DMARC Adoption Could Be Speeding Up Again

The global email authentication standard known as domain-based message authentication, reporting, and conformance (DMARC) was first published by the Internet Engineering Task Force in 2015. It lets email senders and receivers share information about the legitimacy of emails as well as instructions on handling any mail coming from spoofed domains run by cyberattackers. Mimecast has provided a tutorial on how it works.

The rollout of DMARC has plateaued in recent years, due in large part to the time and effort required to adopt and manage the approach. But the convergence of several factors could renew momentum in deploying this technique for strengthening email security and brand protection. Among the catalysts:

• Business email compromise (BEC) and brand spoofing continue unabated. 
• Government and industry are evolving toward zero trust architectures, and DMARC supports zero trust for email.[1]
• Managed services and self-service platforms are becoming more prevalent, to ease implementation.

Update on DMARC: Stalled by Complexity

Following its introduction eight years ago, DMARC’s use grew significantly at first. But Mimecast’s State of Email Security 2023 (SOES 2023) report shows that in recent years it has stalled at under 30% penetration among businesses surveyed. And a Mimecast-sponsored report from the Enterprise Research Group (ESG) finds that DMARC has fallen short of its full potential in another way: It’s used mainly for monitoring and reporting illicit emails but not for setting and enforcing policies on their handling (e.g., to automatically reject them).

Complexity has hindered the uptake of the standard, according to the ESG report. Large companies may have many active and dormant domains, while also using numerous third-party vendors that send marketing and other types of email on their behalf. Smaller companies simply haven’t had enough bandwidth to do the required setup and monitoring of DMARC.

The problem is that “DMARC reporting can generate overwhelming amounts of reports and require significant time reviewing the data to validate which domains are valid and which are invalid or spoofed,” according to the ESG report. “Many organizations bail out of the process due to the amount of time and effort required.” 

Reasons to Press on with the Standard

Still, the impetus for DMARC’s implementation continues to grow stronger. Delving further into some of the catalysts for the standard’s uptake reveals the following:

• Domain Spoofing: DMARC reduces the spoofing that occurs in BEC and on counterfeit websites. In the SOES 2023 survey, 91% of companies say they are being spoofed, and 44% are seeing an increase in this type of fraud.
• Zero Trust: DMARC is considered a key element in zero trust architectures, which are gaining ground around the world. The U.S. government has been driving DMARC’s use by its agencies and contractors for several years, and it is now mandating a zero trust architecture in the coming year. Zero trust strategies are also being mainstreamed in Europe, according to Forrester.[2]
• Managed Services and Self-Service Platforms: Solutions such as Mimecast’s DMARC Analyzer are ironing out some of the complexity of implementing the standard, reducing necessary time and investment. Including record setup wizards and user friendly reports for analysis and policy enforcement, among other aids, some of these solutions can also be integrated across various security tools for even greater ease of use.[3]
• Email Deliverability: DMARC could determine whether your outbound emails are accepted or rejected by email providers, who increasingly view non-standardized email as suspect. DMARC could also be accelerated by the emergence of a related standard called Brand Indicators for Message Identification (BIMI), which allows businesses to display a verified logo in an email message’s subject or address (but only if they’ve already implemented DMARC).[4]

Putting DMARC to Work

Going forward, 88% of SOES 2023 survey respondents say their companies are looking to implement DMARC in the next 12 months to combat email spoofing, and many indicate that they have an active plan underway. Mimecast provides a detailed guide to implementing DMARC, in these three broad areas described by the ESG report:

• Domain Inventory: Just creating an inventory of a company’s own domains can take months for larger companies, including efforts to capture older, overlooked project domains still in use or others inherited during business mergers.
• Vendor Inventory: An additional step involves ensuring coverage of all the third-party vendors authorized to send emails on your company’s behalf, for functions such as customer relationship management.
• DMARC Enforcement: Security teams still struggle to achieve full DMARC enforcement, according to the ESG report. When they have doubts about their inventories, some stop short of enforcement rather than disrupt any part of their business operations because of DMARC-rejected emails.

As a significant change to company IT, implementing DMARC also requires getting commitment from senior management and analyzing options for design, implementation, and ongoing management — ranging from full DIY to self-service platforms to managed services.

While achieving DMARC enforcement is challenging, the ESG report recommends that companies continue to aim for it by exploring solutions now available on the market.

The Bottom Line

DMARC has proved challenging to implement for brand protection and email security. But various forces are aligning to drive it forward in the coming months and years, including the introduction of new solutions as well as the current push for zero trust security architectures. You can access a free trial of Mimecast’s DMARC Analyzer here.

[1] “Using Zero Trust to Battle Email Impersonation Attacks,” TechRadar

[2] “Zero Trust Comes into The Mainstream In Europe,” Forrester

[3] “The Top 7 DMARC Solutions for Business,” Expert Insights

[4] “Boost Email Marketing Results with BIMI,” PracticalEcommerce