DMARC (Domain-based Message Authentication, Reporting and Conformance) has been gaining traction over the past couple of years. A growing number of organisations are familiarising themselves with what DMARC is and what its benefits are, and in many cases companies implement it after learning about it. However, not every organisation is keen on using DMARC. There are still concerns about some aspects of how DMARC is implemented.
Let’s discuss some of the concerns:
- Will DMARC prevent email delivery, which is vital to every organisation?
If DMARC is implemented with loopholes or otherwise improperly, it can break mail delivery. Even so, many large corporations, governments and email providers (Google, Yahoo and Microsoft, for example) have implemented it with success at the highest policy level of Reject. The important part of the implementation process is to follow proper guidelines and take advantage of the right resources and tools.
What are some best practices when implementing DMARC?
- Start at policy level None: It is crucial not to jump to Quarantine or Reject from the start. Starting at None allows analysts to review reports and make sure that the two protocols required by DMARC (SPF and DKIM) are set up correctly. This should be done for about 2-4 months just to make sure nothing is missing, and then you can move up to Quarantine or Reject. The good part is that the organization has full control over its DMARC record, so you can change it at any time.
- Use proper syntax: As with any code, this is critical when creating any type of DNS record. If a dot or semicolon is missing from the record, things will break. It is important to use the appropriate SPF/DKIM/DMARC tools to get the proper syntax for each of those records.
- Continuous monitoring of the reports: Reports will inform you of the reality of messages at the recipient end. These reports will provide data as to which domains (authorized and unauthorized) are sending messages using the organization’s email domain. This no doubt takes some effort, and you can consider using a DMARC vendor such as Agari, dmarcian, Proofpoint, or ValiMail to assist. If these vendors are too costly, there are free tools, but there is a trade-off in terms of time and resources.
What are some of the available resources and tools?
- GCA DMARC Setup Guide: Ever since GCA deployed the DMARC Setup Guide, approximately 1,800+ unique domains have used the site in some fashion. Of those, over 20% have implemented DMARC at some level. The visitors (and eventual DMARC implementers) of the site range from small to large organizations across various sectors around the globe.
- DMARC.org: This site is full of information and resources to learn about DMARC. It also provides links to tools that can be used to review the reports generated, many of which are free!
- DMARC Vendors: DMARC vendors are the best source of information, and hence you should reach out to a reputable company to request a pilot.
- The time required for implementation will be too long.
DMARC uses the existing DNS infrastructure, which removes half the hassle, but implementation is still a time-consuming process for a large organization with multiple subdomains or a decentralized email infrastructure. All you need to do is add three DNS TXT records (well, possibly more if you have multiple subdomains).
Again, if you use the right tools (GCA DMARC Setup Guide) and get proper guidance (GCA, DMARC.org, and/or DMARC vendors), you should be able to implement DMARC correctly and without issue at policy level None.
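The "use proper syntax" advice and the DMARC TXT record mentioned above can be checked before the record is published. The following is an added example, not part of the original article: a small linter for the DMARC record value, where `example.com`, the report mailbox and the function name are assumptions.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for the placeholder domain example.com.
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
MISSING_SEMICOLON = "v=DMARC1; p=none rua=mailto:dmarc-reports@example.com"

def lint_dmarc(txt):
    """Return a list of problems found in a DMARC TXT record value."""
    problems, tags = [], {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag {name!r}")
        else:
            tags[name] = value
    # The version tag has to come first, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    for name in ("p", "sp"):
        if name in tags and tags[name].lower() not in POLICIES:
            problems.append(f"{name}={tags[name]!r} is not none, quarantine or reject")
    if "p" not in tags:
        problems.append("required tag p is missing")
    pct = tags.get("pct", "100")
    if not (re.fullmatch(r"\d{1,3}", pct) and int(pct) <= 100):
        problems.append(f"pct={pct!r} must be an integer from 0 to 100")
    # This example accepts only mailto: report destinations.
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} URI {uri.strip()!r} is not a mailto: URI")
    # At policy None the reports are the whole point, so flag a missing rua.
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("p=none without rua: no aggregate reports will arrive to review")
    return problems

if __name__ == "__main__":
    for record in (GOOD, MISSING_SEMICOLON):
        print(record, "->", lint_dmarc(record) or "ok")
```

The second sample shows the missing-semicolon failure: the `rua` tag is swallowed into the value of `p`, so the policy is no longer a valid keyword.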
Implementation of DKIM is another task. Many mail gateway systems or cloud mail providers assist with the implementation of DKIM. However, if you have your own mail servers, DKIM may be more challenging to implement. Currently DKIM is not compatible with MS Exchange. However, there are third-party tools which will work with MS Exchange, such as*:
Open source option, DKIM-Exchange
There is also this site for instructions on how to set up DKIM using a different tool
And finally this one
(* Please note, GCA does not recommend or endorse any specific tool).
- There aren’t enough resources.
Outsourcing the implementation and assigning a team of 2-3 people should be enough to get this going. Going through the reports is the most tedious job in the process, and the quantity of reports will vary depending on the domain the organization uses. The analyst will spend more time in the initial period, say a couple of weeks to a couple of months, before DMARC can run without periodic review.
For some small to mid-size organizations, report analysis may not be too time consuming and the free report analysis tools can be used. However, for some mid to large-size organizations, DMARC vendors may be a better route in order to properly and effectively analyze the larger volume of DMARC reports that will be generated.
Clearly, the benefits of DMARC far outweigh the hassles. In fact, if done via a SOC, these reports provide additional insights into spamming/phishing activities.
Experts at Logix Infosecurity understand the implementation very well, and the crucial part, figuring out the implementation in accordance with the organization’s needs, is a priority for Logix.