DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security protocol that protects brands from email-based impersonation, phishing, and other malicious attacks. The protocol helps to ensure that only emails from authorized sources reach their intended recipients and helps to identify and block malicious emails that attempt to impersonate the brand. As with any security protocol, DMARC has its limitations. While DMARC is an effective tool for brand protection, there are certain scenarios in which it falls short.
In this blog post, we’ll discuss some of the limitations of DMARC for brand protection.
- DMARC is only as effective as its implementation: If a company does not correctly configure its DMARC settings, it will not effectively protect its brand. This is especially true for domains that rely on third-party services, such as email marketing platforms. If the third party is not correctly configured to send on the company's behalf under its DMARC settings, the company's brand will not be protected.
- DMARC does not protect against lookalike-domain spoofing: DMARC only covers the exact domain that publishes the policy. It does not protect against an email sent from an address that appears to belong to a legitimate sender but actually comes from a different, lookalike or typosquatted domain. For example, if DMARC is enabled for chase.com but a bad actor registers chase.tk (a different TLD) or the IDN chasё.com, DMARC does nothing to protect against mail from those domains. Such spoofing can be used to send spam or phishing emails and damage a brand's reputation. Check out our blog post on typosquat monitoring tools here.
- DMARC cannot detect all malicious activity: DMARC is not a silver bullet. For example, it cannot detect malicious activity originating from domains that are not associated with a company's brand, so malicious actors can still target a company's customers and employees even when DMARC is in place.
- DMARC does not protect against non-email-based attacks: DMARC is not a magic bullet and does not protect a company from attacks outside email, such as scams on social media. An executive impersonated on social media can post any type of phishing link, and DMARC likewise does nothing against SMS phishing. These attacks can be used to gain access to a company's systems or data and can have severe repercussions for its brand.
The Difficulty of Managing DMARC
The difficulty of managing DMARC depends on a number of factors, including the complexity of your organization’s email infrastructure and the level of expertise of the person responsible for managing DMARC.
To implement DMARC, you will need to publish a DMARC policy in the DNS records for your domain. This policy specifies which mechanisms are used to authenticate email messages sent from your domain, and what to do if the message fails authentication. Setting up a DMARC policy typically involves the following steps:
- Identify the email authentication mechanisms used by your organization: This could include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), or both.
- Determine the desired level of enforcement for your DMARC policy: You can choose to quarantine email messages that fail DMARC evaluation, reject them outright, or simply record the failure and take no action.
- Publish your DMARC policy in the DNS records for your domain: This involves creating a TXT record that includes the DMARC policy, and adding it to the DNS records for your domain.
- Monitor DMARC reports: DMARC includes a reporting mechanism that allows domain owners to receive reports from recipient mail servers about the handling of email messages that claim to be from their domain. These reports can be used to monitor the effectiveness of the DMARC policy and identify any issues that need to be addressed.
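As an added example (not part of the original post), here is how a receiving server consumes the policy these steps publish: it looks up the `_dmarc` TXT record for the From domain, parses the `p=`, `adkim=` and `aspf=` tags, checks whether a passing SPF or DKIM result aligns with the From domain, and applies the published disposition. The DNS zone below is constructed, and the organizational-domain logic is simplified (real receivers use the Public Suffix List). It also shows two limitations discussed above: a `p=none` policy records failures without blocking, and a lookalike domain such as chase.tk is judged only against its own record, never chase.com's.

```python
from typing import Dict, Optional
# Constructed DNS zone (_dmarc.<domain> TXT records); the lookalike chase.tk publishes none.
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.monitoronly.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoronly.example",
}

def org_domain(domain: str) -> str:
    """Organizational domain (simplified to the last two labels; real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict; v=DMARC1 must lead and p is required."""
    tags: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError(f"invalid DMARC record: {txt!r}")
    return tags

def lookup_policy(from_domain: str) -> Optional[Dict[str, str]]:
    """Policy for the RFC5322.From domain, falling back to its organizational
    domain; None means the domain publishes no DMARC record at all."""
    for d in (from_domain, org_domain(from_domain)):
        txt = DNS_TXT.get(f"_dmarc.{d}")
        if txt:
            return parse_dmarc_record(txt)
    return None

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain: str, spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Disposition a receiver applies: 'pass', 'none', 'quarantine' or 'reject'.
    spf_domain is the MailFrom domain that passed SPF, dkim_domain the d= of a
    verified DKIM signature; None means that check did not pass."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return "none"  # no DMARC record: nothing to enforce
    if aligned(from_domain, spf_domain, policy.get("aspf", "r")) or \
       aligned(from_domain, dkim_domain, policy.get("adkim", "r")):
        return "pass"
    return policy["p"]
```

Note that a third-party sender whose SPF or DKIM domain does not align with the company's From domain (for example `mailer.example.net`) fails and gets the published `p=` disposition, which is the misconfiguration case from the first limitation above.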
Overall, managing DMARC can require some technical expertise and may require a significant time investment, depending on the complexity of your organization’s email infrastructure.
Real-World DMARC Failures
According to a report published by Valimail in 2020, the overall DMARC adoption rate among domains worldwide was 60.3%, and the percentage of email traffic covered by DMARC policies was 63.5%. This indicates that a significant portion of email traffic is protected by DMARC. However, it is important to note that DMARC is not a perfect solution, and it is still possible for malicious actors to bypass DMARC checks and send fraudulent emails.
Here are a few examples of real-world DMARC failures:
- In 2017, the personal email accounts of several high-profile individuals, including former U.S. President Barack Obama and former U.S. Secretary of State Colin Powell, were hacked and used to send phishing emails to other individuals. The emails appeared to be from the hacked individuals, but were actually sent by malicious actors using domains that had a DMARC policy set to “none”, allowing them to bypass DMARC checks.
- In 2018, the Marriott hotel chain suffered a data breach in which the personal information of up to 500 million guests was exposed. The attackers used a technique called “spoofing” to send phishing emails to Marriott employees that appeared to be from trusted sources, such as the company’s CEO. The emails were sent using domains that were legitimate subdomains of Marriott’s domain, allowing them to bypass DMARC checks.
- In 2019, the Twitter accounts of several high-profile individuals, including former U.S. President Barack Obama, former U.S. Vice President Joe Biden, and tech mogul Elon Musk, were hacked and used to send fraudulent tweets offering to give away cryptocurrency. The tweets appeared to be from the hacked individuals but were actually sent by malicious actors using domains that were not covered by DMARC policies, allowing them to bypass DMARC checks.
The Need for Digital Risk Protection
In conclusion, DMARC is an effective tool for brand protection, but it is not a silver bullet. Companies should be aware of its limitations and take additional steps to protect their brand from malicious activity. This includes implementing additional security solutions, such as a fully automated digital risk protection solution that not only detects and monitors impersonation but also remediates it by taking down fraudulent websites, fake executive profiles, fake mobile apps, and other types of scams on the web, social media, mobile app stores, and the dark web.
A digital risk protection solution can help you stay ahead of the curve regarding emerging threats. As technology evolves and new threats arise, you need to be able to respond quickly and effectively. With a digital risk protection solution, you can monitor your digital assets for any changes or anomalies that could indicate a security risk. This can help you stay one step ahead and ensure that your assets remain secure. Another benefit of a digital risk protection solution is that it can help you reduce the cost of responding to threats. By monitoring your digital assets in real time, you can quickly identify potential threats and take steps to mitigate them. This can help you save money by avoiding hiring external consultants or investing in expensive security solutions.
Get a free, fully customized demo from Bolster.