Dispelling the myths about DMARC

Good hygiene has been in the news a fair amount in recent weeks and months, leading us all to pay substantially more attention to washing our hands – for longer – and to diligently covering our coughs. The fact that this guidance needs to be shared anew every flu season highlights just how important a sense of urgency, and regular reminders on how to act, are in stemming the spread of infection. The same is true when it comes to our behavior online. Evidence suggests that a regime of foundational measures, reflecting prioritized, essential tasks to defend against avoidable dangers in cyberspace, does in fact work to substantially reduce overall risk.

This is one of the reasons why the Cybersecurity Tech Accord signatories endorsed the Paris Call for Trust and Security in Cyberspace and committed ourselves to working on implementing its principle focused on improving cyber hygiene. This includes both ensuring that the Cybersecurity Tech Accord companies themselves adopt and implement good practices, and – perhaps more importantly – working on making cyber hygiene measures available and accessible at scale, particularly in communities with limited financial and technical resources.

We are therefore delighted to be working on this issue together with the Global Cyber Alliance, an international non-profit organization that has made eradicating global cyber risk its sole mission. For the past two years, they have been working on efforts to improve email security, including driving the wider adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication policy and reporting protocol that helps prevent impersonation attacks via email – something which the Cybersecurity Tech Accord has also enthusiastically supported previously.

DMARC ensures that legitimate email is properly authenticated against the established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards, and that fraudulent email appearing to come from domains under the organization’s control is blocked. We encourage all organizations to utilize the resources made freely available by the Global Cyber Alliance, including their implementation guide, and we also want to take this opportunity to dispel a number of myths that have emerged around DMARC in particular.

Myth #1: It’s used on email domains only

ANY domain can be impersonated and used in phishing attacks, so we need to do more than just secure the domains used to send mail. Every domain owned by your organization should be secured with its own DMARC policy.

Myth #2: It’s a Silver Bullet

DMARC is not an inoculation against every cyber risk. It protects against only one type of spoofing and should never be used alone. All organizations need a layered defense when it comes to securing email; DMARC is an important layer, but still only one. Your organization may also use other secure email mechanisms, such as DNS-Based Authentication of Named Entities (DANE) or Message Transfer Agent Strict Transport Security (MTA-STS), among others.

Myth #3: It’s not good for privacy

With DMARC, you can see who is sending email on your domain’s behalf. This protects privacy by preventing attackers from using your domain to send suspicious messages within your organization or to your customers. In this way, DMARC reporting actually prioritizes privacy above other secure email practices.

Myth #4: It’s easy

Starting the implementation of DMARC may be relatively simple, but the real work – and the most important part – comes with analyzing the reports and adjusting your policy level toward enforcement, which can be considerably more labor-intensive.
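As an added illustration of that report-analysis step (this is example code, not from the Cybersecurity Tech Accord or the Global Cyber Alliance), the Python below parses a constructed DMARC aggregate (rua) report in the RFC 7489 XML format and tallies aligned versus unaligned mail per sending IP, which is the information an operator reviews before moving the published policy from p=none toward enforcement. The report contents, domain and IP addresses are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (rua) report, RFC 7489 XML layout.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}}).
    A message counts as DMARC-aligned when the receiver's policy_evaluated
    block reports an aligned DKIM pass or an aligned SPF pass."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    stats = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned = (evaluated.findtext("dkim") == "pass"
                   or evaluated.findtext("spf") == "pass")
        entry = stats.setdefault(ip, {"pass": 0, "fail": 0})
        entry["pass" if aligned else "fail"] += count
    return policy, stats


def failing_sources(stats):
    """Sources that sent only unaligned mail: either a legitimate sender
    missing from SPF/DKIM, or spoofing that an enforcing policy would stop."""
    return sorted(ip for ip, s in stats.items() if s["pass"] == 0 and s["fail"] > 0)


if __name__ == "__main__":
    policy, stats = summarize_report(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, s in stats.items():
        print(f"{ip}: {s['pass']} aligned, {s['fail']} unaligned")
    print("sources to investigate before tightening policy:", failing_sources(stats))
```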

Myth #5: It’s going to negatively impact my email

DMARC actually improves the delivery rate of the email you send to customers and others.

Myth #6: It’s only for large entities

Every organization with a public-facing domain can be vulnerable to spoofing and phishing, regardless of size. DMARC needs to be implemented by ALL organizations, from small startups to Fortune 500 corporations.

Email remains a preferred attack method for impersonation and fraud. Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or ransomware, such attacks are rising at an alarming rate and are also growing in sophistication. It is therefore imperative that organizations employ technologies such as DMARC, both to reduce the specific threats to their own entity and to improve the resilience of the Internet more broadly, helping to keep us all safe online.