Why DMARC is Worth it for Small Businesses

In a world where expensive security solutions seem to multiply as fast as new cyber threats, it can be difficult for organizations to make good decisions about how to defend their networks without sacrificing operational efficiency, agility, and awareness.  

But Domain-based Message Authentication, Reporting, and Conformance (DMARC), a free-to-use protocol introduced in 2012 to curb email abuse, is available to any domain owner anywhere in the world, and small- and medium-sized organizations in particular should implement it. 

The protocol lets a domain owner publish a DNS record that tells receiving mail servers how to tell legitimate mail from spoofed mail (by checking each message against the domain's existing SPF and DKIM records), what to do with messages that fail that check (monitor only, quarantine, or reject), and where to send reports on what they saw. That stops fraudsters from spoofing a company's legitimate domain in phishing, fraud, or spam campaigns, and gives the owner ongoing visibility into which systems are sending mail in its name.  
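The three moving parts described above (the published policy, the receiver's handling of failing mail, and the reporting address) all live in one DNS TXT record. The script below is an added example, not code from the article or from GCA: it parses such a record, works out what a receiver would do with a message that fails authentication, and flags the gaps a small business typically leaves (monitor-only policy, partial `pct`, unprotected subdomains, no reporting address). The three sample records and the `example.com` addresses are constructed for the example.

```python
"""Parse a DMARC TXT record and assess its enforcement posture.

Added example (not from the article or GCA). Sample records below are
constructed; the tag semantics follow RFC 7489.
"""
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")

# Constructed sample records for three common stages of a rollout.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; sp=none"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; "
            "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; "
            "adkim=s; aspf=s")


@dataclass
class DmarcRecord:
    policy: str            # p=  : none | quarantine | reject
    subdomain_policy: str  # sp= : defaults to p=
    pct: int               # pct=: share of failing mail the policy applies to
    rua: list              # aggregate report URIs
    ruf: list              # failure (forensic) report URIs
    adkim: str             # DKIM alignment: r (relaxed) or s (strict)
    aspf: str              # SPF alignment:  r (relaxed) or s (strict)
    raw_tags: dict = field(default_factory=dict)


def _split_uris(value):
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_dmarc(txt):
    """Parse an RFC 7489 tag=value list into a DmarcRecord, rejecting bad records."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    # v=DMARC1 must be the first tag, and p= is mandatory.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    policy = tags["p"].lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    sp = tags.get("sp", policy).lower()
    if sp not in POLICIES:
        raise ValueError(f"unknown subdomain policy {sp!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcRecord(policy, sp, pct,
                       _split_uris(tags.get("rua", "")),
                       _split_uris(tags.get("ruf", "")),
                       tags.get("adkim", "r").lower(),
                       tags.get("aspf", "r").lower(), tags)


def disposition(rec, spf_aligned, dkim_aligned, sample_in_pct=True):
    """What a receiver does with one message under this record.

    DMARC passes if either SPF or DKIM passes *and* aligns with the From
    domain. For failing mail outside the pct sample, RFC 7489 section 6.6.4
    says to apply the next less strict policy.
    """
    if spf_aligned or dkim_aligned:
        return "pass"
    if rec.policy == "none":
        return "none"
    if not sample_in_pct:
        return "quarantine" if rec.policy == "reject" else "none"
    return rec.policy


def assess(rec):
    """Findings a domain owner should fix before calling DMARC 'at enforcement'."""
    findings = []
    if rec.policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    if rec.policy != "none" and rec.pct < 100:
        findings.append(f"pct={rec.pct}: only part of failing mail gets p={rec.policy}")
    if rec.policy != "none" and rec.subdomain_policy == "none":
        findings.append("sp=none leaves subdomains spoofable despite an enforced p=")
    if not rec.rua:
        findings.append("no rua= address: you will receive no aggregate reports")
    for uri in rec.rua + rec.ruf:
        if not uri.lower().startswith("mailto:"):
            findings.append(f"report URI {uri!r} is not a mailto: URI")
    return findings


if __name__ == "__main__":
    for name, txt in (("monitor", MONITOR), ("partial", PARTIAL), ("enforced", ENFORCED)):
        rec = parse_dmarc(txt)
        print(name, "-> spoofed mail gets:", disposition(rec, False, False))
        for f in assess(rec):
            print("   !", f)
```

Running it shows why "published a DMARC record" and "at enforcement" are not the same thing: the monitor-only and partial records both let spoofed mail through to some degree, and only the last record blocks it outright while still reporting back to the owner.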

While the mechanism requires steady and careful upkeep over time, the policy is also far more manageable for IT staff than is commonly thought, according to survey data collected from organizations that have participated in the Global Cyber Alliance’s free DMARC bootcamps. 

In a follow-up survey of small-to-medium-sized businesses that first implemented DMARC after attending a GCA bootcamp, nearly 80% of respondents said that maintaining DMARC policies at enforcement requires less than 10 minutes of work per month on average. 

While more significant investments in time and attention are needed to set up the email authentication protocol—ranging up to 10 hours of work from IT staff per domain—survey respondents said the initial heavy lift yielded long-term benefits above and beyond DMARC, such as improved understanding of a company’s web-based attack surface. 

The respondents to the survey represent IT staff working within the private, government, and nonprofit sectors. All organizations had fewer than 250 employees, with the majority having fewer than 50.  

In focusing on small businesses, the GCA survey does not necessarily apply to large companies or government agencies. Managing DMARC on enterprise-scale IT systems requires more internal IT support or dedicated external vendors. 

But the perception that DMARC is technically difficult to deploy, in smaller environments as well as large ones, has scared many small businesses away from implementing it, even though governments and leading corporations recognize it as a security best practice.

In addition to showing that the costs of implementation are modest for small businesses, the GCA survey underscores the protocol’s value as more than just a mechanism for mitigating traditional security threats.  

When asked to identify the primary benefit of DMARC, half of all respondents cited its value as an anti-fraud tool: by blocking cybercriminals from spoofing an organization's domains, DMARC keeps the company's brand from being used in malicious spam campaigns, respondents said.    

Along with fraud prevention, DMARC's other benefits, including improved email deliverability and visibility into who is sending mail in the domain's name, routinely receive less attention, something the GCA survey suggests is a mistake. The protocol should be far more appealing to organizations that understand it offers a broad set of benefits beyond anti-phishing. 

The survey builds on prior GCA research into the benefits of DMARC. In 2018, GCA estimated that implementing DMARC at enforcement levels cumulatively saved businesses $19 million per year by preventing a common form of business email compromise (BEC) attacks. 

That figure did not include dollar estimates for the other benefits of DMARC. It may also skew low due to the accelerating cost of cybercrime since the report was published. Last Wednesday, for example, the FBI’s Internet Crime Complaint Center released its 2020 annual report, which found a 20% uptick in US cybercrime losses against the prior year.  

Since 2019, GCA has provided free instructional bootcamps to organizations interested in implementing DMARC. The work furthers GCA’s broader mission of improving global cyber hygiene. 

The next GCA Defend & Deliver: DMARC Bootcamp will start on May 5, 2021. Please follow this link to register and learn more about DMARC and how to implement it to protect your domain.

The author, John Sakellariadas, is a freelance writer and researcher covering technology and cybersecurity, as well as a Research Intern for the EU and Africa at the Global Cyber Alliance. You can follow him on Twitter or connect with him on LinkedIn.