{"id":403,"date":"2021-03-31T06:16:42","date_gmt":"2021-03-31T06:16:42","guid":{"rendered":"https:\/\/prodmarc.com\/blog\/?p=403"},"modified":"2022-07-28T06:20:22","modified_gmt":"2022-07-28T06:20:22","slug":"dmarc-deployment-mistakes","status":"publish","type":"post","link":"https:\/\/testblog.prodmarc.com\/index.php\/2021\/03\/31\/dmarc-deployment-mistakes\/","title":{"rendered":"DMARC Deployment Mistakes Companies Make During Implementation"},"content":{"rendered":"\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/localhost\/blogs\/wordpress\/wp-content\/uploads\/2021\/03\/prodmarc-blogimg-6-2.png\" alt=\"\" class=\"wp-image-412\"\/><\/figure>\n\n\n\n<p>Domain-based Message Authentication Reporting &amp; Conformance, or<strong> DMARC<\/strong>, protects an organization&#8217;s trusted domains from email spoofing. Due to the exponential growth of email fraud, and the fact that domain spoofing attacks account for a significant percentage of these attacks, it&#8217;s no wonder that many businesses are looking to introduce DMARC authentication to ensure that emails sent on their behalf are legitimate.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In fact, the Department of Homeland Security recently required that all civilian government agencies complete the <strong>DMARC implementation<\/strong> within a short timeframe, and urged private companies to do the same.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Many companies have not yet adopted DMARC because it is difficult to enforce and there is a high risk of DMARC problems, such as blocking legitimate email. 
To better help companies and agencies protect their trusted domains, we have identified the following common mistakes made when deploying <strong>DMARC authentication<\/strong>.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #1: Not accounting for all legitimate mail streams, including third-party senders<\/strong><\/p>\n\n\n\n<p>Many senders, including third parties, send emails on behalf of other organizations. It can be difficult to identify all of the legitimate senders, particularly when various departments within a company, such as marketing, sales, and human resources, each use their own third-party email senders.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>However, if legitimate senders are not all identified and authorized to send email on behalf of the company, essential communications may be blocked, causing business disruption. Stakeholders from every department that sends mail should be consulted and involved.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #2: Letting a subdomain inherit the top-level domain\u2019s policy<\/strong><\/p>\n\n\n\n<p>DMARC implementation is usually focused on the top-level domain (ex: acme.com), and organizations can neglect the importance of configuring distinct policies for each of their subdomains (ex: mail.acme.com). Unless a subdomain publishes its own record, the DMARC policy applied to the top-level domain is inherited by all of its subdomains. 
If subdomains are not separately accounted for, this can result in accidental blocking of legitimate email.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #3: Not having a system or tool in place to parse the data from DMARC reports<\/strong><\/p>\n\n\n\n<p>The receiving email service providers&#8217; DMARC aggregate reports provide important details about your email ecosystem, but they are not easy to understand. Unless you can arrange the data in a way that gives it meaning, it&#8217;s just data. Furthermore, keeping up with the sheer volume of reports sent and collating all of the data in a timely way can be difficult.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #4: Not understanding SPF and DKIM alignment<\/strong><\/p>\n\n\n\n<p><strong>DMARC alignment<\/strong> prevents spoofing of the \u201cheader from\u201d address by:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ol><li>Matching the \u201cheader from\u201d domain name with the \u201cMFROM\u201d (envelope MAIL FROM) domain name used during the SPF check, and<\/li><li>Matching the \u201cheader from\u201d domain name with the domain in the \u201cd=\u201d tag of the DKIM signature.<\/li><\/ol>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Proper alignment ensures that the identity being authenticated actually corresponds to the domain the message appears to come from. Third-party email senders, once again, present additional obstacles. Third-party vendors, for example, typically use their own \u201cMFROM\u201d domain. As a result, they pass SPF but not SPF alignment. DKIM is in the same boat. 
Third-party vendors can likewise pass DKIM, but not DKIM alignment, when they sign with their own domain rather than yours.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #5: Using improper DMARC syntax or content<\/strong><\/p>\n\n\n\n<p>Although there are instructions for generating <strong>DMARC records<\/strong>, they can be confusing at times. Improper formatting and\/or content, as well as incorrect policy values, are also common. To prevent DMARC issues, keep the following in mind:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul><li>Don\u2019t forget the \u201c_dmarc.\u201d prefix on the record name<\/li><li>If you have multiple reporting addresses, separate them with a comma, don\u2019t include a space after the comma, and ensure the second address also starts with mailto:<\/li><li>Use correct policy values (example: use \u201cnone\u201d, not \u201cmonitor\u201d)<\/li><li>Check for typos, including missing or extra characters<\/li><\/ul>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #6: Believing in the myth of \u201cpartial enforcement\u201d<\/strong><\/p>\n\n\n\n<p>Unless a percentage is defined with the pct= tag, a <strong>DMARC policy<\/strong> applies to 100% of all mail by default. Unfortunately, if you use p=quarantine and set a percentage lower than 100, some spoofed messages will still get through. 
