Not all DMARC enforcement policies are created equal

Your DMARC p=reject or quarantine policy may not be as strong as you think it is. Not all DMARC enforcement policies are created equal--learn more here!
not all dmarc enforcement policies

Not all Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies are created equally. The latest North Korean email attacks targeting companies with weakly implemented DMARC policies are an important reminder that p=none shouldn’t be the final place for your DMARC settings. 

Bad actors actively target domains with a p=none policy, so the goal should be to get to enforcement quickly and safely. However, there are many pitfalls companies can fall into when starting their journey to DMARC enforcement. Discover why your DMARC enforcement policy is more important than you may realize. 

Inconsistent enforcement policies let threats slip through

While some DMARC policies are structured and accurate, many inaccurate ones aren’t strict enough to protect your domain. A p=reject policy done independently will likely not be the same as one achieved through a reputable DMARC vendor. Properly implementing DMARC enforcement takes a lot of work and precision, and even one mistake can leave your domain vulnerable, meaning any gaps in coverage can have potentially devastating consequences. 

dmarc-policy-graphic

For example, you could set up a Sender Policy Framework (SPF) policy that is too non-restrictive and assumes an email service provider (ESP) sender is allowed. But if you allow an originating email that looks like it’s the ESP but is actually a bad actor using that address, your bad email will get through. 

Most ESPs also support DomainKeys Identified Mail (DKIM) authentication (and alignment) to pass DMARC checks successfully. But suppose you’re able to customize the SPF domain to give you both SPF and DKIM alignment. In that case, your email messaging streams are more DMARC resilient and less likely to fail if either SPF fails (as can happen due to forwarding) or DKIM fails (due to something like header rewriting or content encoding issues).  

These examples are just some of the many ways you can leave your domain vulnerable to bad actors while attempting to get to enforcement. Getting to enforcement quickly and correctly is even more critical now. Check your domain status for free.

How you get to DMARC enforcement matters

While you can achieve DMARC enforcement on your own, we don’t recommend it. The process can take years, during which your domain will be vulnerable to attacks and misuse. You’ll also have to manage keeping your DNS look-up limit under ten or flattening your SPF records, which puts your business at risk. 

Some DMARC vendors will get you to DMARC enforcement, which is great, but if they’ve flattened your SPF record, your DMARC policy isn’t as strong. SPF flattening consists of:

  • Combing through large blocks of IP addresses, potentially allowing unauthorized users to send your domain
  • Manual maintenance, which becomes complex with multiple sending services
  • Lag between IP list updates, resulting in legitimate email failing authentication.

Valimail’s patented Instant SPF automation helps senders circumvent the 10-lookup limit and auto-generates SPF records in real-time as needed to ensure accuracy and improve response time. Instant SPF leverages the EHLO name, which ensures only the customer-specific IPs from allowed services can send authorized email from your domain. 

Work with the trusted leader in the industry

Without the right vendor, software, or knowledge, you could have a permissive DMARC policy, and you may not find out until your domain’s already been abused.  The best way to protect yourself is to partner with Valimail, the trusted leader in the DMARC space since 2015. We help customers reach enforcement 4x faster than other solutions and 8x faster than implementing DMARC via a do-it-yourself approach.

Average-Rate-of-Enforcement-FINAL
g2 spring 2024 leader

We’ve perfected our DMARC solution to offer the space’s most accurate and strict enforcement policies. With our patented technology, leadership in industry collaboration, and a fully dedicated team, our clients get the best and safest protection from phishing and spoofing. Our customers have continuously ranked us as the G2 Leader in DMARC software, so you don’t have to just take our word for it:

“Valimail has proven itself to be future-proof because it has scaled to protect us from startup to global corporation. Their solution is easy to set up, and we’ve maintained our DMARC enforcement status since we onboarded.”

Kip Borie | IT Manager, Infrastructure at Reputation

While the North Korean attacks have dominated the headlines, countless other attacks may be occurring. The threat landscape constantly evolves, so it is crucial to implement a strict enforcement policy correctly and prompt for optimal safety. 

Our dedicated DMARC team is here to help protect your domain. 

Get started for free
with Monitor

Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.

Explore all Valimail
has to offer

Go one step further than visibility…Take action! Reach DMARC enforcement faster. Stay compliant with evolving sender requirements. All while protecting your brand.

Phishing and BEC protection starts with your domain — verify your DMARC status with the Valimail Domain Checker.