DMARC Adoption in 2021: What’s the Problem?
When it comes to cyber-attacks, 2020 has shown how unprepared organizations and businesses all over the world are. All types of companies were affected, regardless of the size and operating area, resulting in millions of dollars in financial losses. We have seen a large number of new phishing scams related to COVID-19. In April alone, Google blocked 18 million Coronavirus-related malware and phishing emails. And, as so many organizations have switched to remote work, 2021 does not predict any decrease in cyber-attacks.
Scams come in all shapes and sizes, so why do we pay so much attention to the email here? Because 94% of all malware is delivered to the computer via email. And the majority of people would not distinguish between a well-crafted phishing email and a legitimate one.
DMARC, as the third layer of protection (after SPF and DKIM), has been introduced 9 years ago (back in 2012!). And yet, a large segment of organizations all over the world fail to implement it, and the majority of those who do, leave the p=none policy that only needed at the early stages of implementation and does not protect against cyber-attacks.
So what is it that stops businesses from adding DMARC protection to their arsenal?
Making Three Protocols Work Together
In theory, all you have to do is: implement SPF, DKIM, and DMARC on top of the two and make sure SPF and DKIM align during an authentication check. And voila! Sounds simple enough, right?
But in reality, there are quite a few roadblocks on the way to DMARC ‘quarantine’ or ‘reject’ policy.
- SPF and forwarded emails. SPF is the oldest protocol, introduced back in 2000 and it has quite a few downsides. One of them is an inability to authenticate after forwarding an email.
- SPF and the lookup limit. Yes, the widely known headache of the 10-lookup limit. Many use the flattened SPF record to bypass it. In this case, a range of new troubles arises, as flattened SPF records need more precision and regular maintenance. Mistyped IP address or an address that wasn’t changed on time will lead to the SPF authentication failure. What If you don’t fix issues connected to your SPF authentication and implement a ‘reject’ DMARC policy? You might as well block legitimate emails, not only potentially threatening.
- SPF and DKIM must align. If you have both SPF and DKIM implemented in your domain, DMARC instructs either of them to be aligned in order to pass authentication. What does this mean? Both SPF and DKIM domain (written in an SPF record or the one signed with DKIM signature) have to be the same as the domain in the From address. However, many would argue that the best practice is to align with both SPF and DKIM, otherwise one might see spikes in bounce rates.
The abovementioned are a few of the purely technical roadblocks. But what do they mean for a company? It needs to spend some money on security pros, or time and money on educating themselves in email security.
SPF, DKIM, and DMARC were created in a form of simple TXT records, which is very practical. On the other hand, adjustments have to be made by a person who knows what they’re doing. Any error may result in failures, and record misconfigurations. This might be kind of a dealbreaker for many small and medium businesses as they might not afford such extra expenses, or just won’t see them as important ones. And this is a shame because according to Symantec, small businesses have the highest targeted scam email rate – 1 in 323.
Even as the company only works with the first stage of DMARC implementation with the none policy, it starts to receive a lot of incoming data on the domain traffic. DMARC reports were not created to be easily readable by humans, they come in XML format. Moreover, a company receives one report for each server it sends an email to. So depending on the intensity of email traffic, the number of reports per day may get to thousands. In such cases, it is highly recommended to use third-party tools for collecting, analyzing, and storing those reports. This means extra expenses that small businesses might not afford, and corporations might just have way too complicated email flows to even start the process.
The Cost of an Error
As I have mentioned before, the result of the misconfigured record could be failed email authentication. What does it mean in terms of business? An email marketing campaign being blocked or ending up in a spam folder. Or, even worse, an interrupted transactional or other primary business email flow.
Many businesses, regardless of whether they have an IT department, a single pro, or rely on their own understanding of the process – risk disconnecting legitimate emails. As long as they are not sure they’ve got everything right, they might hesitate to move to the enforcement stages of DMARC. For big corporations, disruption of important email communication can result in significant financial losses as well as decreased reputation.
With all that said, can we take these factors as excuses for companies leaving their domains unprotected? Of course not.
The fact is – Internet will become a safer place only if each of us will take our own part in making the proper steps. It is not about pointing fingers, blaming others, or making excuses. If the domain is unprotected – it can be a target for cyber-criminals. This is just the world we live in. As a result, a company can lose domain reputation within days, end up with compromised business emails, stolen credentials, and significant monetary losses. DMARC is not a perfect solution, but it is the highest protection one can acquire for their business domains. And ultimately, everyone will only benefit from sending emails that will be confirmed as legitimate.
As many start moving towards ‘no auth, no entry’ I believe more companies will consider moving the process of DMARC implementation.
If you want to begin the process today – GlockApps is here for you.
You can start using DMARC Analytics right now with 10,000 free monthly DMARC messages
and unlimited domains. We provide all the help with our support team, guides, and in-depth analytics.