The U.S. federal government last year mandated that all agencies implement DMARC policies by October 2018. But according to research by cybersecurity vendor Agari, barely more than half of the agencies have fully enforced DMARC policies as of mid-October. How hard is DMARC to implement and what are its benefits for email security?
The implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) policies relies on two related standards: the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) protocol, both of which defend against spam by authenticating the domains of inbound email.
While DMARC enables the administrative owner of a domain to publish a policy based on either or both standards, implementation presents a challenge, as both protocols can be prone to error when sending emails from a domain and handling email failures.
An organization creating DMARC records for the first time -- as many government agencies are now doing -- will likely encounter both syntax and content issues. Instructions for setting up DMARC records can be confusing, and one of the most common mistakes is the improper use of wildcard domain name system entries. These entries can return both DMARC and non-DMARC records -- such as SPF records and DKIM keys.
Problems can also arise when implementers leave default configurations unchanged. For example, the default DMARC configuration includes the policy p=none, which specifies that no action should be taken if a DMARC check fails. If the default configuration is not updated, DMARC verification may be happening, but any email that fails the tests will not trigger any action.
When configuring DMARC, administrators should review all the suggested solutions at least twice to avoid the confusion caused by visually ambiguous characters. For example, semicolons must be distinguished from colons and commas, because no intelligent parser is on hand to flag the mistake when the administrator enters text incorrectly. Other common problems with DMARC records can be found on the DMARC website.
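The three mistakes described above (wildcard DNS entries returning non-DMARC data, a policy left at p=none, and colons or commas typed where semicolons belong) can be caught before publishing with a small linter. This is an added example, not code from the original article; the function name `lint_dmarc` is hypothetical, the sample records are constructed, and `example.gov` is a placeholder domain. It checks TXT strings you have already retrieved and performs no DNS lookup itself.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def lint_dmarc(txt_records):
    """Lint the TXT strings returned for _dmarc.<domain>; return findings."""
    findings = []
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) < len(txt_records):
        # SPF records or DKIM keys here usually mean a wildcard DNS entry.
        findings.append("non-DMARC TXT data returned at the _dmarc name")
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
        return findings

    tags = {}
    for part in (p.strip() for p in dmarc[0].split(";")):
        if not part:
            continue  # a trailing semicolon is allowed
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not re.fullmatch(r"[a-z]+", name):
            findings.append(f"malformed tag: {part!r}")
        elif re.search(r"[,:]\s*[a-z]+\s*=", value, re.I):
            # Another tag=value hides inside this value: ':' or ','
            # was typed where ';' belongs.
            findings.append(f"wrong separator (use ';'): {part!r}")
        else:
            tags[name] = value

    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("no usable p= tag")
    elif policy not in VALID_POLICIES:
        findings.append(f"unknown policy p={policy}")
    elif policy == "none":
        findings.append("p=none: failing mail triggers no action")
    return findings

# Constructed sample answers for a _dmarc lookup (placeholder domain).
SAMPLES = {
    "enforced": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"],
    "default": ["v=DMARC1; p=none"],
    "separators": ["v=DMARC1: p=reject, rua=mailto:dmarc@example.gov"],
    "wildcard": ["v=spf1 include:_spf.example.gov -all", "v=DMARC1; p=quarantine"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_dmarc(records) or "OK")
```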
When DMARC records are properly set up, email security benefits: unauthorized use of the owner's email domain is prevented, email delivery is simplified and domain owners gain visibility into the use of the email domain.
Furthermore, owners should ensure that the server's IP address doesn't change without a mechanism to update all the DMARC and related system configurations.