Debunking 10 Popular Myths about DMARC
As the threat landscape changes, more and more organizations are using the DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol to protect their domains against phishing, spoofing, compromise, and other email threats. DMARC is a very powerful defense against these when used correctly.
However, how DMARC works and how it guards senders against fraud, impersonation, and domain spoofing may not be clear to many marketers and site owners. This lack of understanding can lead to serious misconceptions about email authentication, DMARC, and its benefits, and those misconceptions can leave businesses with security gaps.
This article debunks the 10 most popular myths about how DMARC works and how it is used, to help you better understand why implementing it is necessary in today’s email infrastructure.
Myth #1. DMARC Will Block Spam in My Inbox.
This misconception probably stems from the two enforcement policies the DMARC protocol lets a domain owner apply: quarantine and reject. Some domain owners believe these policies are applied to the inbound emails arriving in their own mailboxes.
The truth is that the policy in a DMARC record published for a domain is applied, by the receiving mail servers, to the email messages sent on behalf of that domain, i.e. to outbound emails.
Myth #2. Small Senders Don’t Need DMARC.
The use of DMARC is not limited to big businesses or international corporations.
Every organization is susceptible to cyberattacks. Any domain may be subject to spoofing, phishing, and other malicious activity. Thus, every company should set up DMARC authentication to confirm the legitimacy of its emails and to guard against bad actors abusing its domain and reputation.
Myth #3. I Don’t Need DMARC Because I Don’t Send Emails.
If your domain is public, it may become the victim of a spoofing attack regardless of whether you use it to send email. It’s highly advised to publish a DMARC record with the ‘p=reject’ policy for such a domain to prevent spam and phishing activity carried out in its name.
Myth #4. After I Set up DMARC, My Domain Cannot Be Spoofed.
Implementing DMARC cannot prevent bad actors from spoofing a domain and sending scam and phishing emails on its behalf. The point of DMARC is to give you visibility into your email sending sources and to instruct email receivers on what to do with messages sent by unauthorized senders.
With a DMARC enforcement policy, you tell email receivers to quarantine or reject messages sent by someone pretending to be you. This way, you protect email recipients from spam and you preserve your domain’s reputation by avoiding user complaints about spam sent from your domain.
Myth #5. Setting the Policy to ‘None’ is Sufficient.
Although the ‘p=none’ policy generates DMARC reports, it does not shield your domain from phishing, spoofing, or other online dangers. This policy should be used only for testing and monitoring, to determine which emails sent on behalf of your domain authenticate successfully and which do not.
It’s critical to change your DMARC policy to ‘p=quarantine’ or ‘p=reject’ for full enforcement and improved protection once the monitoring phase is over. The safest way to move to enforcement is to use the ‘pct=’ tag in the DMARC record and raise the percentage in small steps until you reach 100%.
Myth #6. DMARC Cannot Be Used Without SPF and DKIM.
Although setting up SPF, DKIM, and DMARC together is the best practice, you can still publish a DMARC record before configuring SPF and DKIM. Make sure to set the DMARC policy to ‘p=none’ so that email receivers are not instructed to quarantine or reject your legitimate emails. Before you can enforce your DMARC policy, however, the SPF record and DKIM signing must be in place.
Myth #7. The ‘Reject’ Policy Will Block All of My Emails.
A DMARC policy is applied only to the email messages that fail DMARC authentication. Therefore, it’s recommended to set the ‘p=reject’ policy only after thorough monitoring and after fixing the authentication failures the reports reveal. This way, the enforcement policy lets your legitimate emails reach the recipient’s mailbox while guarding recipients from scams and spam pretending to come from your domain.
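Myths #5 and #7 both come down to how a receiver evaluates a message against the published record. The following Python model is an added illustration (not the article’s or GlockApps’ code) of that decision: the policy is applied only to mail that fails aligned SPF/DKIM, ‘p=none’ reports but takes no action, and messages outside the ‘pct=’ sample get the next weaker policy. The function names are hypothetical and alignment is simplified to an exact domain match.

```python
"""Simplified DMARC receiver-side decision. Added example, not GlockApps code.

A receiver looks up the DMARC record of the domain in the message's From:
header, the domain being claimed, which is why a policy governs mail sent
in your name rather than mail arriving in your inbox. The policy applies only
to messages that fail aligned SPF/DKIM. Alignment is simplified to an exact
domain match; relaxed organizational-domain matching is omitted.
"""
import random

def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; pct=50; rua=mailto:...' into a tag dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # simplification: RFC 7489 makes p= mandatory
    tags.setdefault("pct", "100")
    return tags

def dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes if SPF or DKIM passed AND that identifier's domain aligns with From:."""
    spf_aligned = spf_pass and spf_domain.lower() == from_domain.lower()
    dkim_aligned = dkim_pass and dkim_domain.lower() == from_domain.lower()
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

def disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, sample=None):
    """Return (dmarc_result, disposition) where disposition is none/quarantine/reject.

    sample is a number in [0, 100); a message with sample >= pct falls outside the
    enforced fraction and gets the next weaker policy (RFC 7489 section 6.6.4),
    which is what makes stepping pct= up in small increments safe.
    """
    tags = parse_dmarc_record(record)
    result = dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain)
    if result == "pass":
        return result, "none"       # authenticated mail is never touched, even under p=reject
    policy = tags["p"]
    if sample is None:
        sample = random.uniform(0, 100)
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return result, policy
```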
Myth #8. DMARC Reports Are Useless As I Cannot Understand Them.
It’s true that DMARC aggregate and forensic reports are delivered in an XML format and are hard for a human to read. However, these reports provide the information needed to monitor email sending sources and email authentication outcomes. Without it, email senders cannot tell when they can enforce their DMARC policy without harming the deliverability of their legitimate emails.
It’s highly advised to include in your DMARC record the email addresses that should receive the reports. Automated tools like GlockApps DMARC Analyzer make processing DMARC aggregate and forensic reports easy.
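Hard to read is not the same as useless: an aggregate report is regular XML, and a few lines of code turn it into the per-source view a domain owner needs before enforcing. The parser below is an added example (not the article’s or GlockApps’ code); the report it parses is a constructed sample in the RFC 7489 Appendix C layout with documentation IP addresses, and the function names are hypothetical.

```python
"""Parse a DMARC aggregate (rua) report into a per-source summary.
Added example, not GlockApps code. The report below is a constructed
sample in the RFC 7489 Appendix C layout, trimmed to the elements a
domain owner actually needs."""
import xml.etree.ElementTree as ET  # reports come from third parties: prefer defusedxml in production

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize_aggregate_report(xml_text):
    """Return the published policy, one row per sending IP, and pass/fail volumes."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "sources": [], "passing": 0, "failing": 0}
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the DMARC-level (aligned) results; one pass is enough
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["sources"].append({"ip": row.findtext("source_ip"), "count": count,
                                   "dkim": evaluated.findtext("dkim"), "spf": evaluated.findtext("spf"),
                                   "disposition": evaluated.findtext("disposition"),
                                   "dmarc": "pass" if passed else "fail"})
        summary["passing" if passed else "failing"] += count
    return summary

def failing_sources(summary):
    """IPs whose mail failed DMARC: legitimate ones need SPF/DKIM fixed before enforcement."""
    return [s["ip"] for s in summary["sources"] if s["dmarc"] == "fail"]
```

Under ‘p=none’ every disposition is ‘none’, so the dkim/spf results in policy_evaluated, not the disposition, tell you which sources still need work.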
Myth #9. Setting up DMARC Will Quickly Fix Deliverability Issues.
Implementing DMARC will certainly help improve your sender reputation and inbox placement rate: authenticated emails are more likely to land in the inbox than those failing DMARC. However, it won’t be quick. You may see improvements several months after you begin using DMARC in its enforcement mode.
It is also important to remember that emails that pass DMARC are still subject to the ISP’s filters, which may classify them as spam based on other criteria.
Myth #10. Once I Reach the ‘Reject’ Policy, I Can Let Things Slide.
Enforcing DMARC is only the beginning of your domain monitoring and protection journey. It is imperative that you regularly monitor your sending infrastructure, email sending sources, and email authentication outcomes for any changes. Email is dynamic and infrastructure is prone to change, so you must pay close attention to everything related to how your domain is used.
Conclusion
Misunderstanding how DMARC works may keep domain owners from benefiting from everything it offers. Now that these doubts are cleared up, it’s important that email senders and every organization with a public domain include the DMARC authentication protocol in their security plan, because it provides:
- visibility;
- control;
- monitoring;
- protection.
Since no domain is safe from spoofing attacks, using DMARC lets you guarantee that no spam or phishing emails are delivered to people’s inboxes on behalf of your organization’s domain.