Top 10 DMARC Deployment Mistakes

CyberSecurityExpert

DMARC, or Domain-based Message Authentication, Reporting and Conformance, protects an organization's trusted domains against email spoofing. With the proliferation of email scams, and domain spoofing making up a significant share of them, it is not surprising that many organizations want to implement DMARC to validate email sent on their behalf. We have compiled a list of common DMARC mistakes to avoid so that your deployment runs more smoothly and succeeds.

Mistakes to avoid when deploying DMARC

It’s no secret that implementing DMARC can be a daunting process. When deploying DMARC, make sure to avoid these 10 common mistakes.

1. DMARC record not found

The first step in deployment is to publish a DMARC record with a policy that does not disrupt mail delivery. Without a published DMARC record you have no view of how your domain is being used outside the infrastructure you monitor, and you forgo the domain protection that DMARC provides. So, after publishing the record, verify it with a DMARC record checker.

2. More than 10 lookups in your SPF record

Having more than 10 lookups in your SPF record is a common mistake when deploying DMARC. To limit the load on receiving mail servers, SPF allows at most ten DNS 'lookups' per evaluation. If your record needs more than that, the sources evaluated after the tenth lookup are not treated as valid SPF sources. If you are over ten, you need to reduce the number of lookups.

SPF, DKIM and DMARC are the standards that protect your domain against being spoofed. So, use an SPF record to protect your email, and remember to run an SPF record check tool to make sure everything is in order.
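The lookup limit is easy to exceed because every include: pulls in the lookups of the record it points to. The script below is an added example (not from the original post) that walks an SPF record the way a receiver does and totals the DNS-querying terms; the ZONE dictionary is constructed data standing in for real DNS, and the domains in it are made up. The same walk works for any SPF record you paste into the dictionary.

```python
# Added example: walk an SPF record and count the DNS lookups it costs.
# ZONE is constructed data, not real DNS; the domains are made up.
LIMIT = 10  # RFC 7208 section 4.6.4 caps DNS-querying terms at 10 per check

ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                    "include:_spf.helpdesk.example mx a -all"],
    "_spf.mailer.example": ["v=spf1 include:_spf1.mailer.example include:_spf2.mailer.example ~all"],
    "_spf1.mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf2.mailer.example": ["v=spf1 ip4:198.51.100.0/24 a:relay.mailer.example -all"],
    "_spf.crm.example": ["v=spf1 include:_spf.esp.example ip4:203.0.113.0/24 ~all"],
    "_spf.esp.example": ["v=spf1 redirect=_netblocks.esp.example"],
    "_netblocks.esp.example": ["v=spf1 ip4:203.0.113.128/25 ~all"],
    "_spf.helpdesk.example": ["v=spf1 include:_spf.helpdesk-a.example include:_spf.helpdesk-b.example ~all"],
    "_spf.helpdesk-a.example": ["v=spf1 mx -all"],
    "_spf.helpdesk-b.example": ["v=spf1 ip4:192.0.2.200 -all"],
    "lean.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
}

# Mechanisms and modifiers that each cost one DNS query; ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def fetch_spf(domain, zone):
    """Return the SPF TXT record published at domain, or None."""
    for txt in zone.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def count_lookups(domain, zone, path=()):
    """Return (lookups, trail) for the SPF record at domain, following include: and redirect=.
    path is the chain of domains currently being evaluated, so include loops are detected."""
    indent = "  " * len(path)
    if domain in path:
        return 0, [f"{indent}{domain}: include loop, not followed"]
    record = fetch_spf(domain, zone)
    if record is None:
        return 0, [f"{indent}{domain}: no SPF record (receivers return permerror)"]
    total, trail = 0, [f"{indent}{domain}: {record}"]
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")              # drop the qualifier
        if "=" in term:                         # modifier, e.g. redirect=domain
            name, target = term.split("=", 1)
        elif ":" in term:                       # mechanism with argument, e.g. include:domain
            name, target = term.split(":", 1)
        else:                                   # bare mechanism, e.g. mx or a/24
            name, target = term, ""
        name = name.split("/")[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        target = target.split("/")[0] or domain  # strip CIDR; bare a/mx use the current domain
        if name in ("include", "redirect"):
            sub_total, sub_trail = count_lookups(target, zone, path + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def check_spf_lookups(domain, zone=ZONE):
    """Summarize the lookup count for a domain against the ten-lookup limit."""
    lookups, trail = count_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups, "within_limit": lookups <= LIMIT, "trail": trail}


if __name__ == "__main__":
    for d in ("example.com", "lean.example"):
        result = check_spf_lookups(d)
        print("\n".join(result["trail"]))
        print(f"{d}: {result['lookups']} lookups, {'OK' if result['within_limit'] else 'OVER LIMIT'}\n")
```

In the constructed data, example.com itself only lists five lookup terms, but the nested includes bring the total to 13; the trail output shows which include contributes what, which is the information you need when deciding what to flatten or drop.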

3. Not focusing on your alignment

One of the most important aspects of DMARC is ensuring that the domain in the 'From' header is that of the legitimate sender of the message. DKIM and SPF are used to authenticate the sender. Alignment means that the 'From' domain matches the domain that SPF or DKIM authenticated. A fairly common mistake is for companies to change their policy while DKIM and/or SPF are still not fully aligned.

Changing your policy while DKIM and/or SPF are not fully aligned will likely result in the loss of legitimate email. Make sure DKIM and/or SPF are fully aligned before tightening the DMARC policy.
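Alignment is the step people miss because SPF and DKIM can both return pass while DMARC still fails. The code below is an added example (not from the original post) of the identifier-alignment decision a receiver makes under relaxed and strict modes. PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list that receivers use to find the organizational domain (RFC 7489 section 3.2), and the domains in the sample calls are made up.

```python
# Added example: the identifier-alignment step of a DMARC evaluation.
# PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list;
# ".example" is included because it is a reserved TLD used for the sample domains.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "example"}


def organizational_domain(domain):
    """Reduce a name to its organizational domain, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):           # the longest matching public suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(header_from, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_alignment(header_from, spf_pass_domain, dkim_pass_domains, adkim="r", aspf="r"):
    """Decide whether a message passes DMARC from its SPF and DKIM results.
    spf_pass_domain: the MAIL FROM domain when SPF returned pass, else None.
    dkim_pass_domains: the d= values of DKIM signatures that verified."""
    spf_ok = aligned(header_from, spf_pass_domain, aspf)
    dkim_ok = any(aligned(header_from, d, adkim) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # 1. Mail sent through a third-party service that authenticates under its own domain:
    #    SPF and DKIM both pass, yet neither aligns with the From: domain, so DMARC fails.
    print(dmarc_alignment("example.com", "bounce.mailer.example", ["mailer.example"]))
    # 2. The same service with a custom return-path and a DKIM key under the customer's domain.
    print(dmarc_alignment("example.com", "bounce.example.com", ["mail.example.com"]))
    # 3. The same message under strict alignment no longer passes.
    print(dmarc_alignment("example.com", "bounce.example.com", ["mail.example.com"], adkim="s", aspf="s"))
```

Case 1 is the situation the section warns about: the reports will show SPF and DKIM passing for the vendor's domain, but every one of those messages would be rejected under p=reject because nothing aligns with the From: domain. Case 3 shows why adkim=s or aspf=s should not be switched on until subdomain senders are accounted for.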

4. Active domain policy enforcement without monitoring

A DMARC record that enforces a policy but requests no reports (e.g. v=DMARC1; p=reject with no rua tag) does not give you the visibility you need to keep your domain secure. Understanding who and what is sending email on your behalf requires continuous monitoring.

5. Specifying implicit (default) tags

Tags set to their default values add nothing. For example, pct=100 is the same as omitting the tag entirely; the same goes for rf=afrf, aspf=r and adkim=r. Adding them only makes the record look more complex and lengthens the TXT record.

6. Submitting reports to a different domain

Sending reports to a destination whose domain differs from your own in the RUA and RUF tags, without first publishing an external domain verification record, is risky. Since Google in particular does not check this requirement, you may well continue to receive reports from Google and assume everything is working.

Other DMARC reporters, however, follow the specification's requirement not to send reports to RUA and RUF destinations in a different domain unless that domain explicitly publishes an external domain verification record in DNS. This record signals that the destination agrees to receive DMARC reports about other domains. It is a mandatory security restriction that prevents reporting from being abused for DDoS attacks, and Google will most likely enforce it in the future.

7. Invalid DMARC syntax

Here are some points to consider when creating DNS records:

  • Remember to separate tag/value pairs with a semicolon;
  • Instead of p=monitor, use p=none. p=monitor was a pre-publication DMARC policy that was displaced by the monitoring policy, p=none;
  • Include mailto: in front of the reporting address;
  • Make sure the DNS TXT record is published at the _dmarc hostname;
  • After v=DMARC1, add the p= tag, which is needed at that position;
  • Remove quotes around the DNS TXT record, although some DNS providers accept quotes.
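Most of the syntax points above, together with mistakes 4 (enforcement without rua) and 5 (redundant default tags), can be caught before the record goes into DNS. The linter below is an added example (not from the original post, and not a substitute for a full record checker); the sample records and hostnames it runs against are constructed. The default values it knows for ri and fo come from RFC 7489 and are not mentioned in the post.

```python
# Added example: lint a DMARC TXT record for the syntax and configuration
# problems listed in mistakes 4, 5 and 7. Sample records are constructed.
DEFAULTS = {"pct": "100", "rf": "afrf", "aspf": "r", "adkim": "r", "ri": "86400", "fo": "0"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a record into ordered (tag, value) pairs; returns (pairs, syntax_findings)."""
    findings, record = [], txt.strip()
    if len(record) >= 2 and record[0] == record[-1] == '"':
        findings.append("record is wrapped in quotes; drop them unless your DNS provider requires them")
        record = record[1:-1]
    pairs = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            findings.append(f"'{chunk}' is not a tag=value pair")
            continue
        tag, value = (part.strip() for part in chunk.split("=", 1))
        if " " in value:
            findings.append(f"'{chunk}' runs two pairs together; separate tags with a semicolon")
        pairs.append((tag.lower(), value))
    return pairs, findings


def lint_dmarc(hostname, txt):
    """Return a list of findings; an empty list means the record passed every check."""
    pairs, findings = parse_dmarc(txt)
    tags = dict(pairs)
    if not hostname.lower().startswith("_dmarc."):
        findings.append(f"record must be published at _dmarc.<domain>, not '{hostname}'")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("first tag must be v=DMARC1")
    if len(pairs) < 2 or pairs[1][0] != "p":
        findings.append("p= is required and must follow v=DMARC1")
    policy = tags.get("p")
    if policy == "monitor":
        findings.append("p=monitor is not a valid policy; the monitoring policy is p=none")
    elif policy is not None and policy not in VALID_POLICIES:
        findings.append(f"unknown policy 'p={policy}'")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} destination '{uri}' must start with mailto:")
    if policy in ("quarantine", "reject") and "rua" not in tags:
        findings.append("enforcing policy with no rua=; you get no aggregate reports and no visibility")
    for tag, default in DEFAULTS.items():
        if tags.get(tag) == default:
            findings.append(f"{tag}={default} is the default and only lengthens the record")
    return findings


if __name__ == "__main__":
    samples = {  # constructed records, not any real domain's DNS
        "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; sp=reject",
        "dmarc.example.com": '"v=DMARC1; p=monitor; rua=dmarc@example.com; pct=100; adkim=r"',
        "_dmarc.example.org": "v=DMARC1; p=reject",
        "_dmarc.example.net": "v=DMARC1 p=none; rua=mailto:dmarc@example.net",
    }
    for host, record in samples.items():
        print(host, "->", lint_dmarc(host, record) or ["OK"])
```

The second sample packs five of the listed mistakes into one record (quotes, wrong hostname, p=monitor, a missing mailto:, and two default tags), the third is an enforcing record with no reporting address, and the fourth shows what a missing semicolon does: the parser sees one tag with a value of "DMARC1 p=none", so p= appears to be absent as well.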

8. No DKIM signature

DKIM is one of the two authentication methods on which DMARC compliance rests. Always sign outgoing messages from your direct mail sources with a DKIM signature. DKIM not only makes your email DMARC compliant, it also survives forwarding, where SPF usually breaks.

9. Immediate transition to a policy of total rejection

We often see companies implement DMARC and then immediately switch to a full "Reject" policy. Going straight to "Reject" is a common mistake because it will almost certainly cause legitimate email to be lost. We suggest deploying DMARC policies in stages.

Start by monitoring your traffic and looking for anomalies in your reports, such as unsigned messages or messages that have been spoofed. Once you are comfortable with the results, move your policy to 'Quarantine'. Monitor the results again, this time checking both spam-folder placement and the DMARC reports.

10. Not configuring parked (inactive) domains

Companies implement DMARC for their active domains, but most also have parked (inactive) domains for which DMARC is not implemented. Failing to set up DMARC for parked domains is a common mistake. You may not send email from a parked domain, but someone else can abuse it. Since these domains send no mail, they are easy to protect. So don't overlook them in your DMARC implementation project.
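Because a parked domain never sends mail, there is no legitimate traffic to break, so it can go to the strictest settings at once: an SPF record of v=spf1 -all, a DMARC policy of p=reject with a reporting address, and, if it never receives mail either, a null MX (0 ., RFC 7505). The check below is an added example (not from the original post) that reports which of those three a domain is missing; ZONE is constructed data standing in for DNS and the domains are made up.

```python
# Added example: check that a domain which sends and receives no mail is locked down.
# ZONE is constructed data, not real DNS; the domains are made up.
ZONE = {
    "parked.example": {"MX": ["0 ."], "TXT": ["v=spf1 -all"]},
    "_dmarc.parked.example": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    "forgotten.example": {"MX": ["10 mail.forgotten.example"], "TXT": []},
    "halfway.example": {"MX": ["0 ."], "TXT": ["v=spf1 include:_spf.mailer.example -all"]},
    "_dmarc.halfway.example": {"TXT": ["v=DMARC1; p=none"]},
}


def dmarc_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value dict."""
    return {key.strip().lower(): value.strip()
            for key, _, value in (chunk.partition("=") for chunk in record.split(";") if "=" in chunk)}


def parked_domain_findings(domain, zone=ZONE):
    """Return the gaps in a parked domain's mail posture; an empty list means locked down."""
    findings = []
    host = zone.get(domain, {})

    spf = [t for t in host.get("TXT", []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record; publish 'v=spf1 -all' so no host is authorized to send")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"SPF '{spf[0]}' still authorizes senders; a parked domain should be 'v=spf1 -all'")

    dmarc = [t for t in zone.get(f"_dmarc.{domain}", {}).get("TXT", []) if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record; publish 'v=DMARC1; p=reject; rua=mailto:<report address>'")
    else:
        tags = dmarc_tags(dmarc[0])
        if tags.get("p") != "reject":
            findings.append(f"DMARC policy is p={tags.get('p')}; a domain that never sends can go straight to p=reject")
        if "rua" not in tags:
            findings.append("no rua= tag; you still want reports of spoofing attempts against the parked domain")

    # RFC 7505 null MX tells senders the domain accepts no mail at all
    if host.get("MX") != ["0 ."]:
        findings.append("no null MX ('0 .', RFC 7505); publish it if the domain never receives mail")
    return findings


if __name__ == "__main__":
    for d in ("parked.example", "forgotten.example", "halfway.example"):
        print(d, "->", parked_domain_findings(d) or ["locked down"])
```

Run against an inventory of registered domains, the findings list is the work queue for the parked-domain part of the project; "halfway.example" in the constructed data shows the common half-done state where records exist but still permit sending.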

Conclusion

DMARC authentication is a valuable tool for preventing email fraud in organizations. The implementation process is tricky, but the benefits of preventing phishing and email spoofing attacks are many. We have listed 10 common DMARC mistakes to help companies protect their domains. Follow these tips to protect your domain with DMARC without deployment mistakes.
