
Why Every Small Business Needs DMARC for Email Security

the secret sauce for safer emailing

Barrett Dilger

Email Security

We all know that communication is essential in business. While other forms have emerged, email still stands as the dominant communication method for most industries.

Unfortunately, we are also all aware of how much junk gets sent by email. Even setting aside all the unwanted newsletters you know you should have unsubscribed from a long time ago, there is an enormous amount of spam, solicitations, and outright threats like phishing and malware emails being sent, every single minute.

Estimates show that 90% of cyber-attacks are phishing emails, and those total around 3.4 billion emails per day.

That’s a lot of threats hitting our inboxes. While the number is staggering, it’s not really surprising if you think of what the average email inbox looks like. Every business needs email security. I’d go so far as to say that every single person needs email security.

We all know threats are an issue, but many don’t think of what they can do about it. Most people don’t even know what the term email security entails. To be fair, it entails a lot.

The basics of email security shouldn’t be a mystery though. That’s what I want to cover here – the basics.

One of those basics is DMARC. Very few companies set their DMARC policy correctly, which puts them at risk. If you do business with them, then it puts your company at risk as well.

Let me be clear. I know you don’t care about the details of how your email works and is secured. I do need to discuss its components, though, so that you understand how it impacts you when things are not set properly.

Plus, this is such a common issue that I’m betting your email is probably at risk. Want to verify? Just head over to this website: MXtoolbox.com. Enter your domain into the field and click the “MX Lookup” button. Give it a minute and it’ll spit out results regarding your SPF, DKIM, and DMARC. If you’ve got three green checkmarks, then stop reading. You’re good. If you have any yellow or red alerts, then let’s discuss this more so you can address it.

Let’s break down the main parts of email security so you understand how it works.

The triad of email security is SPF, DKIM, and DMARC.

Did you know that when email was first created it had zero security features? None.

Once it went mainstream, the lack of security became a big issue really fast. These are the security features that were implemented, and what they do.

SPF (Sender Policy Framework)

SPF is an authentication protocol that allows a domain owner to specify which mail servers are allowed to send email on the domain’s behalf. The idea is that if you control who is allowed to handle your email, then nobody else can pretend to be you.

Think of it as a physical piece of mail. The envelope has the sender’s name and address in the upper left corner. The letter inside has letterhead that has the name and address as well. Technically, those addresses should match, right?

This is why people say that SPF protects domains from impersonation. That is NOT true, though.

This is what SPF attempts to do, but it has shortcomings and falls short. Here’s why: SPF validates your “envelope from” but not your “header from.” OK, what does that mean?

Simply put, the “from” address you see in your email client is not what is validated. So any bad actor can send an email with a visible from address of their choice, including yours.

SPF checks the “Envelope From” field, BUT it doesn’t have to match the “Letter From” field

Why wouldn’t SPF check both? Because, by design, it allows for the fact that you may have somebody else send mail for you. Have you ever used a mailing service like MailChimp? They need to be allowed to send on your behalf, even though they are not you.

DKIM (DomainKeys Identified Mail)

DKIM is another email authentication protocol; it verifies that an email message was sent by the domain it claims sent it. Conceptually, this proves that the mail you receive was sent by the person it says it’s from.

Going back to the physical mail analogy, imagine an old-fashioned wax seal placed over the closure. That seal validates who the message is from, and if it is intact, then the message inside must be valid.

DKIM checks the “Signing” field (like a wax seal), BUT it doesn’t have to match the “Letter From” field

So DKIM authenticates the sender, right? Not really. DKIM only validates the integrity of the message body content; it doesn’t validate the sender.

DKIM does NOT mandate that the signing domain match the sender domain. Basically, the name on the wax seal doesn’t need to match the name on the contents of the letter inside.

Just like with SPF, this is by design. You may have a service send mail on your behalf (such as MailChimp), and it would sign with its own wax seal, but the contents would be yours.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

There are a lot of words in this acronym, so let’s walk through the concept.

SPF and DKIM each have shortcomings that make them insecure on their own. DMARC essentially makes both SPF and DKIM secure.

In order to make your email secure you need a component controlled only by the domain owner. This is where your domain DNS settings come into play.

Settings for your email security need to be made and managed under your domain’s DNS administration.

This is where you configure SPF so that the “envelope” and “header” domains are the same.

Likewise, you configure DKIM so that the “signing” and “header” domains match.

Once both of those authentication protocols are set under your domain (which only you have access to), that is what is considered DMARC. That’s why it’s called Domain-based Message Authentication.

What about the RC in DMARC?

The Reporting and Conformance come next. Data needs to be validated, and that is done with reporting.

Reports detail what email sources exist (such as your standard emailing and marketing emailing from MailChimp).

DMARC asks the receiving mail server for details of the email, such as the source, whether the addresses are aligned, etc.

As the data gets reported, it checks whether SPF and DKIM are aligned, meaning they match as described above: for SPF, the envelope “from domain” must match the visible header, and for DKIM, the “signing domain” must match the visible header.

The best possible scenario is for both SPF and DKIM to align. That isn’t always possible, though, if you use a third-party mailer, but at least one of the two (SPF or DKIM) needs to align or the message will fail the DMARC check.

What happens to an email that fails DMARC?

This is the critical part! Your DMARC record tells the receiving mail server to do one of three things.

  1. Do Nothing (and the mail will be processed as normal)
  2. Quarantine the message
  3. Reject the message

Your domain will instruct mail servers to enforce the rule you state (our recommendation is always to reject the message). Essentially, it says: if an email from my domain fails DMARC, then reject the message.
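As an added example (not code from the original post), here is a small Python evaluator that ties together the alignment rules above and the three policy options: it parses a DMARC TXT record and returns what a receiving server would do with a message given its SPF and DKIM results. The domain names, the record strings and the simplified alignment check (the header From domain is treated as the organizational domain) are my assumptions, not something the post specifies.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into a
    dict of tag -> value. v=DMARC1 and a valid p= policy are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags["p"] = policy
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r',
    the default) also accepts a subdomain of the header From domain.
    Simplification (assumed): the header From domain is treated as the
    organizational domain; the full rules consult the Public Suffix List."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return mode == "r" and auth_domain.endswith("." + from_domain)


def dmarc_disposition(record, header_from, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Decide what a receiver does with one message.
    header_from: domain in the visible From: header (the 'letter from')
    spf_domain:  envelope-from domain SPF checked; spf_pass: SPF result
    dkim_domain: the d= signing domain (None if unsigned); dkim_pass: result
    Returns (dmarc_result, action); p=none ('do nothing') fails DMARC but
    still delivers, while quarantine and reject act on the message."""
    tags = parse_dmarc_record(record)
    spf_aligned = (spf_pass and spf_domain is not None and
                   aligned(spf_domain, header_from, tags.get("aspf", "r")))
    dkim_aligned = (dkim_pass and dkim_domain is not None and
                    aligned(dkim_domain, header_from, tags.get("adkim", "r")))
    # One aligned, passing mechanism is enough for DMARC to pass.
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")
    action = {"none": "deliver", "quarantine": "quarantine",
              "reject": "reject"}[tags["p"]]
    return ("fail", action)
```

A spoof sent from an attacker’s own servers can pass SPF and DKIM for the attacker’s domain, yet neither identifier aligns with the visible From domain, so under p=reject it is rejected; a third-party mailer whose DKIM signature uses your domain still passes.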

This ensures that if anybody attempts to impersonate your company, then those spoofed emails get rejected and never seen. That keeps your business partners safe.

Likewise, the same security applies internally so that employees aren’t spoofed into thinking they are talking to a co-worker when it is really an imposter.

It also means that your email deliverability will skyrocket because email servers know your domain can be trusted.

You thought you were only looking at email security, now go tell your team in marketing that you just increased their email deliverability and watch everybody smile.

Correctly setting up and implementing DMARC is essential for every business. It is the first step in setting up security for your email and protecting your business against unauthorized use of your domain.

Want to up your game? Our email security service allows you to fine-tune your security settings. We can set rules based on criteria like geolocation, language, domain, and other content policies. On top of that, we use AI to identify threats from social-engineering attacks that get missed by standard policy-based protection.

If you have questions regarding any of this or need help implementing DMARC for your business, book a free 15-minute consultation on our live calendar.