no shortage of misinformation out there. But there are some recurring themes worth unpacking, because the same myths keep coming up again and again. We’d like to take this opportunity to sort through the truth vs. the mythology of DMARC.
Myth #1: DMARC only prevents “bad” email — it doesn’t enable “good” email.
Many people think that DMARC is only about blocking impersonations (aka spoofs, or fraudulent email). Not so long ago, this would have generally been true. However, DMARC is becoming a foundational element to many email marketing advancements. For example, DMARC is a requirement for BIMI, and it’s a foundational security component for AMP email. As mailbox providers continue to improve end-user experience, trust and authentication are key — and DMARC enforcement becomes a must-have for every email marketer.
Myth #2: DMARC is only relevant for the most prominent phishing and spoofing targets out there, like banks and the federal government.
In reality, spoofing affects everyone. According to AIG, business email compromise (an attack driven by email impersonation) has supplanted malware as the number one culprit in cyber insurance claims. Furthermore, Barracuda recently stated that over 80% of all attacks are leveraging brand impersonation as the vector. This is the specific problem that DMARC aims to solve — it’s not only a very real problem but it’s a far-reaching one. Businesses of all sizes and verticals are affected. That is why, in the last three years, the FBI has reported $26 billion in losses to BEC. Companies and domain owners of all kinds are responding to that threat by deploying DMARC — we’ve seen a 500% increase in the number of DMARC records in three years.
Myth #3: Having a DMARC policy is enough — I don’t need to be at enforcement.
While it’s true that DMARC reporting has its fair share of benefits (more on that later), reporting alone doesn’t solve phishing and spoofing problems. Mailbox providers created DMARC’s “monitor mode” (p=none) to help domain owners in moving towards enforcement, not as an end state itself. Having a DMARC policy of “none” is a necessary first step, but does nothing to actually prevent bad actors or improve deliverability. Enforcement (p=quarantine or p=reject) is where you actually get the anti-spoofing protection and deliverability benefits that DMARC offers.
Myth #4: Once I get to DMARC enforcement, my work is done.
DMARC is not as simple as “set and forget.” Email is dynamic. At most companies, new vendors are constantly being added to the list of service providers. Meanwhile, vendors often change their own underlying email infrastructure. It’s critical to leverage DMARC services that help you stay on top of these changes. While getting to enforcement is often the most significant challenge, staying there requires attention and help.
Truth #1: DMARC is difficult, I need someone to help me.
DMARC comes with its fair share of complexity. Going at it alone is tedious and is often met with less than stellar results: Only about 1 in 5 large organizations ever make it to enforcement and the cost is significant. Conversely, about 90% of Valimail customers make it to enforcement in 12 months or less. It’s far more effective and cost efficient to outsource.
Truth #2: DMARC reporting provides visibility that is inherently valuable
This is true! The data provides valuable insight. You’ll be able to gather an inventory of your outbound sending sources, see how well your email is authenticated, and get a sense for how significant of a target your domains are for bad actors. We believe everyone should have access to this type of data. In that spirit, we’ve established a free visibility solution designed for the entire email ecosystem. You can learn more about this program here.
Truth #3: DMARC can easily be done incorrectly
We see two areas where DMARC is either done incorrectly or not fully leveraged:
- When organizations attempt to ‘do it themselves’, we see a variety of issues. As mentioned above, 4 out of 5 companies attempting DMARC projects never make it to enforcement, and those that do often inadvertently cause legitimate email traffic to be blocked.
- Most DMARC vendors are simply visibility tools at their core. While they do occasionally get senders to enforcement, it happens infrequently. Due to this, many vendors have the same 20% success rate as the “do it themselves” crowd, while the very best barely get 40% of their customers to enforcement within 12 months. As a result, these approaches wind up being far more costly than the solutions’ sticker prices would indicate: Companies lose time and spend money on staff resources and consulting fees.
We believe there’s a better way to do it. Valimail was built on the premise that email authentication is not just for the top 1% of domains, but should be available for all. To deliver on that premise, we’re taking the position that visibility should be free — and enforcement should be done in a cost- and time-efficient manner. To learn more about our free visibility solution, click here — or you can request a free phishing analysis for your own domain.