Brand Protection

    DMARC Basics: What It Is and How It Works

    Brand impersonation through email phishing highlights the need for DMARC. To make the case to leadership, cybersecurity teams must clearly communicate how DMARC works.

    by Bob Adams

    Key Points

    • DMARC is an email authentication standard that can help businesses fight the rising threat of brand exploitation, including email phishing attempts and business email compromise attacks.
    • But it’s a complex protocol, the benefits and mechanisms of which are not often well-understood by non-security professionals.
    • Security teams who are able to clearly explain DMARC and its benefits in layman’s terms are more likely to win over unaware stakeholders — which is more and more important as businesses accelerate their adoption of digital technologies.


    In the last year, companies have accelerated the digitization of their customer and supply-chain interactions by as much as three to four years, according to McKinsey — largely due to COVID-19.[1] Of course, greater digitization translates into greater risk. Cybercriminals, aware more people are working and transacting online than ever before, have unleashed a veritable tidal wave of cyberattacks exploiting people’s trust in brands and designed to steal personal information or commit fraud. Organizations must step up efforts to keep customers safe from the threat of online brand impersonation.

    It’s no surprise that Mimecast’s fifth annual State of Email Security survey found that nearly half of respondents (47%) reported an increase in phishing emails that impersonated their brands in the past 12 months. Sixty-three percent experienced increased email phishing in general and 42% felt that misuse of their brands was a growing danger.

    One vital tool often overlooked by organizations is Domain-based Messaging Authentication Reporting and Conformance (DMARC). DMARC plays a key role in mitigating email phishing attempts that spoof legitimate email domains, but DMARC adoption remains low due to its complexity and the fact that the technology and its benefits can be hard to articulate without a cybersecurity background. To get key leadership and stakeholders on board, cybersecurity teams must learn how to clearly communicate DMARC’s importance — especially given the technology’s high efficacy and generally low cost.

    What Is DMARC?

    DMARC is an email validation system designed to detect when someone is using your domain without authorization; it can be used to block delivery of unauthenticated email. It builds on existing SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) protocols by adding a critical reporting element and a blocking mechanism. SPF verifies that the message comes from an IP address permitted by the domain’s records, while DKIM uses an encrypted key to verify whether the email header belongs to the one related to the sender’s domain.

    In simple terms, DMARC analyzes SPF and DKIM results to instruct an inbound mail server what to do with messages that fail these checks. The choices are:

    • Do nothing
    • Quarantine in a spam folder
    • Reject the email outright

    DMARC also sends an informative report on all of the above to the domain owner.

    How Does DMARC Work?

    To use a real-world analogy, imagine an email is a package that needs to be delivered to a recipient at an office park. Upon arrival, there are two security guards checking the delivery person’s credentials independently and simultaneously. The first guard checks the license plate to ensure it matches a verified delivery van. The second guard checks the driver’s identification to ensure the package is coming from the expected delivery person and company. These two checks are likened to inbound SPF and DKIM checks, respectively.

    If the license plate checks out and the driver identification matches, the delivery goes through. However, if one or both checks do not align, DMARC comes into play. What if the license plate checks out but the driver identification doesn’t? The guards must check the DMARC policy established by the delivery company to determine what action to take: reject the delivery, quarantine the package, or take no action. In this example, the guards might quarantine the package while awaiting results of the step described next.

    That is, the guards contact the delivery company to let them know that their delivery van came to their premises and the appropriate verifications were made. The guards provide a report explaining that the identification verification did not pass expectations, and the company is therefore alerted to the possibility that their brand may have been impersonated to deliver a potentially malicious parcel. The delivery company can then identify what went wrong and guide what corrective measures must be put in place to rectify the issue.

    In this example, the expected driver was out sick and a replacement driver filled in, meaning every part of the delivery process was legitimate. The company might then change their DMARC policy so the guards take no action if and when packages are delivered by the substitute driver.

    Why Is DMARC Important?

    Organizations may suffer lasting brand damage and revenue loss if their customers, partners, employees or suppliers are successfully targeted by cybercriminals. And the likelihood of that happening is growing fast as the increasing sophistication of brand impersonation attacks makes it nearly impossible for the attack recipient to discern the legitimacy of the email communication they receive.

    This can create an erosion of brand trust that causes customers to view future legitimate communications as suspicious, thus not opening emails or engaging with their contents. They may even go so far as to create rules in their mailbox to delete all future emails automatically. This could cause irreparable damage for organizations such as online retailers or government departments that rely on the trust of their customers or citizens to deliver services and to function effectively.

    DMARC gives organizations the power to govern their email domains and have visibility over emails that are being sent on their behalf. This allows security teams to quickly discover and halt any unauthorized emails being sent from their domains, protecting customers, employees, partners and suppliers from potential exploitation by cybercriminals. It also gives companies the ability to instruct those receiving their mails to reject the mail if security checks are not aligned.

    The Bottom Line

    With the growing digitization of everyday life, all organizations need to meet their moral obligation to keeping customers safe from exploitation by cybercriminals. But in truth, this is a matter of enlightened self-interest, because keeping their customers safe in this case also means keeping their brands safe. DMARC is an underused but highly effective tool in the fight against email phishing and business email compromise, and can help organizations maintain the trust of their customers, partners and suppliers.

    [1]COVID-19 digital transformation and technology,” McKinsey & Company


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top