DMARC: 5 Keys to Success

This article originally appeared on the Agari Email Security blog.

By Brent Sleeper, senior product manager, Agari

In this post, we will look at five keys to DMARC success organizationally and in enterprise-wide implementation.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard email authentication protocol that plays an essential role in any organization’s cybersecurity arsenal. That’s because DMARC is key to protecting your business, customers, and partners from email attacks that spoof your domain and hijack your brand. In fact, strong DMARC enforcement is so effective, it can stop domain spoofing practically overnight.

So its a little shocking that just 20% of the Fortune 500 (and similar shares of global lists like the FTSE and ASX) have actually implemented strong DMARC enforcement — in technical terms, a “p=reject” DMARC policy. Why do so many large enterprises lag in implementing DMARC enforcement?

DMARC for a single domain or just a handful of senders is relatively simple, but implementing it at enterprise scale is another story. If you’re like many program leaders, you know that deploying DMARC across the enterprise can be a uniquely challenging exercise in managing both technical and business hurdles. It can feel daunting.

Fortunately, you’re not alone. I was thrilled to recently host a webinar and have a conversation on this topic with my colleague, Autumn Tyr-Salvia. Autumn has had years of experience with email and authentication as a senior member of Agari’s customer success team. In that role, she’s helped some of the world’s leading enterprises successfully build and manage successful DMARC programs.

I share five of those hard-won lessons below.

DMARC Program Leadership Best Practices

Instead, the real issue is that deploying DMARC is fundamentally a leadership, process, and communication challenge. Two lessons in particular stand out.

1. Communication and Visibility are Key to DMARC Success

2. Lead the Discussion with Business Value, Not Security Hygiene

So lead with it! Being explicit about improvement in email engagement and revenue will give you permission to engage. DMARC is one of the rare times an infosec control lets you focus on win-win business outcomes and recognize an alignment of goals, rather than an unproductive, “you must comply” edict.

DMARC Implementation Best Practices

Experience helps a great deal when it comes to building an implementation plan. This is where Agari’s team makes a big impact leading enterprises on an efficient journey to strong DMARC protection. Here are three key lessons you should consider.

1. Get the Right Scope

Accordingly, treat email sources as “senders,” conceptual mail streams, not discrete IP addresses or DNS entries. IP addresses can and will change, so don’t rely on them as your angle for managing DMARC.

I’m reminded of something an experienced programmer once told me about maintaining legacy code: “Assume it’s worse than it appears.” Don’t go in thinking you have a known, finite universe of senders and mail streams. Running a DMARC program is an exercise in coming to grips with the actual reality of who and what are sending your email. It’s going to be full of surprises. You’re going to encounter a lot of shadow IT.

Automation is essential to manageability. Reduce friction and avoid tick-tacky “death by a thousand cuts” of tedious change controls, error-prone manual updates to infrastructure and reporting, etc. Use hosted records to automate updating low-level DNS entries to keep them in sync with the business changes you make, for example.

2. Prioritize Your Domains in Stages

Cutting your team’s teeth on low-volume and inactive domains is a good way to get practical experience and test your processes. Quick, early wins also will build momentum in a way that an endless, “boil the ocean” effort never could.

But you’ll want to get started early — and anticipate some major challenges — with the primary domain associated with corporate email. It’s usually the messiest and most complicated, with all kinds of email streams (corporate email, HR systems, internal status tools, DevOps platforms, and so much more).

And here’s a secret pro-tip Autumn shared: Talk to your legal and finance teams to discover a lot of hidden domains, such as those parked for trademark maintenance, defensive domains, acquisitions, etc. These are all ripe for abuse, because scammers realize a company doesn’t pay them much attention. Many times, it’s only the legal and finance folks who pay the bill every year who think about them. They’ll be key allies for you.

3. Don’t Stop at “p=reject.”

But “reject” isn’t the end of the line. In many ways, it’s just the beginning of a continuous process. That’s because no enterprise is static. Acquisitions, new lines of business, and new trademark and product introductions — they’re an important and inevitable part of how a business grows. So a DMARC program’s work is never done. You can’t just park it or assume you don’t need to invest in it going forward.
Similarly, every enterprise is investing in new technology, new SaaS providers, and more to improve efficiency and innovate. As a DMARC program leader, you’ll set yourself up for ongoing success (and reduce potential pain) by making DMARC support a required part of a security review process or technical evaluation. Ask each vendor, “will it send email? Will it use my domain?” If yes, get rolling on DMARC as soon as you buy (if not earlier).

And, finally, when we talk about the actual goal of these kinds of programs, it’s not actually “reject.” It’s protecting your customers and business from email attacks that hijack your brand. That means you must also consider issues like look-alike (or “cousin”) domains.

Other than the defensive domains you’ve registered, DMARC per se isn’t going to do anything about that. But monitoring and mitigating those threats needs to be in scope for a program like this in every enterprise.

Another Key Lesson: Don’t Go It Alone

Agari pioneered DMARC deployments for the enterprise, making implementation fast and scalable — even across thousands of sending domains. In fact, more than 40% of the Global 2000 rely on our solutions and know-how to reach maximum DMARC enforcement efficiently. I’m obviously biased, but in my book, that’s the very best practice of all.

For more practical advice on DMARC implementation, watch “5 Keys to DMARC Success: Leadership and Implementation Best Practices from the Pros,” an on-demand webinar from Agari.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store