Technology Myths about SPF, DKIM, DMARC

29 July, 2020

About 97 percent of users fail to identify a phishing message because these messages are carefully disguised to look sophisticated.

Now companies are turning to SPF, DKIM and DMARC records. The DMARC (Domain-based Message Authentication, Reporting and Conformance) standard helps in doing this. However, there are many misconceptions about the implementation of DMARC that our implementation team keeps hearing.

Tech Myth #1: Phishing and spoofing are a security responsibility, not a marketing one.

Phishing is a companywide responsibility, with equal importance given to the marketing and security teams. Marketers spend a lot of time and effort on their email marketing program, including things like brand awareness and email engagement, and it would be a travesty to have that destroyed because of a phishing attack. A partnership with the security team is essential, since marketers are often on the front lines to spot phishing issues and they also have the most to lose from a phishing attack. I would even go a step further and say every company needs a companywide policy. More eyes mean better protection, reduced costs associated with a potentially devastating phishing attack and, more importantly, protection of the email channel as a whole.

Tech Myth #2: “I publish an SPF record so I’m fine” or “I sign all my emails with DKIM so I’m protected” or “I use both SPF and DKIM so I have nothing to worry about.”

Unfortunately, it is a myth that you are 100% protected by publishing SPF, signing with DKIM, or both. First off, mailbox providers have two major challenges with enforcing either SPF or DKIM: lack of widespread adoption by email senders and marketers, and lack of a standard policy across all of the mailbox providers around the world on how to handle authentication failures. SPF works by publishing a record authorizing the IP addresses allowed to send on behalf of a domain, but it does not survive email forwarding, can be easily duped, and is not an end-to-end authentication solution. DKIM attempted to resolve these shortcomings by cryptographically signing an email, which makes DKIM survive forwarding and difficult to forge, but more expensive due to the computational overhead. On the other hand, the complexity, configuration errors, receivers modifying the body, and lack of reporting made mass adoption difficult.

SPF and DKIM did not turn out to be the silver bullet for phishing. Lack of standard use and enforcement by ISPs and the high risk of blocking legitimate email stalled progress. DMARC resolves most of these issues by not only using both SPF and DKIM, but also by providing reports on authentication failures and giving policy control to the sender on how to handle failures: doing nothing, quarantining the failure, or blocking it. As a result, the SPF, DKIM, and DMARC trinity greatly reduces the false positive issue. In short, you need all three, not just one, to protect yourself.

Tech Myth #3: I use SPF, DKIM and DMARC, so I’m fully protected and all of my emails should be reaching the inbox now.

I know I just said that you need all three to protect yourself, but even that doesn’t go far enough. It is crucial to note that using DMARC with DKIM and SPF does not:

1.    Provide authentication-level analysis and intelligence

2.    Determine whether or not a sender is legitimate or bad and therefore provide inbox placement benefits

While it is notable that DMARC provides reporting, you still need to extract the intelligence and useful insights from the data. You need this intelligence to identify trends, phishing outbreaks, authentication failure reasons, and authentication failure resolutions. Otherwise, DMARC will not be that useful for you. This is why we created Email Brand Monitor. Marketers do not have the time to extract and analyze this data on a daily basis. Email Brand Monitor provides complete visibility into all mail streams, including email sent on your behalf, by providing real-time access to authentication failures and phishing attacks. And in the likely scenario of a phishing attack, you cannot afford the time to investigate. You need to act now, before the damage from a phishing attack is done. Email Brand Monitor not only solves this through real-time monitoring and reporting, but it also allows marketing and security teams to block phishing attacks proactively or on the fly, and allows you to set policy by ISP, something not possible with DMARC alone.
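To show what extracting that intelligence involves, here is an added example (not part of the original article and not Email Brand Monitor code) that parses a DMARC aggregate report in the RFC 7489 XML format and separates sources that pass only through DKIM, as happens when forwarding breaks SPF, from sources that fail both checks. The report contents, the domain and the IP addresses are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: a trimmed RFC 7489 aggregate report for example.com.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>45</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def classify(dkim, spf):
    """DMARC passes when at least one aligned mechanism passes."""
    if dkim == "pass" and spf == "pass":
        return "pass"
    if dkim == "pass":
        return "dkim_only"  # SPF broke but DKIM survived: typical of forwarding
    if spf == "pass":
        return "spf_only"   # DKIM missing or broken, sending IP is authorized
    return "fail"           # neither aligned: unauthorized sender or misconfiguration


def summarize(report_xml):
    """Return {category: {source_ip: message_count}} for one aggregate report."""
    # Reports come from third parties: use a hardened parser such as defusedxml on real input.
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: defaultdict(int))
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        category = classify(evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary[category][row.findtext("source_ip")] += int(row.findtext("count"))
    return {cat: dict(ips) for cat, ips in summary.items()}


def top_failing_sources(report_xml, limit=5):
    """Sources failing both checks, largest volume first: the ones to investigate."""
    failing = summarize(report_xml).get("fail", {})
    return sorted(failing.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    print(top_failing_sources(SAMPLE_REPORT))
```

A source that only ever appears under `fail` with high volume is either a legitimate sender missing from the SPF record and DKIM setup, or someone spoofing the domain; both need action before moving the policy beyond `p=none`.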

And that myth about better inbox placement rates through authentication? While authentication is a best practice, it does not provide better inbox placement benefits, nor should it. Authentication is not an alternative to following best practices and having a good sending reputation.
