Email Security Blog

DMARC: 3 Best Practices for Capturing Next-Level Business Value

Brent Sleeper December 18, 2020 DMARC

Implementing DMARC at its highest enforcement level is critically important to security and messaging operations. But it’s also just the first step to realizing the full value of your DMARC program.

To understand why, let’s start with the basics. DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, can stop fraudsters from spoofing your domain and impersonating your brand in email scams targeting your employees, customers, suppliers, and the general public.

By achieving strong DMARC enforcement—often described in shorthand “p=reject” or a “reject policy”—businesses can put an end to this kind of “brandjacking” virtually overnight. There simply isn’t a more effective or efficient way to protect against domain spoofing and email-based brand impersonation.

But beyond the immediate benefits of strong email authentication, there’s an additional quality that distinguishes top DMARC leaders in the enterprise space. They approach their efforts as opportunities to deliver ongoing value to their organizations. For those seeking to maximize positive business impact, “p=reject” is not the end of the road—it’s just one (big) step toward amplifying the potential of your DMARC program.

Sudden Impact: 3 Keys to Higher ROI

The experiences of enterprises that approach DMARC with this perspective show there are three best practices other organizations would be wise to adopt. Each builds upon a foundation of strong, reject-level enforcement to operationalize practices that deliver ongoing value and maximize the return from investing in a DMARC program.

1. Expand Your Perspective to Address the Totality of Email Brand Protection

DMARC sometimes is viewed as a binary control: You’re either blocking email attacks that spoof your domain, or you’re not. And while it’s certainly true that strong DMARC enforcement is an essential and highly effective solution to the problem of domain spoofing, DMARC by itself won’t help with closely related types of trickery.

Consider lookalike or “cousin” domains—a threat that goes unaddressed by the DMARC standard. A credential phishing attack that leverages a purposeful typo in a domain name could be nearly as devastating to your customers and brand as one that relies on a literal domain spoof.

Although the underlying mechanism may be technically distinct, lookalike domains are part and parcel with the same scammers’ playbooks. That’s why stopping these types of brand impersonation should be included in the mission of your DMARC program. Unfortunately, discovering and shutting down those attacks one-by-one can be a frustrating and ultimately ineffective game of whack-a-mole.

That’s why enterprises that reap the most from their email brand protection programs have figured out that they must act on and report threat data about these other attacks alongside standard DMARC domain spoofing defenses. The best even automate processes such as domain take-down to better operationalize and improve their ability to defend customers and other businesses from these attacks.

2. Integrate DMARC Into Your Ongoing Security Operations

DMARC presents an interesting governance challenge. As a technology and implementation endeavor, it doesn’t fit neatly into a single box. DMARC builds on the messaging infrastructure of mail servers and other systems typically managed by IT messaging operations and line-of-business operations teams. And just as certainly, DMARC reporting is an important source of threat data and a security control that is essential to the mission of security teams.

So it’s completely normal that in many organizations, responsibility for DMARC straddles the line between messaging and security operations. And the truth is, either team can implement and manage DMARC programs effectively.

But wherever a DMARC program lives within an organization, its impact is key to maximizing the benefit throughout the enterprise. That means treating it not only as a control (though it is an effective one), but also as an ongoing source of intelligence.

While it’s tempting to imagine that intelligence comes “for free” in the reporting defined by the DMARC standard itself, data only becomes intelligence if it’s accessible and actionable. So it’s important that a DMARC program supports that security mission by alerting to threat spikes, or providing detailed forensic data for incident investigation.

Enterprises that have fully integrated DMARC into their security mission go even further. DMARC is typically thought of as a control on outbound messages. But reporting on the authentication status of inbound messages provides critical visibility into incoming impersonation threats to protect employees and support the mission of your security team. And integrating DMARC threat alerts—outbound or inbound—into a security team’s SOAR or SIEM both improves visibility into threats and the effectiveness of a response.

