DMARC: 5 Keys to Success

This article originally appeared on the Agari Email Security blog.

By Brent Sleeper, senior product manager, Agari

In this post, we will look at five keys to DMARC success organizationally and in enterprise-wide implementation.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard email authentication protocol that plays an essential role in any organization’s cybersecurity arsenal. That’s because DMARC is key to protecting your business, customers, and partners from email attacks that spoof your domain and hijack your brand. In fact, strong DMARC enforcement is so effective, it can stop domain spoofing practically overnight.

So it’s a little shocking that just 20% of the Fortune 500 (and similar shares of global lists like the FTSE and ASX) have actually implemented strong DMARC enforcement — in technical terms, a “p=reject” DMARC policy. Why do so many large enterprises lag in implementing DMARC enforcement?

DMARC for a single domain or just a handful of senders is relatively simple, but implementing it at enterprise scale is another story. If you’re like many program leaders, you know that deploying DMARC across the enterprise can be a uniquely challenging exercise in managing both technical and business hurdles. It can feel daunting.

Fortunately, you’re not alone. I was thrilled to recently host a webinar and have a conversation on this topic with my colleague, Autumn Tyr-Salvia. Autumn has had years of experience with email and authentication as a senior member of Agari’s customer success team. In that role, she’s helped some of the world’s leading enterprises build and manage successful DMARC programs.

I share five of those hard-won lessons below.

DMARC Program Leadership Best Practices

Let’s start with some of the leadership and organizational decisions that drive success. One insight we discovered is that DMARC in the enterprise is not just a technical challenge. If it were, getting to “reject” enforcement could be solved simply by throwing enough horsepower at the problem.

Instead, the real issue is that deploying DMARC is fundamentally a leadership, process, and communication challenge. Two lessons in particular stand out.

1. Communication and Visibility are Key to DMARC Success

A very successful DMARC program leader who is an Agari customer likes to say, “DMARC is not just a security project. It’s not just a tech project. It’s also an education project.”

That’s because some of the most challenging aspects of a DMARC program reflect decision-making, process, and governance concerns. To navigate those issues, you need a politically savvy, high-EQ, empowered leader who can evangelize and spearhead this complex, cross-functional initiative.

2. Lead the Discussion with Business Value, Not Security Hygiene

Using the right approaches, DMARC has some tangible incentives for line-of-business folks: an average 10% increase in the performance of email marketing campaigns, brand impressions in the form of a BIMI logo, and so on. That positive impact on revenue is a very powerful argument that aligns incentives in a way the usual “eat your vegetables” messages do not.

So lead with it! Being explicit about improvement in email engagement and revenue will give you permission to engage. DMARC is one of the rare times an infosec control lets you focus on win-win business outcomes and recognize an alignment of goals, rather than an unproductive, “you must comply” edict.

DMARC Implementation Best Practices

Beyond leadership best practices for DMARC, what about best practices for implementation? You don’t want to waste the capital and effort you exerted to win buy-in and a charter for your DMARC initiative by taking a reactive approach — but neither should you rely on a reductively linear, step-by-step recipe.

Experience helps a great deal when it comes to building an implementation plan. This is where Agari’s team makes a big impact leading enterprises on an efficient journey to strong DMARC protection. Here are three key lessons you should consider.

1. Get the Right Scope

It might be obvious to you, but be sure to disabuse anyone on your team of the notion that DMARC is a literal thing that can be managed by simply adding the correct records to DNS. Treating DMARC as a DNS function is missing the forest for the trees.

Accordingly, treat email sources as “senders,” conceptual mail streams, not discrete IP addresses or DNS entries. IP addresses can and will change, so don’t rely on them as your angle for managing DMARC.

I’m reminded of something an experienced programmer once told me about maintaining legacy code: “Assume it’s worse than it appears.” Don’t go in thinking you have a known, finite universe of senders and mail streams. Running a DMARC program is an exercise in coming to grips with the actual reality of who and what are sending your email. It’s going to be full of surprises. You’re going to encounter a lot of shadow IT.

Automation is essential to manageability. Reduce friction and avoid the ticky-tacky “death by a thousand cuts” of tedious change controls, error-prone manual updates to infrastructure and reporting, and so on. For example, use hosted records to automate updates to low-level DNS entries so they stay in sync with the business changes you make.

2. Prioritize Your Domains in Stages

It’s absolutely key that you have a clear plan to deploy in phases, with discrete chunks of domains to work on at each stage of your DMARC implementation.

Cutting your team’s teeth on low-volume and inactive domains is a good way to get practical experience and test your processes. Quick, early wins also will build momentum in a way that an endless, “boil the ocean” effort never could.

But you’ll want to get started early — and anticipate some major challenges — with the primary domain associated with corporate email. It’s usually the messiest and most complicated, with all kinds of email streams (corporate email, HR systems, internal status tools, DevOps platforms, and so much more).

And here’s a secret pro-tip Autumn shared: Talk to your legal and finance teams to discover a lot of hidden domains, such as those parked for trademark maintenance, defensive domains, acquisitions, etc. These are all ripe for abuse, because scammers realize a company doesn’t pay them much attention. Many times, it’s only the legal and finance folks who pay the bill every year who think about them. They’ll be key allies for you.
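To support the staged rollout described above, the following added example (not from the original article or from Agari) buckets a domain inventory by DMARC enforcement level so each stage has a concrete worklist. The domain names and TXT records are constructed samples, the stage names are assumptions of this example, and the parsing is a simplified reading of the DMARC record format.

```python
# Added example: constructed inventory, no live DNS lookups.
# In practice each value is the TXT record published at _dmarc.<domain>.
INVENTORY = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "mail.example.com": "v=DMARC1; p=quarantine; pct=50",
    "example-brand.net": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "parked-example.org": None,            # nothing published at _dmarc
    "acquired-example.io": "v=spf1 -all",  # a TXT record, but not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    if not txt:
        return None
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # The version tag must come first and must be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt):
    """Map a TXT record to a rollout stage (stage names are this example's)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"        # needs manual review
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitoring"
    if policy == "reject" and pct >= 100:
        return "enforced"
    return "partial"            # quarantine, or reject applied to a sample

def stage_report(inventory):
    """Group domains by stage so each stage has a worklist."""
    report = {}
    for domain, txt in sorted(inventory.items()):
        report.setdefault(classify(txt), []).append(domain)
    return report

if __name__ == "__main__":
    for stage, domains in stage_report(INVENTORY).items():
        print(f"{stage:11} {', '.join(domains)}")
```

Parked and acquired domains that land in the "no-record" bucket are the ones the legal and finance conversation tends to surface.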

3. Don’t Stop at “p=reject.”

Getting to “p=reject” DMARC enforcement is a huge milestone and a crucial win for enterprises and their customers alike. Take a moment to pat yourself on the back — your team deserves major kudos when you get there.

But “reject” isn’t the end of the line. In many ways, it’s just the beginning of a continuous process. That’s because no enterprise is static. Acquisitions, new lines of business, and new trademark and product introductions — they’re an important and inevitable part of how a business grows. So a DMARC program’s work is never done. You can’t just park it or assume you don’t need to invest in it going forward.

Similarly, every enterprise is investing in new technology, new SaaS providers, and more to improve efficiency and innovate. As a DMARC program leader, you’ll set yourself up for ongoing success (and reduce potential pain) by making DMARC support a required part of a security review process or technical evaluation. Ask each vendor, “Will it send email? Will it use my domain?” If yes, get rolling on DMARC as soon as you buy (if not earlier).

And, finally, when we talk about the actual goal of these kinds of programs, it’s not actually “reject.” It’s protecting your customers and business from email attacks that hijack your brand. That means you must also consider issues like look-alike (or “cousin”) domains.

Other than the defensive domains you’ve registered, DMARC per se isn’t going to do anything about that. But monitoring and mitigating those threats needs to be in scope for a program like this in every enterprise.

Another Key Lesson: Don’t Go It Alone

Even with these best practices, enterprise-scale DMARC implementations can get costly and cumbersome fast. The need to tackle DMARC from both a program leadership and technical implementation perspective is why I’m such a believer in Agari Brand Protection™. Agari provides the technical capabilities and workflow management that program leaders need to simplify the complexity of DMARC in the enterprise. This includes addressing needs such as discovering and controlling authorized senders; managing updates with changing environments and ecosystems; tackling tedious, costly, and brittle workflows; or making it easy to communicate with stakeholders and providing them visibility into the progress and tangible results of the DMARC program.

Agari pioneered DMARC deployments for the enterprise, making implementation fast and scalable — even across thousands of sending domains. In fact, more than 40% of the Global 2000 rely on our solutions and know-how to reach maximum DMARC enforcement efficiently. I’m obviously biased, but in my book, that’s the very best practice of all.

For more practical advice on DMARC implementation, watch “5 Keys to DMARC Success: Leadership and Implementation Best Practices from the Pros,” an on-demand webinar from Agari.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.