Three Strategies for Enforcing DMARC on Inbound Email

October 14, 2019
Ash Valeski

When most organizations talk about DMARC (Domain-Based Message Authentication Reporting and Conformance), the conversations usually revolve around preventing their domains from being “spoofed” by declaring “Reject” policies.

Indeed, this standard is an incredibly effective way to protect email recipients from unauthorized activity abusing their domains. Consider the chart below which shows unauthorized activity on a Proofpoint Email Fraud Defense (EFD) customer’s domain over a 30-day period. You’ll notice that email starts getting blocked the moment a “Reject” policy is declared in DNS. You’ll also notice that the activity trails off as bad actors recognize their efforts are futile.

 

Now consider the above from the perspective of email receivers. They not only have a role to play making DMARC successful (enforcement of policies declared by domain owners), but they benefit tremendously by using this signal of trustworthiness (or lack thereof) to protect their users. By way of an analogy, DMARC enforcement is like identity (ID/passport) checks at the airport that must be passed before advancing to the next stage of security evaluation.

Identity checking via DMARC enforcement is performed on email destined for 86% of US consumer mailboxes. With the rise of Business Email Compromise and other identity-deception threats targeting employees it’s more important than ever for organizations to follow the lead of Gmail, Hotmail, Yahoo, and others and add these essential security controls. Until then, domains like these will remain vulnerable to spoofing by bad actors.

(100 domains with DMARC “Reject” or “Quarantine” policies)

The three strategies below are meant to demystify DMARC enforcement and put identity controls within reach of organizations that use a secure email gateway. Proofpoint customers can find specific configuration instructions here, including ways to identify / create exceptions for legitimate email that would otherwise get blocked.

To learn more about how Proofpoint helps customers protect their companies with DMARC, click here.In summary, DMARC is an incredibly effective way to prevent impersonation (via domain spoofing) over email, but to fully realize its potential, organizations also need to consider their role as email receivers (not just domain owners). Until they do this, their employees will remain vulnerable to identity deception, especially the impersonation of their partners and vendors. The time to start evaluating and enforcing DMARC policies is now, and the strategies above offer a path forward.