3. Build on DMARC Enforcement to Improve Customer Experience and Trust

By itself, strong DMARC enforcement reduces business risk and reinforces customer trust. But the enterprises that maximize the ongoing value of their DMARC investment go further than passive enforcement. They build on the foundation of strong DMARC enforcement to improve their customers’ email experience—and even reap tangible benefits such as increased brand visibility.

BIMI (Brand Indicators for Message Identification) is a standard developed by an industry coalition of major email and security companies. It provides a mechanism for a verified sender’s official logo to appear alongside email messages in space controlled by the email client, typically where user avatars or initials appear. We expect Gmail and other major mailbox providers to roll it out at an expanded scale throughout 2021.

BIMI requires DMARC enforcement, leveraging the incentive of valuable brand impressions to help businesses secure their sending domains from spoofing attacks. BIMI also introduces more control over the use of a brand in email by ensuring that only approved domains are allowed to have the verified logo shown alongside an email message.

Consider how much value there is in the integrity of a brand mark. BIMI is an opportunity to get a brand logo in front of a customer and provides an opportunity for a message to more clearly stand out. Just as importantly, it reinforces trust that an email message is authentic. Both of these attributes contribute to a better customer experience—and they’re good examples of how messaging and security teams can deliver more value to the business with their DMARC program.

Your Mission: So Much More Than p=reject

Whether you’ve achieved “p=reject,” or are still working to reach that important milestone, it’s high-impact work. But as we’ve seen, DMARC isn’t something to “set and forget.”

Some of the most significant benefit comes when you integrate your DMARC controls into a larger set of processes that deliver ongoing value. And this focus on optimizing business impact from a DMARC program is an important part of what distinguishes the product philosophy behind Agari Brand Protection™ from many other solutions on the market.

Agari pioneered DMARC deployment at enterprise scale, making implementation simpler, more scalable, and lower risk. Today, Agari Brand Protection builds on that deep experience to include capabilities such as business-focused performance metrics, inbound DMARC visibility, sophisticated API integrations, look-alike domain protection, and BIMI enablement that help enterprises capture more business value from their DMARC initiative.

From Here to DMARC-able

Today, more than 40% of the Global 2000 rely on Agari solutions and know-how to support their DMARC missions.To understand why, and to gain additional expert advice for ensuring your DMARC program is successful, read our recent post, “5 Keys to DMARC Success: Leadership and Implementation Best Practices from the Pros.” It has great insights that will help your teams develop both the technical and leadership proficiencies that distinguish the most impactful enterprise DMARC initiatives.

As powerful as it is, DMARC implementation isn’t a finite project or event. It’s an ongoing mode of operation. And it’s not just about protecting your customer base and your brand reputation. It’s about growing and enhancing them. These three best practices from DMARC leaders can help you do just that.

Learn more about capturing ongoing value from your DMARC investment in an on-demand webinar titled, “Next-Level DMARC” from Agari.

Agari Blog Image

May 5, 2021 Michael Paiko

5.8B Malicious Emails Spoofed Domains; 76% of Fortune 500 Still at Risk: DMARC Results from Agari

Global adoption of Domain-based Messaging, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide…

Agari Blog Image

April 27, 2021 Michael Paiko

What Is SPF and How Does It Work?

We're going to delve into what SPF for email is, how to implement it, the…

Agari Blog Image

April 20, 2021 Autumn Tyr-Salvia

What is DMARC? Effects on Email Spoofing & Deliverability

Wondering how DMARC affects email? Here’s a comprehensive guide explaining what DMARC is, how it…

Agari Blog Image

February 11, 2021 Crane Hassold

Cosmic Lynx Returns in 2021 with Updated Tricks

In July 2020, we published a report on a Russian-based BEC group we called Cosmic…

Agari Blog Image

February 9, 2021 Michael Paiko

DMARC 101 (Part II) – DMARC Fills the Holes Left by SPF and DKIM

You can catch up on Part 1 here. As we discussed in part one of…

mobile image