DMARC Breaks Email!!!

By Shehzad Mirza

Or does it? DMARC (Domain-based Message Authentication, Reporting and Conformance) has been gaining traction over the past few years. More organizations are becoming aware of it and are willing to at least learn what it is, and some even implement it for their organization. However, many more are still not willing to implement DMARC. Some of their concerns may be true, but each one of them can be overcome with the proper guidance, resources and tools.

Let’s break each one down.

1. DMARC will prevent our email from being delivered, which is vital to our organization.

Yes, it is possible that it may “break” email, which is vital to any organization, if implemented improperly. Yet many large corporations, governments and email providers (Google, Yahoo and Microsoft, for example) have implemented it with success at the highest policy level of Reject.  The key to their success is following the proper guidelines, and taking advantage of the right resources and tools.

What are some best practices when implementing DMARC?

  • Start at policy level None: Don’t jump to Quarantine or Reject from the start. The reason for this is so staff can review reports and make sure that the two protocols (SPF and DKIM) required by DMARC are setup correctly.  Do so for about 2-4 months just to make sure nothing is missing, and then move up to Quarantine or Reject.  Remember, you have full control over the organization’s DMARC record, so you can change it at any time.
  • Use proper syntax. This is critical with creating any type of DNS record.  If a dot or semicolon is missing with the record, things will break.  It is important to use the appropriate SPF/DKIM/DMARC tools for proper syntax for each of those records.  Additionally, there are many free tools which can be used to confirm the accuracy of each record.
  • REVIEW THE REPORTS!!! Why? The reports are what will inform you of what is going on with the messages at the recipient end.  These reports will provide data as to which domains (authorized and unauthorized) are sending messages using the organization’s email domain.  Granted you may receive a large number of reports but that is where you should consider using a DMARC vendor such as Agari, dmarcian, Proofpoint, or ValiMail to assist.  If these organizations are too costly, then there are free tools but there is a trade off in terms of time and resources.

What are some of the available resources and tools?

  • GCA DMARC Setup Guide: Ever since GCA deployed the DMARC Setup Guide, approximately 1,800+ unique domains in some fashion have used the site.  Of those, over 20% have implemented DMARC at some level.  The visitors (and eventual DMARC implementers) of the site range from small to large organizations across various sectors around the globe.
  • This is one of the best sites for information and resources to learn about DMARC.  They also provide links to tools that can be used to review the reports generated.  Many of which are free!
  • DMARC Vendors: It doesn’t hurt to reach out to the DMARC vendors for guidance and information. Request a pilot phase and see what they have to offer.  Many of them do provide capabilities other than DMARC implementation and aggregate report portals.

2. It will take too long or is too difficult to implement DMARC.

This may be true if you are a large organization with multiple subdomains or an email infrastructure that is decentralized.  But the hard part is already done since DMARC uses the existing DNS infrastructure for implementation.  All you need to do is add three DNS TXT records (well, possibly more if you have multiple subdomains).

Again, if you use the right tools (GCA DMARC Setup Guide) and get proper guidance (GCA,, and/or DMARC vendors), you should be able to implement DMARC correctly and without issue at policy level None.

Another challenge is the implementation of DKIM.  Many mail gateway systems or cloud mail providers assist with the implementation of DKIM.  However, if you have your own mail servers, DKIM may be more challenging to implement.  Currently DKIM is not compatible with MS Exchange.  However, there are third party tools which will work with MS Exchange, such as*:

(* Please note, GCA does not recommend or endorse any specific tool).

3. There aren’t enough resources.

This might be true depending on how many subdomains the organization has and the amount of reports received.

When it comes to actual implementation, not many resources are needed.  Possibly a team of 2-3 staff members to collect the information needed, the number and names of  the subdomains, etc..  The amount of time required by the staff will vary from a few days to a few months, depending on the size of the organization. Where resources are needed the most is in the analysis of the reports.  The number of reports depends on the volume of email sent by the organization.  You may receive anywhere from five reports, a few hundred, or even thousands of reports from recipient email servers.  

For some small to mid-size organizations, report analysis may not be too time consuming and the free report analysis tools can be used. However, for some mid to large-size organizations, DMARC vendors may be a better route in order to properly and effectively analyze the larger volume of DMARC reports that will be generated.

Another option is to take advantage of the organization’s Network or Security Operation Center (NOC or SOC), assuming one exists.  The ops center should have the expertise to review the aggregate reports generated.  In fact, some of the data from the reports will be valuable cyber intel for a SOC since any unauthorized senders could be spammers or phishers.  This information can then be added to a blocklist and reports to law enforcement.  Many large organizations do this along with using one of the DMARC vendors.

As you can see, there are various concerns with implementation, but there are solutions for each one. With time, proper guidance and the right tools, DMARC can be set up without “breaking” an organization’s email.  The benefits of DMARC far outweigh the concerns!

The author, Shehzad Mirza, is the Director of Operations (NYC) for the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.