Jul 10, 2020

It’s not your fault: Here’s why you haven’t gotten to DMARC p=reject


DMARC is a powerful email authentication protocol that works at Internet scale, enabling domain owners to control how their domains are used for sending email by publishing policies in DNS. It’s respected by 80% of all inboxes worldwide, which means that if you publish a DMARC record with an enforcement policy, any non-authenticating email will be quarantined (sent to spam) or rejected.

With that power comes a huge responsibility to get it right — or risk inadvertently blocking good email.

Setting an emailing domain to DMARC enforcement protects it from being used by phishers to launch business email compromise, executive spear phishing, exact-domain phishing, and brand impersonation attacks. When DMARC is set to a policy of reject or quarantine, which is what we call “enforcement,” any email that comes from an unauthorized sender will either never be delivered to the intended target, or it will be sent to the recipient’s spam or “junk” folder.

If getting to DMARC enforcement is taking longer than you expected, or if you’re frustrated with the effort required to stay at enforcement, we understand — and we want you to know: It’s not your fault.

It probably hasn’t been easy

We’ve talked to many folks about DMARC and what a hard time they’re having with it.

We’ve heard from Valimail customers that their previous DMARC vendor kept encouraging them to stay the course (and keep paying the consulting fees), “because you are almost there, and you just need to do a little more work.” Unfortunately, they never got “there” until they switched to Valimail.

Other folks wanted to stick with open-source DMARC tools and do it themselves. The logic there is that doing the work in-house is more cost-effective and will give their staff valuable skills and experience.

In either case, the effort to reach DMARC enforcement can require a dedicated team to implement all the changes. The first stage is just figuring out what services you have. You may have to:

  1. Interpret high volumes of XML data dumps from DMARC aggregate reports
  2. Parse through thousands of IP addresses to figure out which cloud platforms and third-party services the IP addresses map to
  3. For email-sending services using an email service provider (ESP), guess which SaaS services are running on which ESP
  4. Determine the business owners in your company for each service
  5. Come up with appropriate policies for which services will be allowed, who will have access to manage them, and on which subdomains

Once you’ve done all the legwork to discover what’s happening on your emailing domain, there’s still more work to do:

  • Configure SPF and DKIM for each email-sending service
  • Determine which DMARC policy you want to use for messages that fail SPF and DKIM authentication
  • Publish DMARC, SPF, and DKIM record updates to DNS
  • Manage the DNS change process for every new service

When it’s time to add a new service, or remove an old one, it’s back to the drawing board. We call this the never-ending cycle of tedium: It can burn out your team members, and it is a big reason why some organizations never reach enforcement.

With a process like this, it is understandable if your domain is not yet at enforcement.

But it really doesn’t have to be so hard

Automation can change the game. Valimail will give you the visibility and control of your email ecosystem so you can identify and authorize all the mail services you want, block or quarantine malicious or unknown senders, and get your domains to enforcement in record time.

Valimail requires very few staff resources to implement and maintain — typically 20% of a regular full-time employee — which is 1/10 of what other solutions require.

But don’t just take our word for it. Join thousands of other organizations that have set up Valimail DMARC Monitor, the industry-leading DMARC visibility solution. It’s free — and you’ll find that the visibility DMARC Monitor offers helps take the tedium out of the DMARC process and get you to enforcement that much quicker.
