• ProgIST CyberSec Division

Debunking myths about DMARC

Updated: Mar 31, 2020

With ever-growing email attacks contributing to billions of lost dollars each year, organizations are adopting Domain-based Message Authentication, Reporting & Conformance (DMARC) in an effort to protect themselves and their customers from fraudsters. DMARC, first introduced in 2012, has proven extremely effective at stopping billions of email attacks from ever reaching their targets.

DMARC can be a confusing topic. Perspectives vary greatly and there is no shortage of misinformation out there. Unfortunately, a number of myths about DMARC could hinder deployments and weaken efforts to stop such attacks.

According to statistics from one cyber-insurer, Business Email Compromise (BEC) related attacks accounted for nearly a quarter (23%) of all cyber-insurance claims it received in 2018. Ransomware-related incidents came in second place, accounting for 18% of all claims, followed by claims for data breaches caused by hackers and data breaches caused by employee negligence (e.g. sending data to the wrong person), both at 14%.

Let’s debunk three of the most prevalent myths:

Myth #1: Implementing DMARC is easy and it’s only used to stop spoofs

Many people think that DMARC is only about blocking impersonations (aka spoofs, or fraudulent email). Not so long ago, this would have generally been true. However, DMARC is becoming a foundational element of many email marketing advancements. As mailbox providers continue to improve the end-user experience, trust and authentication are the keys, and DMARC enforcement becomes a must-have for every email marketer.

Fact #1:

DMARC comes with its fair share of complexity. Going it alone is tedious. Only about 1 in 5 large organizations ever make it to enforcement, and the cost is significant. Conversely, about 90% of ProDMARC customers make it to enforcement in 12 months or less. It is far more effective and cost-efficient to outsource.

Myth #2: DMARC Prevents All Email Attacks

When configured correctly, DMARC detects deceptive emails sent by attackers spoofing the domains owned by the organization. No matter who the intended target may be, correct?

Fact #2

When configured properly, DMARC stops phishing attacks that appear to originate from your trusted domains, which makes it ideal against outbound spoofing of your own brand. It can also mitigate certain threats found in inbound traffic. Based on multiple independent studies, more than 70% of spear-phishing attacks involve Display Name Imposters (DNI), impersonating either a brand or an individual, and DMARC provides no defense against that, because it only authenticates the domain in the From address, not the display name shown to the user. In all such cases, additional protection is needed to keep phishing emails out of the inbox.

Myth #3: Once DMARC is implemented I don’t need to worry anymore

Many organizations have a misconception that once DMARC is set up they don't need to worry anymore, as fraudulent mails will be blocked automatically.

Fact #3

Merely publishing a DMARC record will not help companies or individuals block any spam. You also need to create effective policies with appropriate actions on what needs to be done with suspicious emails (monitor, quarantine or reject). You also need effective visibility, through the DMARC reporting data, in order to understand what is going in and out of your mail. Email is dynamic. At most companies, new vendors are constantly being added to the list of service providers. Meanwhile, vendors often change their own underlying email infrastructure. It is critical to have DMARC services that help you stay on top of these changes. While getting to enforcement is often the most significant challenge, staying there requires attention and help.
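The two facts above, that a display-name imposter sails through DMARC (Fact #2) and that a published record without an enforcing policy blocks nothing (Fact #3), are easiest to see by stepping through the receiver-side check. The following is an added example, not code from ProgIST or the original post: a toy DMARC evaluator with a constructed in-memory "DNS" of `_dmarc` TXT records for made-up domains (`example.com`, `example.org`, `example-payments.net`). The SPF and DKIM results are passed in as already-computed inputs, and organizational-domain matching is simplified (no Public Suffix List).

```python
# Added example (not from the original post): a toy DMARC evaluator showing
# (1) how the published policy decides what happens to a message that fails
# alignment and (2) why a display-name imposter passes DMARC.
# All domains, records and messages below are constructed for illustration.
from email.utils import parseaddr

# Constructed "DNS": the TXT record a receiver would find at _dmarc.<domain>.
DNS_TXT = {
    # Enforcing record: reject on failure, strict alignment, reports requested.
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=s",
    # Monitor-only record: reports arrive, but nothing is blocked.
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.org",
    # Lookalike domain controlled by an attacker, who can publish whatever they like.
    "example-payments.net": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def header_from_domain(from_header):
    """Domain of the RFC5322.From address. The display name plays no role."""
    _display_name, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower()


def org_domain(domain):
    # Simplification: real receivers consult the Public Suffix List here.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the SPF/DKIM-authenticated domain align with the From domain?"""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed


def evaluate(from_header, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, action) for one message.

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d=
    of a verified signature. action is the disposition the From domain asked for.
    """
    from_domain = header_from_domain(from_header)
    record = DNS_TXT.get(from_domain)
    if record is None:
        return "none", "none"  # no policy published: nothing to enforce
    policy = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy["p"]


def scenarios():
    """Three constructed messages, each as the receiving MTA would see it."""
    # 1. Direct spoof of an enforcing domain: SPF passes only for the sending MTA's
    #    own domain, which does not align, and there is no DKIM signature.
    spoof = evaluate('"Example CEO" <ceo@example.com>',
                     spf_domain="bulk-mta.example.net", spf_pass=True)
    # 2. The same spoof against a domain that only published p=none (Fact #3).
    spoof_monitor_only = evaluate('"Example CEO" <ceo@example.org>',
                                  spf_domain="bulk-mta.example.net", spf_pass=True)
    # 3. Display-name imposter (Fact #2): the attacker's own lookalike domain,
    #    fully authenticated, with the victim's name in the display name.
    dni = evaluate('"Example CEO" <ceo@example-payments.net>',
                   spf_domain="example-payments.net", spf_pass=True,
                   dkim_domain="example-payments.net", dkim_pass=True)
    return {"spoof": spoof, "spoof_monitor_only": spoof_monitor_only,
            "display_name_imposter": dni}


if __name__ == "__main__":
    for name, (result, action) in scenarios().items():
        print(f"{name:24s} dmarc={result:4s} action={action}")
```

Running it shows the spoof of `example.com` failing with action `reject`, the identical spoof of `example.org` failing with action `none` (delivered, but visible in the aggregate reports sent to the `rua` address, which is exactly the visibility Fact #3 calls for), and the display-name imposter passing cleanly because every check is made against `example-payments.net`, the domain the attacker actually controls.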

To Conclude

It is unclear how many organizations will use DMARC to its full potential. Still, when you consider that 94% of successful breaches start with email, implementing DMARC is clearly important, and doing it right is worth the effort.


© 2020 by Progist.