19 DMARC myths debunked by the experts

October 11, 2023  |  6 min read

Many people don’t instantly understand what DMARC accomplishes or how it protects against fraud, impersonation, and domain spoofing. There are a lot of misunderstandings about DMARC, how email authentication works, and why it’s beneficial for you. But because the same myths keep cropping up, there are some repeating elements that are worth exploring.

But how can you tell what is right from wrong? And how can you be certain that you’re using it properly? Skysnag has you sorted. In this article, we will look at the various DMARC myths and understand why it’s so crucial to your organization.

Myth #1: Because I’ve already completed SPF and DKIM, I don’t need DMARC.

The DMARC (Domain-based Message Authentication, Reporting, and Conformance) standard is a modern email authentication standard that many major email servers use to check outbound and inbound email (Office 365, Google Workspace, and commercial secure email gateways).

Because SPF and/or DKIM do not provide adequate information, none of the gateways described above will only consider these when making delivery decisions. Instead, they’ll consider a variety of metrics such as DMARC, engagement rate, and so on.

Myth #2: I can’t utilize DMARC since I don’t use SPF/DKIM. 

DMARC reports will provide you with the information you need to resolve authentication issues with SPF and DKIM. The initial step in any DMARC project is to set up a monitoring mode (p=none) DMARC record, which will provide visibility into authentication issues with permitted mail streams as well as any shadow IT and/or spoofing activity.

Myth #3: I already have DMARC since I use Office 365 or Google Workspace, which both claim to support it.

O365 and Google Workspace will examine inbound mail for DMARC authentication, but they will not provide DMARC visibility or help you set up DMARC enforcement for your own domains, nor will they be able to verify any cloud or on-premise services that send mail on your behalf.

Myth #4: I can’t use DMARC because of my email setup

DMARC works with any email gateway, whether on-premises or in the cloud. DMARC is independent from the mail flow and is a separate DNS entry from MX records. For customers using Exchange, Office 365, Google Workspace, and all commercial email gateways, Red Sift has successfully implemented DMARC.

Myth #5: DMARC would render my email marketing ineffective.

Wrong again; in reality, once properly validated, DMARC will give your marketing letter the best chance of delivery. The problem is that if you use DMARC without first identifying and authenticating all marketing mail, it may be quarantined or rejected mistakenly if you switch to a DMARC enforcement policy.

Myth #6: Only large mail senders use DMARC.

This is not the case; DMARC applies to all types of businesses, regardless of size! Every firm needs to authenticate its legitimate email and prevent unlawful spoofing and impersonation of its domains, which may both be done by deploying DMARC at the enforcement level.

Myth #7: DMARC is just a security initiative.

DMARC is a cross-functional project that is most quickly and productively completed when IT, Security, Compliance, and Marketing work together. With BIMI, DMARC will not only eliminate malicious spoofing and phishing that uses trusted domains, but it will also identify shadow IT, improve legitimate email delivery, and increase brand impressions!

Myth #8: DMARC with p=none is preferable to no DMARC at all.

True, all DMARC projects should begin with p=none. This is to gain the visibility needed to make authentication adjustments in order to meet DMARC compliance. However, some users wrongly feel that having a DMARC policy of none improves their security posture. This is simply not the case: if your DMARC policy is set to ‘none,’ you may be spoofed just as easily as if you didn’t have a DMARC record at all.

Myth #9 DMARC is a time-consuming, manual process that will take months to finish.

Companies typically discontinue their DMARC projects for two reasons:

  1. Manually changing authentication records in the DNS might take a long time, especially if you have to go through change control every time. SPF flattening and maintenance by hand can be difficult and time-consuming, with no guarantee of success.
  2. Being unsure if all legitimate mail has been recognized and authenticated and will not be quarantined or rejected by a DMARC policy.

Myth #10: Implementing DMARC on my own is simple.

DMARC is, in fact, a free public standard that anyone can use. Every day, Red Sift examines millions of DMARC records and finds that the majority of DIY DMARC projects remain at p=none and never achieve DMARC enforcement. As a result, these businesses are vulnerable to impersonation, spoofing, and phishing assaults.

