Not all Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies are created equally. The latest North Korean email attacks targeting companies with weakly implemented DMARC policies are an important reminder that p=none shouldn’t be the final place for your DMARC settings.
Thanks to recent industry changes, DMARC adoption has grown throughout the first half of 2024. When looking at the top ten million domains, more than 587,000 domains published a new DMARC record in June compared to the start of the year. This is just a small subset of data; many more DMARC records will likely be added. While new DMARC policies are great, leaving them at p=none still leaves brands vulnerable.
Bad actors actively target domains with a p=none policy, so the goal should be to get to enforcement quickly and safely. However, there are many pitfalls companies can fall into when starting their journey to DMARC enforcement. Discover why your DMARC enforcement policy is more important than you may realize.
Inconsistent enforcement policies let threats slip through
While some DMARC policies are structured and accurate, many inaccurate ones aren’t strict enough to protect your domain. A p=reject policy done independently will likely not be the same as one achieved through a reputable DMARC vendor. Properly implementing DMARC enforcement takes a lot of work and precision, and even one mistake can leave your domain vulnerable, meaning any gaps in coverage can have potentially devastating consequences.
For example, you could set up a Sender Policy Framework (SPF) policy that is too non-restrictive and assumes an email service provider (ESP) sender is allowed. But if you allow an originating email that looks like it’s the ESP but is actually a bad actor using that address, your bad email will get through.
Most ESPs also support DomainKeys Identified Mail (DKIM) authentication (and alignment) to pass DMARC checks successfully. But suppose you’re able to customize the SPF domain to give you both SPF and DKIM alignment. In that case, your email messaging streams are more DMARC resilient and less likely to fail if either SPF fails (as can happen due to forwarding) or DKIM fails (due to something like header rewriting or content encoding issues).
These examples are just some of the many ways you can leave your domain vulnerable to bad actors while attempting to get to enforcement. Getting to enforcement quickly and correctly is even more critical now. Check your domain status for free.
How you get to DMARC enforcement matters
While you can achieve DMARC enforcement on your own, we don’t recommend it. The process can take years, during which your domain will be vulnerable to attacks and misuse. You’ll also have to manage keeping your DNS look-up limit under ten or flattening your SPF records, which puts your business at risk.
Some DMARC vendors will get you to DMARC enforcement, which is great, but if they’ve flattened your SPF record, your DMARC policy isn’t as strong. SPF flattening consists of:
- Combing through large blocks of IP addresses, potentially allowing unauthorized users to send your domain
- Manual maintenance, which becomes complex with multiple sending services
- Lag between IP list updates, resulting in legitimate email failing authentication.
Valimail’s patented Instant SPF automation helps senders circumvent the 10-lookup limit and auto-generates SPF records in real-time as needed to ensure accuracy and improve response time. Instant SPF leverages the EHLO name, which ensures only the customer-specific IPs from allowed services can send authorized email from your domain.
Work with the trusted leader in the industry
Without the right vendor, software, or knowledge, you could have a permissive DMARC policy, and you may not find out until your domain’s already been abused. The best way to protect yourself is to partner with Valimail, the trusted leader in the DMARC space since 2015. We help customers reach enforcement 4x faster than other solutions and 8x faster than implementing DMARC via a do-it-yourself approach.
We’ve perfected our DMARC solution to offer the space’s most accurate and strict enforcement policies. With our patented technology, leadership in industry collaboration, and a fully dedicated team, our clients get the best and safest protection from phishing and spoofing. Our customers have continuously ranked us as the G2 Leader in DMARC software, so you don’t have to just take our word for it:
“Valimail has proven itself to be future-proof because it has scaled to protect us from startup to global corporation. Their solution is easy to set up, and we’ve maintained our DMARC enforcement status since we onboarded.”
Kip Borie | IT Manager, Infrastructure at Reputation
While the North Korean attacks have dominated the headlines, countless other attacks may be occurring. The threat landscape constantly evolves, so it is crucial to implement a strict enforcement policy correctly and prompt for optimal safety.
Our dedicated DMARC team is here to help protect your domain.
