5 Common Mistakes Made When Implementing DMARC

November 20, 2017
Ryan Terry

DMARC, or Domain-based Message Authentication, Reporting and Conformance, protects an organization's trusted domains from email spoofing attacks. Given the rapid growth of email fraud, and that domain spoofing makes up a large share of those attacks, it is no surprise that many organizations are looking to implement DMARC authentication to validate the email sent on their behalf. In fact, the Department of Homeland Security recently mandated that all civilian federal agencies implement DMARC within an aggressive timeline, and encouraged private sector companies to consider DMARC adoption as well.

Many organizations have not implemented DMARC yet because it can be difficult to deploy and the risk of blocking legitimate email is high.  To better help companies and agencies protect their trusted domains, we have identified five common mistakes made when deploying DMARC authentication. 

Mistake #1: Don’t account for all legitimate mail streams, including 3rd-party senders

Most organizations have many senders, including 3rd parties, sending email on their behalf.  It can be challenging to identify all of the legitimate senders, especially given that different departments within an organization - such as marketing, sales, and HR - use 3rd party email senders.  But, if all legitimate senders are not identified and authorized to send email on the organization’s behalf, critical communications may get blocked, potentially disrupting the business.  Organizations should ensure that stakeholders from all relevant departments are informed and involved.

Mistake #2: Let a subdomain inherit the top-level domain's policy

Organizations typically focus their DMARC implementation on the top-level domain (ex: acme.com) and may overlook safely configuring specific policies for each of their subdomains (ex: mail.acme.com). The DMARC policy deployed on the top-level domain automatically trickles down to its subdomains. This may lead to unintentionally blocking legitimate email unless every subdomain is accounted for separately.

Mistake #3: Don't have a system or tool in place to parse the data from DMARC reports

DMARC aggregate reports, which are sent from the receiving email service providers, include crucial information about your email ecosystem, but they are not intuitive to understand.  Data is just data until you can organize it in a way that provides value.  Plus, it can be daunting to try and keep up with the sheer volume of reports that are sent and collate all of the information in a meaningful way – especially if the organization is trying to establish any kind of timeframe around their DMARC project.

Mistake #4: Don’t understand SPF and DKIM alignment

DMARC alignment prevents spoofing of the “header from” address by:

  1. Matching the “header from” domain name with the “MFROM” domain name used during an SPF check, and
  2. Matching the “header from” domain name with the “d=” domain name in the DKIM signature.

Proper alignment ensures that the identity you are authenticating (the SPF “MFROM” domain or the DKIM signing domain) actually corresponds to the domain the message purports to come from. Again, 3rd party email senders bring additional challenges. For instance, 3rd party vendors tend to use their own “MFROM” domain, so they can pass SPF but not SPF alignment. The same applies to DKIM: 3rd party vendors can pass DKIM, but not DKIM alignment.

Mistake #5: Use improper DMARC syntax or content

While there are instructions for setting up DMARC records, they may sometimes be unclear.  It is also common to have improper formatting and/or content, and incorrect policy values.  A few key things to remember:

  • Don’t forget to use “_dmarc.”
  • If you have multiple reporting addresses, separate them with a comma, don't include a space after the comma, and ensure every address, including the second, starts with mailto:
  • Use correct policy values (example: use “none” instead of “monitor”)
  • Check for typos
  • Check for missing or extra characters
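As an added example (not code from the original post), the following Python checks a DMARC TXT record value for the syntax problems listed under Mistake #5 (and flags a missing sp= tag, the subdomain inheritance from Mistake #2), and evaluates the SPF/DKIM identifier alignment described under Mistake #4. The domains are constructed, and the Organizational Domain lookup is a simplified stand-in for a Public Suffix List lookup.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def org_domain(domain):
    """Approximate the Organizational Domain as the last two labels.
    Assumption made for this example only: production code should use the
    Public Suffix List (this shortcut is wrong for e.g. 'co.uk')."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, authenticated, mode="r"):
    """DMARC identifier alignment between the 'header from' domain and the
    SPF MFROM domain or the DKIM d= domain. Relaxed ('r', the default)
    needs matching Organizational Domains; strict ('s') needs an exact match."""
    hf, auth = header_from.lower().rstrip("."), authenticated.lower().rstrip(".")
    if mode == "s":
        return hf == auth
    return org_domain(hf) == org_domain(auth)


def check_record(txt):
    """Return a list of problems found in a DMARC TXT record value."""
    problems, tags = [], {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag (missing '='): {part!r}")
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    # v=DMARC1 must be present, spelled exactly, and be the first tag
    if tags.get("v") != "DMARC1" or not txt.lstrip().startswith("v="):
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append(f"invalid p= value {policy!r}: use none, quarantine or reject")
    elif "sp" not in tags:
        # Mistake #2: without sp=, every subdomain inherits the p= policy
        problems.append(f"note: subdomains inherit p={policy} (no sp= tag)")
    for tag in ("rua", "ruf"):
        for uri in (tags[tag].split(",") if tag in tags else []):
            if uri != uri.strip():  # a space after the comma breaks the URI
                problems.append(f"{tag}: whitespace around {uri.strip()!r}")
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}: {uri.strip()!r} must start with mailto:")
    return problems
```

A clean record such as `v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@acme.example` returns an empty list; `p=monitor` or a space after the comma in rua= each produce an entry.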

Learn more

DMARC authentication is an effective tool to help organizations prevent email fraud.  Implementing DMARC is a process, or a journey, but the benefits of blocking phishing and email spoofing attacks are abundant.  Proofpoint Email Fraud Defense provides the visibility, tools, and services to help organizations implement DMARC quickly and confidently.  Download our Getting started with DMARC Guide today!