How to Overcome the Top 3 Challenges of DMARC Implementation

Posted by Matt Moorehead on

As the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard continues to mature, more organizations than ever before are implementing it to protect their customers and their brand from email fraud.

DMARC helps ensure that legitimate email is properly authenticating against established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards and that fraudulent activity appearing to come from domains under a brand’s control is blocked.

With DMARC, senders can instruct email providers on how to handle unauthenticated mail via a DMARC policy. Senders can either:

  • Monitor all mail to understand their brand’s email ecosystem without impacting the delivery of messages that fail DMARC
  • Quarantine messages that fail DMARC (e.g., move them to the spam folder)
  • Reject messages that fail DMARC (e.g., never deliver the message to the inbox)

But implementing DMARC can get complicated quickly. Here are the three most common DMARC implementation challenges and ways to mitigate them.

Challenge 1: Identifying the right resources
Email security is not the responsibility of a single person or team. From my experience working with some of the world’s largest brands, I have found that the most effective DMARC implementations involve a combination of teams and resources.

They can include security, fraud prevention, marketing, incident response, DNS administrators, mailstream owners, vendors, and others. The more teams you can identify up front who have a vested interest in email security, the better you will position your organization for success.

Ask around and you might be surprised to learn how many of your colleagues are, in fact, dependent on email security and the benefits it provides.

Challenge 2: Getting visibility into your email ecosystem
Enterprise organizations often have complex email ecosystems, which makes it difficult to both uncover authentication issues and understand who is sending legitimate email on behalf of the brand.

Setting a DMARC policy to “monitor” mode grants the visibility you need to make informed policy decisions. You will learn what domains and vendors are sending mail on your behalf, which messages are authenticating, which messages are not, and why.


DMARC’s “monitor” mode simply instructs email providers like Gmail to send your company information on what is happening to your email. It does not instruct email providers to block messages that fail DMARC or send those messages to the spam folder.

To begin receiving information about how mail from your domains is being sent and authenticated, publish DMARC TXT records in DNS for each of your domains. Then, consume and parse the DMARC reports that email providers send back. Making sense of these reports on your own can be a challenge, which is why many companies choose to work with a vendor like Return Path. Once you have this email data, you can identify the authentication problems to address.
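The two steps above in working form, as an added example that is not code from the original post or from Return Path: a helper that builds the monitor-mode TXT record value, and a parser that summarises an RFC 7489 aggregate (RUA) report by sending IP, showing which sources authenticate and why the rest fail. The domain, addresses, IPs and report XML are constructed sample values.

```python
"""Added example (not from the original post): build a monitor-mode DMARC TXT
record and summarise a DMARC aggregate (RUA) report per RFC 7489."""
import xml.etree.ElementTree as ET

POLICIES = ("none", "quarantine", "reject")  # monitor, quarantine, reject


def dmarc_record(policy: str, rua: str) -> str:
    """Return the TXT value published at _dmarc.<domain>; p=none is monitor mode."""
    if policy not in POLICIES:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return f"v=DMARC1; p={policy}; rua=mailto:{rua}"


def summarize_aggregate(xml_text: str) -> dict:
    """Map each reported source IP to its message count and DMARC outcome.

    A message passes DMARC when DKIM or SPF passes *and* aligns with the
    From: domain; the report's policy_evaluated block already reflects that.
    """
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        passed = "pass" in (dkim, spf)
        reason = "ok" if passed else f"dkim={dkim}, spf={spf}"
        summary[ip] = {"count": count, "pass": passed, "reason": reason,
                       "disposition": pe.findtext("disposition")}
    return summary


# Constructed sample report: one aligned sender, one unaligned third party.
# Under p=none the disposition stays "none" even for failing mail.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

if __name__ == "__main__":
    print(dmarc_record("none", "dmarc-reports@example.com"))
    for ip, info in summarize_aggregate(SAMPLE_REPORT).items():
        print(ip, info)
```

The failing source in the sample is exactly the kind of entry to investigate before moving past monitor mode: either it is an unknown sender (possible spoofing) or a legitimate vendor whose DKIM/SPF setup needs fixing.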

Challenge 3: Knowing when to enforce policy
Determining exactly when you should move from DMARC’s “monitoring” mode to “reject” (when all emails failing DMARC get blocked from the inbox) is a common question.

The answer? It depends on the domain. Not all email is created equal. Promotional mailings, transactional emails, regulatory emails, and others need to be segmented and handled differently. Conduct an audit of your domains, prioritize them, and assess the risk of each, both in terms of security and deliverability.

If you are working with a vendor, they can help. At Return Path, for example, we offer a dashboard which analyzes authentication results for each domain, suggests authentication action items, and notifies users when their domains are ready for policy.

The benefits DMARC provides—granting visibility into your email program and protecting your customers and your brand from email fraud—far surpass the initial challenges of implementation. It is worth the upfront effort.

Ready to implement DMARC? Download our Getting Started with DMARC guide.


About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.