There is no such thing as &#8220;partial&#8221; <strong>DMARC compliance<\/strong>. While there are ways to use percentages usefully during a rollout, don\u2019t fall into the trap of thinking you\u2019re fully protected if your pct= tag specifies anything less than 100%.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #7: Immediately going to a full \u2018Reject\u2019 policy<\/strong><\/p>\n\n\n\n<p>We often see businesses implement DMARC and then instantly switch to a full &#8220;Reject&#8221; policy. Going to a full &#8220;Reject&#8221; policy right away is a common blunder because it will almost certainly result in the loss of valid email. We suggest deploying DMARC policies in phases. Begin by tracking your traffic and searching your reports for anomalies, such as unsigned messages or signs that your domain is being spoofed.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Move your policy to <strong>DMARC quarantine<\/strong> in small steps until you&#8217;re satisfied with the outcome. Once again, keep an eye on the results, this time in both your spam quarantine and your DMARC reports. Move your policy to \u2018Reject\u2019 only once you are certain that all of your legitimate messages are signed. Keep monitoring the reports afterwards to ensure that the results remain satisfactory.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #8: Forgetting about subdomains<\/strong><\/p>\n\n\n\n<p>Subdomains follow the main domain\u2019s policy (e.g. p=reject) by default. Domain owners often concentrate on bringing their main domain to <strong>DMARC compliance<\/strong> while deferring the work required to bring subdomains into enforcement by setting a subdomain policy of &#8220;sp=none.&#8221; Unfortunately, this means that spoofing of those subdomains is still possible. 
Phishing emails sent from whatever@example.com won\u2019t get through, but emails from xyzz@mail.example.com will. To be fully at enforcement, subdomains need to be protected just like the main organizational domain.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #9: Omitting a reporting address<\/strong><\/p>\n\n\n\n<p>One of the most critical features of DMARC is that it provides domain owners with aggregate reports on email authentication status, including passes and failures. You won&#8217;t get this data if you don&#8217;t provide a reporting address (via the rua= tag), and you won&#8217;t know about authentication failures or potential domain impersonation (spoofing) attacks. The reporting address is how the <strong>DMARC record<\/strong> tells receivers where to send reports of these failures.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Mistake #10: Misconfigured SPF records<\/strong><\/p>\n\n\n\n<p>The SPF record is a DNS TXT record that lists the IP addresses of approved senders, mechanisms that refer to other DNS records, and include mechanisms that reference SPF records published by other domains. Although there are several ways to set up an SPF record incorrectly, one of the most common errors is creating a record that requires the receiving mail server to perform more than 10 DNS lookups to evaluate it for each message it receives. If a domain\u2019s SPF record requires too many lookups, some or all emails sent from that domain may fail to authenticate.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Some domain owners \u201cflatten\u201d their SPF record to get around this restriction in the standard, by copying all the IP addresses of their authorized sending services directly into the primary SPF record. 
Instead of include mechanisms that trigger additional DNS lookups, a flattened SPF record lists the IP addresses directly. However, this presents a new issue: the flattened list of IP addresses has to be kept up to date whenever an email-sending service you use adds or removes IP addresses.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>DMARC authentication is an effective method for preventing email fraud against organizations. Carrying out a <strong>DMARC implementation<\/strong> plan is a journey, but the benefits of preventing phishing and email spoofing attacks are numerous.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><a href=\"https:\/\/prodmarc.com\/\">ProDMARC<\/a> is a <strong>DMARC email protection<\/strong> solution that gives companies the visibility, resources, and services they need to easily and confidently incorporate DMARC.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Domain-based Message Authentication Reporting &amp; Conformance, or DMARC, protects an organization&#8217;s trusted domains from email spoofing. 
Due to the exponential growth of email fraud, and the fact that domain spoofing attacks account for a significant percentage of these attacks, it&#8217;s no wonder that many businesses are looking to introduce DMARC authentication to ensure that emails [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":883,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_mi_skip_tracking":false},"categories":[1],"tags":[7,16,19,30,46,51],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts\/403"}],"collection":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/comments?post=403"}],"version-history":[{"count":1,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts\/403\/revisions"}],"predecessor-version":[{"id":945,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts\/403\/revisions\/945"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/media\/883"}],"wp:attachment":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/media?parent=403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/categories?post=403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/tags?post=403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}