DMARC challenges: Here’s why you haven’t reached DMARC p=reject

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a powerful email authentication protocol that works at a large scale, enabling domain owners to control how their domains are used for sending email by publishing policies in DNS. It’s respected by 80% of all inboxes worldwide, which means that if you publish a DMARC record with an enforcement policy, any non-authenticating email will be quarantined (sent to spam) or rejected.

With that power comes a huge responsibility to get it right — or risk inadvertently blocking good email.

But getting to a policy of p=reject is one of the biggest DMARC challenges. If getting to DMARC enforcement is taking longer than you expected, or if you’re frustrated with the effort required to stay at enforcement, we understand—and we want you to know: It’s not your fault.

What is DMARC enforcement?

Setting an emailing domain to DMARC enforcement protects it from being used by phishers to launch:

• Business email compromise
• Executive spear phishing
• Exact-domain phishing
• Brand impersonation attacks

When DMARC is set to a policy of reject or quarantine, which is what we call “enforcement,” any email that comes from an unauthorized sender will either never be delivered to the intended target or it will be sent to the recipient’s spam or “junk” folder.

There are three DMARC policies:

The DMARC p=none policy is a monitoring policy. It doesn’t protect your domain, but it’s a great place to start your DMARC journey. The quarantine policy will flag or quarantine unauthorized emails, but they still get delivered. The best policy is p=reject as it will block unauthorized emails from ever getting to the inbox. However, getting to p=reject is the most challenging.

Check your domain’s DMARC, SPF, and BIMI records for free here with our domain checker.

DMARC Implementation Isn’t Easy

We’ve talked to many companies about DMARC and what a hard time they’re having with implementing it. One of our customers, Reputation, was struggling to find the right solution. They found that many companies offered either expensive consulting services or a single-sided solution that was limited to inbound and outbound email defense around spam and phishing emails.

But then they found Valimail, the only complete anti-phishing solution to protect their people internally and externally. After using our DMARC solutions like Enforce, they got to DMARC enforcement in less than 6 months with a 96% average DMARC pass rate. In addition, they’ve blocked about 4,000 phishing emails per month since 2018.

“Valimail has proven itself to be future-proof because it has scaled to protect us from startup to global corporation. Their solution is easy to set up and we’ve maintained our DMARC enforcement status since we onboarded.”

Kip Borie, IT Manager, Infrastructure at Reputation

While companies like Reputation have seen success using our products, many companies still want to take a DIY approach to DMARC, assuming that doing the work in-house is more cost effective and will give their staff valuable skills and experience.

In either case, the effort to reach DMARC enforcement can require a dedicated team to implement all the changes. The first stage is just figuring out what services you have. You may have to:

1. Interpret high volumes of XML data dumps from DMARC aggregate reports
2. Parse through thousands of IP addresses to figure out which cloud platforms and third-party services the IP addresses map to
3. For email-sending services using an email service provider (ESP), guess which SaaS services are running on which ESP
4. Determine the business owners in your company for each service
5. Come up with appropriate policies for which services will be allowed, who will have access to manage them, and on which subdomains

Once you’ve done all the legwork to discover what’s happening on your emailing domain, there’s still more work to do:

• Configure SPF and DKIM for each email-sending service
• Determine which DMARC policy you want to use for messages that fail SPF and DKIM authentication
• Publish DMARC, SPF, and DKIM record updates to DNS
• Manage the DNS change process for every new service

When it’s time to add a new service or remove an old one, it’s back to the drawing board. This never-ending cycle can burn out your team members, and it is a big reason why some organizations never reach enforcement. With a process like this, it is understandable if your domain is not yet at enforcement.

Common DMARC challenges

It’s not easy—we get it. Especially when you partner with a solution or consultant that doesn’t have the tools and know-how to expedite your journey to DMARC at enforcement.

Here’s a quick list of common DMARC challenges you might be facing (and next, we’ll cover how to solve them all quickly):

1. Complexity of Email Infrastructure: Navigating through a complex web of email servers, third-party services, and cloud platforms can be daunting and time-consuming.
2. High Volume of DMARC Reports: Analyzing large volumes of DMARC aggregate reports, often in XML format, requires significant effort and technical expertise.
3. Identifying Legitimate Email Sources: Determining which IP addresses correspond to authorized email services and distinguishing them from unauthorized sources.
4. Managing SPF and DKIM Records: Properly configuring and maintaining SPF and DKIM records for each email-sending service can be challenging, especially for organizations with multiple domains.
5. Policy Decision Making: Deciding on the appropriate DMARC policy (none, quarantine, reject) for messages that fail authentication and understanding the implications of each.
6. DNS Management: Regularly updating DNS records for DMARC, SPF, and DKIM, especially when adding or removing services, can be cumbersome.
7. Ongoing Maintenance: Keeping up with changes in email infrastructure, such as adding new services or phasing out old ones, requires continuous attention.
8. Lack of Expertise: Limited in-house expertise in DMARC implementation can lead to prolonged or unsuccessful attempts at reaching enforcement.
9. Email Deliverability Concerns: Fears about mistakenly blocking legitimate emails can lead to hesitation in moving to a stricter DMARC policy. But if implemented correctly, it can actually improve your deliverability.
10. Understanding DMARC Reports: Interpreting DMARC reports and translating them into actionable insights can be a significant barrier for those unfamiliar with the specifics of email authentication.

Automated solutions like Valimail DMARC Enforce offer a way to simplify this process, providing the necessary tools and insights to overcome these hurdles effectively.

DMARC enforcement doesn’t have to be that hard

Automation can change the game. Valimail will give you visibility and control of your email ecosystem so you can identify and authorize all the mail services you want, block or quarantine malicious or unknown senders, and get your domains to enforcement in record time.

Valimail requires very few staff resources to implement and maintain — typically 20% of a regular full-time employee — which is 1/10 of what other solutions require.

But don’t just take our word for it.

Join thousands of other organizations that have set up Valimail DMARC Monitor, the industry-leading DMARC visibility solution. It’s free—and you’ll find that the visibility DMARC Monitor offers helps take the tedium out of the DMARC process and get you to enforcement that much quicker.