
The Challenges of DIY DMARC (Domain-Based Message Authentication Reporting & Conformance)

September 28, 2019
Tanner Luxner

The DMARC (Domain-based Message Authentication Reporting and Conformance) standard is one of an organization’s best defenses against spoofing attacks that abuse its trusted domains. As email fraud attacks continue to rise at an alarming rate, many organizations are looking to implement DMARC authentication to protect employees, customers, and business partners.

One common approach that organizations take is to implement DMARC on their own. This involves navigating the DMARC journey—without outside assistance—utilizing internal resources and building data management systems. As you consider whether or not to deploy DMARC on your own to protect your trusted domains, there are several potential hazards you should be aware of.

High risk of blocking legitimate email:

Once DMARC is fully deployed to block fraudulent emails that spoof your domains, any email that fails authentication will be deleted automatically. To prevent legitimate email from being blocked, you need authentication visibility into all the email coming into (and being sent from) your organization and from your trusted 3rd-party senders. This visibility is a critical part of authentication, because it helps you identify every legitimate email sender, whether they’re sending to consumer mailboxes or to other businesses. The importance of authentication visibility doesn’t stop there: you also need a view into whether your legitimate email senders are authenticating properly.

DMARC requires deep expertise:

DMARC requires deep expertise to implement and maintain successfully. A DMARC project requires investing significant time and resources to learn how SPF, DKIM, and DMARC work, along with how to resolve the authentication errors that surface. Identifying forwarded email, understanding the intricacies of particular email receivers, and much more all call for deep knowledge if the implementation is to succeed.

Storing and rendering large data sets:

It can be difficult to keep up with the sheer volume of DMARC reports you will receive during your DMARC journey, and you’ll need to build and manage a system that can store and render large data sets. This also requires setting aside significant time to understand and interpret the actionable insights contained in these reports.

Identifying and contacting stakeholders:

Proper DMARC implementation requires identifying and contacting various stakeholders within your organization, as well as legitimate 3rd-party email senders – potentially an incredibly time-consuming process. This work is necessary to ensure that all mail is authenticating properly and that you aren’t blocking legitimate mail. Imagine your marketing team has scheduled a large marketing campaign using a 3rd-party sender. If that sender isn’t authenticating properly, DMARC could block the entire campaign.

Ongoing support and management:

Business needs change over time – including the email practices used across the various groups within, and outside of, your organization. You will need to dedicate time, resources, and well-educated DMARC experts to support your email authentication efforts going forward and to work through any changes that arise, such as new 3rd-party senders coming online.

Learn more

While it is possible to DIY DMARC on your trusted domains, doing so opens your organization up to the significant risk of blocking legitimate mail and requires a large allocation of time and resources to be done properly. Proofpoint Email Fraud Defense provides the visibility, tools, and services to help organizations implement and continually manage DMARC quickly and confidently.

Learn more with Proofpoint’s ‘Getting started with DMARC’ guide