So you’ve heard a lot about this new thing called DMARC, but don’t totally understand what to do? You are at the right place! After all, at Agari we are the DMARC guys. (Someone said this to me at a conference recently. I think it deserves a t-shirt. ☺) If you take a few minutes to read on, we will help you understand why you should publish your business’ first DMARC record.
First, let’s cover a couple of basics. DMARC is a specification developed by some of the world’s largest email senders and receivers who got together to form a group called DMARC.org. It is designed to help stop bad guys from spoofing a real business’ domains and tricking users into giving up personal information, a.k.a phishing. Check out some of the data on the DMARC.org site that shows how awesome the adoption of DMARC and the effectiveness of DMARC have been in its first two years.
If what you already know about DMARC has you interested, but not convinced, then let’s look at why you should publish a DMARC record.
1) It’s easy and safe to get started! A DMARC record is a one line TXT record in the DNS for your domain. Here is what a simple DMARC record might look like for your domain.
v=DMARC1; p=none; fo=1; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
Start with a policy that allows you to monitor your email with no danger of blocking real email. In the example above, the “p=none” means that email receivers will take no action but will only monitor and report on your email.
You don’t even need to do anything special with SPF or DKIM to start out. The DMARC data you receive can be your guide to getting SPF and DKIM implementations right. The data will be sent to the email address(es) that you specify after “rua=mailto:” in the example record above.
2) There are tools available to help you understand what it all means. The data you receive after publishing a DMARC record can be intimidating or even incomprehensible. Get help! Your business is probably not about being an email authentication expert, but others are.
The Agari PRO service will collect, normalize, and aggregate your DMARC data from all DMARC reporters. You can access your DMARC data in an intuitive web application. No need for you to learn about parsing and analyzing the ugly XML data files that would otherwise pummel you daily from DMARC receivers. Learn more about Agari PRO and start a free trial.
3) You will learn something about your own email. Most businesses, large and small, have legitimate email sent on their behalf from many sources. Employee email, marketing campaigns, newsletters, surveys, receipts, shipping notices, other transaction notices, payroll, recruiting email, and other HR related notices are all common sources of email for any sized organization.
How many of these types of email does your business send? What email servers do they all come from? Do you even know what company sends them? Often specific types of email are outsourced to 3rd party senders that you don’t even know about.
DMARC can help put these puzzle pieces together for you and allow you to see the whole picture.
4) You will learn something about who is trying to spoof you. How many messages spoofing your domain were sent yesterday? How many are there on an average day? How would you even know? You can monitor an abuse address for complaints, but how many recipients of spoof actually complain? How many even know it was a spoof and not really from you?
Time and again we have seen new customers who are shocked by the amount of spoofing of their domains after turning on DMARC and seeing the data. Check out this quote from Twitter in the latest DMARC.org press release:
“DMARC was eye-opening for our security team at Twitter,” said Josh Aberant, Postmaster at Twitter. “We found massive amounts of abuse from both our domains and look alike domains we’d claimed.
Using DMARC to protect these domains and stop forgeries is a core component of how we protect our users.”
5) Adopt an emerging best practice in data security. Email phishing attacks are the most common entry vector for data breaches. You know the breach that is most recently on everyone’s mind? Target, of course. It turns out a phishing attack led to the hackers obtaining the credentials necessary to pull off the data breach.
Don’t leave your business vulnerable. Publishing your first DMARC record is a start. Protect your business and demand that your partners protect theirs as well.
6) Protect your customers from harm and build trust in your brand. Your customers are your business, right? DMARC is public, broadly implemented, and proven successful where implemented. Your customers deserve this from you!
I hope we have convinced you to take the plunge with DMARC. There’s really nothing to lose from trying it out. You’ll certainly learn something, you’ll probably be scared, and you’ll likely want to continue on to the next steps of securing your brand.