Myth #11: I’ll never be able to comprehend the perplexing DMARC XML reports.

It should come as no surprise that DMARC reports are not intended to be read by humans! To make sense of the DMARC reports, you’ll need to parse them in some way, then add reporting, alerting, and interpretation.

Myth #12: Personal information is contained in DMARC forensic data.

DMARC forensic reports can help troubleshoot authentication issues with genuine mail streams as well as identify malicious email origins.

Myth #13: There isn’t much of a distinction between DMARC vendors.

Many companies can process DMARC reports on behalf of a domain in a GUI interface, making DMARC monitoring and visibility a commodity these days. A repeatable, safe, easy, and efficient procedure for getting a domain to DMARC enforcement using the newest technologies in hosted email authentication and private data channels, is not a commodity.

Myth #14: SPF is impossible to manage and keep up to date

In today’s cloud email service world, manually managing and keeping an SPF record up to date is undoubtedly a task. However, having the correct equipment on hand makes it a lot easier. The process can be made a lot easier by:

  • All email sources are properly identified and recognizable, so users never have to worry about missing a valid email service, and all sources are clearly labeled and recognizable with our unique sender intelligence.
    Authorized sources can be validated with one click using SPF flattening once senders have been discovered. No longer used services can be uninstalled, and the record can be conveniently controlled in the future.
  • With Dynamic SPF, the SPF record is dynamically flattened and always syntactically accurate, avoiding the SPF 10 lookup restriction.

Myth #15: If I have more than 10 SPF lookups, it won’t affect my mail flow.

While most current email gateways use DMARC for email authentication, there are still a few legacy systems that use SPF as the major factor for mail filtering.
When a receiving mailbox runs an SPF check, exceeding the 10 lookup limit indicates your record is technically broken. Furthermore, if your DMARC record is in enforcement (quarantine or refuse), you risk banning mail from senders who do not use DKIM. If your real email is authenticated successfully with both SPF and DKIM, and the SPF record does not have more than 10 lookups, it will have the best chance of being delivered.

Myth #16: DMARC protection has already been ‘activated.’

A DMARC policy of none and a DMARC record at enforcement are vastly different. The simple act of ‘enabling’ DMARC with a policy of ‘none’ is a necessary first step, but it does nothing to improve your security posture or prevent your domain from impersonation (there are no prizes for simply showing up in this manner!).

You must accomplish a policy of quarantine or reject at a pct=100 to finish your DMARC journey. Otherwise, you’re leaving your domain vulnerable to spoofing and phishing attacks.

Myth #17: My DMARC setup will be too complicated because I have so many domains to secure.

You shouldn’t be put off from launching a DMARC project because you have a large domain portfolio. In reality, having more unprotected domains makes you a soft target if you don’t use DMARC for enforcement, thus ignoring the problem because you have a lot of domains isn’t the solution. Find a domain

Myth #18: DMARC is extremely expensive

At Skysnag, we strive to automate as much as possible, allowing our customers to benefit from our efficiencies and economies of scale.

Create a Skysnag account to generate your DMARC record.

Myth #19: Because I don’t send emails from my own domain, I don’t require DMARC protection.

Non-sending domains can be faked just like sending domains, and they’re more appealing as phishing and impersonation email targets if they use well-known brands, websites, individuals, and companies. The recipients of malicious email from a non-sending domain may not discover or comprehend that from the domain isn’t configured to send email; if the email is compelling enough and appears legitimate, they may mistakenly believe it’s from you, putting your entire brand and reputation at risk.

Final thoughts

That concludes the list of all DMARC myths that have been thoroughly disproven. But don’t just take our word for it; Skysnag’s automated DMARC strengthens protection against phishing and spoofing by confirming that an email message came from the domain it claims to have come from. Skysnag generates DMARC reports for you that aid in investigating potential security problems and identifying potential risks from impersonation attacks. Get started with Skysnag and sign up using this link.

Check your domain's DMARC security compliance

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.