DMARC: Pros and Cons of Implementing
You may be asking yourself “What’s all this I’m hearing about DMARC these days?” Today we’ll be talking about weighing the pros and cons of this technology and how secure it really is. Before we get into the pros and cons, let’s start off at a high level by defining what it is.
According to dmarc.org, Domain-based Message Authentication, Reporting & Conformance (or simply, DMARC) “is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.”
The Pros of DMARC
Like any newer or emerging policy in the realm of cyber security, DMARC has decent pros that we can leverage if we choose to implement it. Furthermore, how can we say “No” to having less fraudulent email reach our perimeter?
- Helpful with securing email systems from obvious threats such as ransomware, phishing attacks, and spam.
- May reject bad emails prior to reaching the perimeter of the network.
- Makes it easy to identify if others are spoofing your email domain.
- The majority of malicious actors do not implement SPF, DKIM or DMARC.
The Cons of DMARC
We discussed the pros, but what about the cons? Just a pre-warning! This is going to be a lengthy one!
- The adoption rate is critical to the success of this technology. Most large companies have not adopted this technology. A report by Agari mentioned, “92 percent of all Fortune 500 companies have left their customers and business partners unprotected from phishing and other forms of email attacks that impersonate their corporate email domain.”
- The technology has zero security if your mail server is compromised. (Remember: Office 365?)
- Can be confusing for email administrators to implement if they are not familiar with the technology.
- It’s a band-aid to the SMTP protocol and will not be a cure for email security related problems.
- Going from a quarantine to reject mode is risky for businesses that spoof email on behalf of themselves.
- The leader of Gartner’s Email Security Gateway’s Magic Quadrant, namely Proofpoint, Inc., does not implement DMARC at a reject level at the time of writing of this article. Yet the company upsells their product to provide paid professional services to help implement reject mode for your business. Proofpoint mentions that they are “living the same world as their customers.”
I believe it’s important for everyone to understand the pros and cons before diving head first into a project. I highly recommend that DMARC is implemented in conjunction with your SPF and DKIM records to help fight against malicious email. Even more critical to this is to spend time with your end-users. Providing education on things to look out for can go a long way. After all, they are your last line of defense.
With that said, DMARC is nothing more than a band-aid to an old protocol and won’t last forever. It only took a little while before malicious actors started to secure their websites with valid SSL certificates. I believe we will see fewer and fewer malicious actors spoofing email addresses. Then, it won’t be long before they spend a little extra effort with implementing SPF and DKIM records. When that happens, we’ll be back to square one.