How do I select a DMARC solution for my business?
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol. It builds on the SPF and DKIM protocols to improve, and to monitor, the protection of a domain against fraudulent email.
To select a suitable DMARC solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Scott Croskey, Global CISO, Cipher
DMARC solutions add security to business email systems by ensuring DKIM and SPF standards are in place to mitigate risks from fraudulent use. They evaluate every inbound and outbound email for these security standards and can integrate with Secure Email Gateway solutions to block malicious activity.
When evaluating DMARC solutions, you should focus on vendors that employ the following features:
- Cloud-based (SaaS) deployment. This eases the burden on company IT teams, allowing for the solution to be easily deployed and configured with out-of-the-box security policies.
- Domain diagnosis. This will ensure your business is aware of any domain vulnerabilities, many of which SMBs commonly overlook, consequently increasing their risk.
- User-friendly dashboard. This will ensure your team does not need a lot of time to understand how the solution works.
For larger companies, you should also consider vendors that employ:
- Forensic reporting. This allows for detailed information on why emails may have failed DMARC checks and allows for additional system tuning.
- DNS record change tracking. This allows for additional insight into malicious activity.
- API integration. Large companies typically have internal dashboards and workflows. API Integration with the DMARC solution will allow you to tailor the solution into your enterprise reporting & analysis tools.
Len Shneyder, VP of Industry Relations, Twilio
A company that wants to achieve DMARC enforcement should consider a walk, crawl, run approach as DMARC doesn’t work unless you have published SPF and DKIM. DMARC essentially communicates a policy and set of prescriptive actions to a receiving domain on what to do if an email fails an SPF or DKIM check.
If a company has the technical aptitude to publish SPF and DKIM then it stands to reason they can publish one more policy. However, when a sophisticated enterprise begins working with third parties that want to send emails on behalf of that company, in the form of an email service provider for marketing communications, a ticketing system, an internal HR tool, or all of the above and more, then the DMARC policy becomes much more complicated and a company might consider turning to one of a small field of companies that have automated the process of reaching enforcement.
The question of which provider to choose really rests around the complexity and breadth of your company. Different providers will be suited to different sized companies—however, if you haven’t reached that scale yet, then there’s no reason why you couldn’t do it yourself.
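The complexity Shneyder describes shows up concretely in SPF: every third-party sender that is added via `include:` consumes part of the 10 DNS-lookup budget RFC 7208 allows per check, and a marketing ESP, a ticketing system and an HR tool together can exhaust it. The following is an added example, not code from the article or from Twilio; it counts lookups over a constructed dictionary standing in for DNS, and every domain in it is a placeholder.

```python
"""Count the DNS lookups an SPF record tree needs, offline.

Added example, not from the article or Twilio. RFC 7208 allows at most 10
lookup-causing terms (include, a, mx, ptr, exists, redirect) per SPF check.
The records below are constructed; all domains are placeholders.
"""

# Constructed stand-in for DNS: domain -> its published SPF TXT record.
SPF_RECORDS = {
    "example.com": "v=spf1 mx a include:_spf.esp-vendor.test "
                   "include:ticketing.test include:hr-tool.test -all",
    "_spf.esp-vendor.test": "v=spf1 include:pool-a.esp-vendor.test include:pool-b.esp-vendor.test ~all",
    "pool-a.esp-vendor.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "pool-b.esp-vendor.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "ticketing.test": "v=spf1 a mx -all",
    "hr-tool.test": "v=spf1 redirect=_spf.hr-tool.test",
    "_spf.hr-tool.test": "v=spf1 ip4:203.0.113.0/24 a:relay.hr-tool.test -all",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def count_lookups(domain, records=SPF_RECORDS, seen=frozenset()):
    """Return (total, trace): lookups needed for `domain` and the terms that caused them."""
    if domain in seen:          # an include/redirect loop would otherwise recurse forever
        return 0, []
    seen = seen | {domain}
    total, trace = 0, []
    for term in records.get(domain, "").split()[1:]:   # [0] is the 'v=spf1' version term
        # Mechanism name without qualifier (+-~?), argument, or CIDR suffix.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name not in LOOKUP_TERMS:
            continue                                   # ip4/ip6/all cost no lookup
        total += 1
        trace.append(f"{domain}: {term}")
        if name in ("include", "redirect"):            # descend into the referenced record
            target = term.split(":" if name == "include" else "=", 1)[1]
            sub_total, sub_trace = count_lookups(target, records, seen)
            total += sub_total
            trace.extend(sub_trace)
    return total, trace


def within_limit(domain, records=SPF_RECORDS):
    """True when the record tree fits RFC 7208's 10-lookup budget."""
    return count_lookups(domain, records)[0] <= MAX_LOOKUPS
```

With the three constructed third parties the root record needs 11 lookups, one over the limit, which is exactly the situation where hosted SPF management or flattening becomes attractive.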
Chuck Swenberg, SVP Strategy, Red Sift
It used to be that interpreting DMARC reports, which provide a view of mail authentication results of every IP that’s being used to send mail on behalf of your domain, was sufficient. However, these traditional stand-alone DMARC tools linked with professional services are increasingly no longer cost effective or time sensitive to organization needs. The continuing rise of email threat volumes and increased diversification and enablement of app/cloud services for email require strong diligence in selecting a solution. DMARC should also no longer be viewed just as a one-time configuration project.
- Accuracy: What is the level of completeness for classification of IPs from the reports of mail senders and subsequent categorization that represent the mail that belongs to my organization?
- Insight: Is there a clear, defined workflow process in the solution? The best solutions will have easy to use, staged flows that display recommended actions and contextual guides from the data presented to explain misconfigurations in email authentication. Data needs to be actionable with insight.
- Automation: How long will it take my organization to implement DMARC? How can I effectively maintain a DMARC enforcement policy on an ongoing basis? More recent platform solutions for DMARC use hosted management for SPF authentication which allows for expansion past the 10 SPF lookup limit and provides a far more reliable and resilient email delivery. Ongoing automated monitoring with alerting which recognizes changes in authentication, identifies new sources and takes immediate action should be requirements.
- Value: How much should I budget and how can total cost and time resources be efficiently managed? Look for automation of defined actions and applying expertise to specifically implement those actions in the best manner for the organization. This will help limit the dependency on external professional services and result in significantly lower costs over time.
Automation is fundamental to selecting a solution that significantly lowers cost and reduces time to implementation of DMARC and ensures the more reliable approach to email handling and delivery of your organization’s email.
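The accuracy question above is about what the aggregate (rua) reports actually contain: per source IP, a message count, the disposition the receiver applied, the aligned SPF/DKIM results, and the raw authentication domains. The block below is an added example, not code from the article or from Red Sift; it parses a constructed report in the RFC 7489 aggregate XML format and groups counts by source IP, with placeholder IPs and domains.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example, not from the article or Red Sift. SAMPLE_REPORT is a constructed
report in the RFC 7489 aggregate XML format; IPs and domains are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>esp-vendor.test</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>45</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>unknown.test</domain><result>none</result></spf></auth_results></record>
</feedback>"""


def summarise(xml_text: str) -> dict:
    """Group message counts by source IP; a source passes DMARC when an aligned identifier passed."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "dmarc_pass": 0, "dmarc_fail": 0,
                                   "auth_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned verdicts; auth_results holds the raw ones
        # (the second record passes raw SPF for esp-vendor.test but fails aligned SPF).
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[ip]
        entry["count"] += count
        entry["dmarc_pass" if passed else "dmarc_fail"] += count
        for dom in rec.iterfind("auth_results/*/domain"):
            entry["auth_domains"].add(dom.text)
    return dict(summary)


def unauthenticated_sources(xml_text: str) -> list:
    """Source IPs that never passed DMARC: the first sources to classify and investigate."""
    return sorted(ip for ip, e in summarise(xml_text).items() if e["dmarc_pass"] == 0)
```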
Anna Ward, Head of Deliverability, Postmark
A good DMARC solution should clearly identify high-risk sources, forwarders, and common email providers. It should provide actionable next steps in mitigating risk and minimize details until you actually need them. Avoid solutions that don’t show all authentication domains, differentiating between just passing SPF/DKIM and alignment.
Remember that adding a DMARC solution is essentially just adding a reporting address to your policy, so try on a few (or several at a time) if you’re curious about any provider.
How hands-on do you want to be? Will you regularly access the data via API, the app/website, email digests, etc.? For sharing the data with multiple people/teams, look for secure multi-user management. Want a human guiding your progress, or do you prefer the ability to self-serve? Finally consider whether you’d point your DNS records to your DMARC provider, as some will include/exclude sending sources for you.
- If you have many low-sending domains, look for tiered pricing by volume. Some are even free below a certain volume.
- If you have a higher-volume domain, look for pricing per monitored domain. This also limits price fluctuations, especially if there’s a surge in unauthorized mail.
- With both pricing options, check whether they include monitoring for subdomains inheriting the DMARC policy from the main domain.