DMARC 5 years have past – Where are we now and should you jump on the train

We are now 5 years in sinds the draft version of DMARC in 31-03-2013. Where is DMARC standing today and what is the adaptation rate?

In part 1-3 of the anti-spam countermeasures explained we talked about the more common and known protocols to fight phishing and spam. As there were still a lot of gaps in successfully fighting phishing and spam attacks the DMARC consortium was raised in 2012 and released there DMARC as RFC 7489 in April 2014. Ever sins it`s release the consortium is trying to win popularity for this standard. If we take a look at the numbers, we can see that during the draft phases and the early release the adaptation rate was fairly low. It was not until early 2016 that the protocol started to get more support. In 2016 we saw a total of 60K registered dmarc DNS records which is still a very low implementation rate compared to 24M SPF records. This is only 0.25 %. But wait the consortium seems to reach people together with the cloud strategy of the major players DMARC adaptation is growing faster than ever with over 400% growth in the last year its adaptation currently reaches almost quarter million records.

Sind’s the release of the protocol and the real adaptation start early 2016 we see that the registered records vs the removed records is 80+ %. This means that the standard is being used by spammers to get positive points in anti-spam filters. Even today 12% of all new registered record disappears again after a month!

Why do I need DMARC?

DMARC is born out of the fact that spammers and phishing attacks spoof domains. SPF and DKIM protect the envelope from but not the display from header. And it is this display from header that the end user is seeing and determines if the mail is from a legitimate source. The envelope from used by SPF and DKIM is only validated and used by the technical stuff. This is where DMARC comes in to play because it also uses the display from to validate and align against de envelope from or DKIM signing header. Only if 1 of the 2 fully match “SPF + Alignment” or “DKIM + Alignment” will an email pass DMARC check. On top of that a report will be created containing the results of the authentication mechanisms of every mail and send back to the domain owner at intervals.

Microsoft has introduce new antiphising capabilities to office 365. These capabilities relay heavy on the use of DMARC, DKIM and SPF. So basically when customer start to enable these new capabilities your email might get junked if you don`t act now.

So to summarize the justification to start a DMARC project:

  • Protect employees & customers:
    • Protect company from brand name reputational damage
    • Protect employees and customers from Phishing attacks
    • Protect employees and customers from Data theft
    • Protect employees and customers from impersonation
    • Office 365 can tag unauthenticated mail as junk
  • Gain control:
    • Gain insight into numbers, size and targets
    • Gain control over trusted 3rd party email delegation
    • Make your domains less appealing for malicious intent

I have read the technical stuff but where the heck do I start my implementation?

As DMARC is not a pure technical solution you should also approach a business solution. 3rd parties, inhouse application parties, mail administrators, project managers, DNS teams etc. are all involved. At first starting a project like DMARC might seem a project without end, growing out of portion really fast. To tackle this, I have created a functional implementation guide that can help you through all the phases of implementation.  This implementation guide has already helped multiple large enterprise customers overcome the problems of a DMARC implementation project.

You can find part 1 of the implementation guide here on TechNet

As the guide is still work in progress and more detail and parts will follow you should check up regularly for new updated content of the guide.



Leave a Reply

Your email address will not be published. Required fields are marked *