CTO Article: Use case of measuring the ROI of DMARC implementation
Updated: Nov 9, 2020
One of the most common questions people ask us is how we know whether DMARC is really working and whether it is worth implementing.
Let me talk about basics first:
What is DMARC – It’s an email security standard
Full form - “Domain-based Message Authentication, Reporting & Conformance”
Implemented via DNS records
Modes: None, Quarantine, Reject
You can implement it on your own, which takes some effort, or you can use a third-party SaaS provider to assist with the implementation and with measuring the ROI.
Now let us talk about how we measure the ROI. For this discussion I am going to describe a real incident through which we helped a customer measure the ROI, and how the customer received the result.
The customer has been with us for a couple of years now, and he always had doubts about whether the DMARC solution was actually working. We always assured him that it is like an insurance policy: when an incident hits you, don’t worry, ProDMARC will do its job.
The incident I am talking about happened a few months back. While the customer was busy with month-end activities, they received an automated alert from the ProDMARC solution stating the following:
THERE IS A THRESHOLD BREACH OBSERVED FOR THE EMAIL ACTIVITY AND WE HAVE WITNESSED A NEW MAILING PROVIDER SENDING MAILS ON BEHALF OF YOUR DOMAIN WHICH ARE FAILING DMARC AND HENCE THE MAILS ARE REJECTED.
The customer quickly looked at the alert and started to investigate this unusual trigger from the ProDMARC solution. He went through the dashboard and analyzed the DMARC compliance trend for the domain, and was surprised to see that about 1,941 emails were failing DMARC.
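The alert above is driven by the "Reporting" part of DMARC: receiving mail gateways send aggregate (RUA) reports back to the domain owner listing each sending source, how many messages it sent, and whether they passed or failed. An alert like the one the customer received is produced by comparing those per-source counts against a list of sanctioned senders and a threshold. The following Python script is an added illustration, not ProDMARC's code or any code from the article; it parses a constructed DMARC TXT record (covering the None/Quarantine/Reject modes from the basics above) and a constructed aggregate report in the RFC 7489 XML layout, then flags unknown sources whose failure count crosses a threshold. The domain, IP addresses, counts and the allowlist are all made up for the example.

```python
"""Parse a DMARC policy record and a DMARC aggregate (RUA) report, then flag
unknown sending sources whose DMARC failures cross an alert threshold.
Added example with constructed data; not code from the article or ProDMARC."""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT record for a hypothetical domain (example.com).
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; pct=100"

# Constructed allowlist of the organisation's sanctioned sending sources.
KNOWN_SOURCES = {"192.0.2.10"}

# Constructed aggregate report in the RFC 7489 XML layout. 192.0.2.10 is the
# sanctioned sender; 203.0.113.77 is an unknown provider failing DMARC.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>850</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>1941</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
</feedback>
"""

VALID_MODES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split a 'tag=value; tag=value' DMARC record into a dict and validate
    the version tag and the policy mode (p=none|quarantine|reject)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in VALID_MODES:
        raise ValueError("invalid or missing policy mode (p=)")
    return tags


def summarize_report(xml_text):
    """Aggregate pass/fail message counts per source IP from an RUA report.
    A message passes DMARC when aligned DKIM or aligned SPF passes."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = (evaluated.findtext("dkim") == "pass"
                  or evaluated.findtext("spf") == "pass")
        entry = summary.setdefault(ip, {"pass": 0, "fail": 0, "dispositions": []})
        entry["pass" if passed else "fail"] += count
        disposition = evaluated.findtext("disposition")
        if disposition not in entry["dispositions"]:
            entry["dispositions"].append(disposition)
    return summary


def find_unknown_failures(summary, known_sources, threshold):
    """Return (source_ip, failed_count) for sources that are not on the
    allowlist and whose failures reach the threshold, largest first."""
    alerts = [(ip, stats["fail"]) for ip, stats in summary.items()
              if ip not in known_sources and stats["fail"] >= threshold]
    return sorted(alerts, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    policy = parse_dmarc_record(DMARC_TXT)
    print("published policy mode:", policy["p"])
    summary = summarize_report(SAMPLE_REPORT)
    for ip, stats in summary.items():
        print(ip, stats)
    for ip, failed in find_unknown_failures(summary, KNOWN_SOURCES, threshold=100):
        print(f"ALERT: unknown source {ip} failed DMARC for {failed} messages")
```

Two details worth keeping in mind when reading the output: the disposition (`reject` here) is applied by the receiving gateway according to the published `p=` mode, and the monitoring tool learns of it only from the report, so a failing source is only blocked when the domain has actually moved from `p=none` to `quarantine` or `reject`.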
He went to the forensic module to check whether there were sample forensic emails whose headers and body he could inspect. Luckily, he found a few forensic samples, from which he identified the FROM ADDRESS and the DMARC action taken by the receiving email gateways.
The customer was quite happy that the email was blocked by ProDMARC, but he was curious to know more about this suspicious email and whether it carried any phishing link or malware download. To his surprise, he found that the content of the email was a SWIFT COPY lure with an attachment.
The attachment had an embedded link pointing to a URL. VirusTotal straight away returned a verdict that 5/80 engines had detected this URL as Phishing/Malicious.
The customer was delighted that ProDMARC stopped a real incident and applauded the solution for doing its job. He even presented this to senior management, highlighting the ROI of the DMARC solution.
So basically, what I am trying to say is that we sometimes expect results to show immediately, with security incidents being triggered the moment we plug a solution into an enterprise. That is not normally the case. As an organisation we should keep applying layered security, deploying each solution with the risk surface in mind, so that a solution like DMARC kicks in when it is required.