Limitations of DMARC For Fortifying Email Phishing in 2024!
DMARC has been saving brands from being victims of phishing and spoofing attacks, and lately, its adoption has been more embraced than ever. After the email authentication requirements announced by Google and Yahoo, all major email service providers are also encouraging the deployment of DMARC.
DMARC is a complex protocol, and it protects you only as well as you configure it. If you learned only the basics before deploying it, your email security will be basic too.
On the other hand, if you undergo training or hire an expert, you will enjoy the maximum benefits and top-notch email security. Its reporting feature gives insights into your email activities and helps you understand if an unauthorized person misuses your domain. This ensures you don’t shoot aimlessly in the dark and instead move ahead strategically and logically.
However, you should be aware of some shortcomings of DMARC so that you know exactly how to handle them without compromising email security. Let’s see what these are and if you can do anything about them.
Limitation 1: DMARC is Only As Effective as its Implementation
DMARC works only according to what your DMARC record specifies. So, you need to configure your policies appropriately for DMARC to function effectively against phishing emails. Misconfigurations create room for threat actors to send illegitimate emails posing as one of your brand representatives.
Limitation 2: DMARC Doesn’t Protect Against Forged Email Addresses
It is not a new tactic for cybercriminals to buy and use domain names that resemble the official domain names of companies. They register typosquatted domain names that go unnoticed by recipients because the variations are minor and carefully chosen. For example, buying amaz0n.com to resemble amazon.com, or buying arifrance.com to resemble airfrance.com.
You can deploy DMARC only for the domains you own and handle. There is no way DMARC can protect your brand from phishing emails sent in your name from typosquatted domains. Recipients are highly likely to take the requested action because, according to them, the emails have come from reputed sources.
Limitation 3: DMARC Requires Alignment
For DMARC to show ‘pass’ results for legitimate emails sent from your domain, the domain in the ‘From’ header has to align with the domains authenticated by SPF and DKIM. This becomes a problem when third parties send emails on your behalf.
Hence, you need to regularly audit and update your SPF and DKIM configurations; otherwise, the third-party senders’ domains will not align with yours, and their mail will fail DMARC.
Limitation 4: DMARC Has Email Forwarding Issues
Email forwarding is an issue for DMARC mainly because of how SPF works. When an email is forwarded, the receiving server sees the forwarder’s IP address, not the original sender’s IP address, as the source of the message. Since the forwarder’s IP address is usually not in the original sender’s SPF record, the SPF check fails.
DKIM usually survives forwarding, but some forwarding mechanisms modify the message (for example, by rewriting the subject or adding a footer) and break the DKIM signature as well.
Both of these situations stand as a challenge for DMARC. Using ARC (Authenticated Received Chain) addresses this issue to a great extent.
Limitation 5: DMARC Doesn’t Give Immediate Results
DMARC is a slow process; you start with the monitoring policy (p=none) and gradually move towards the stricter policies, ‘quarantine’ and ‘reject.’ Depending upon the complexity of your email infrastructure, the nature of your operations, and your capacity to endure false positives without hampering operations, you shift from p=none to p=quarantine to p=reject.
In fact, many domain owners never reach the stage of maximum protection, that is, p=reject, as it comes with repercussions.
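The two limitations above come down to what the DMARC TXT record actually says. The following is an added example (not from the original article or from DuoCircle) that parses a record and flags the settings that leave it in a weak state: p=none or p=quarantine, a pct below 100, a subdomain policy weaker than the main policy, and no rua address, which means failures are never reported back to you.

```python
# Audit a DMARC record for settings that weaken its protection.
# Tag names (v, p, sp, pct, rua) are the standard DMARC tags from RFC 7489.

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_STRENGTH:
        raise ValueError("p= tag is missing or invalid")
    return tags


def audit_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means nothing weak was found."""
    t = parse_dmarc(record)
    findings = []
    if t["p"] == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif t["p"] == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam folders instead of being rejected")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    sp = t.get("sp", t["p"])  # subdomain policy defaults to the main policy
    if POLICY_STRENGTH.get(sp, 0) < POLICY_STRENGTH[t["p"]]:
        findings.append(f"sp={sp}: subdomains are protected less strictly than the main domain")
    if "rua" not in t:
        findings.append("no rua=: aggregate reports are not collected, so you cannot see who fails")
    return findings


if __name__ == "__main__":
    # Constructed sample records: a typical first-stage record beside a hardened one.
    for rec in ("v=DMARC1; p=none; pct=50",
                "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", audit_dmarc(rec) or ["no weaknesses found"])
```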
Limitation 6: DMARC Has Compatibility Issues
Businesses come across several compatibility issues with DMARC. Here are the common ones:
Legacy Email Systems
Older email systems and email infrastructures sometimes don’t support SPF, DKIM, and DMARC, leaving email communications vulnerable to exploits.
Email Clients
Some email clients don’t display the results of DMARC checks to end users, so users are not warned about potentially suspicious messages. At times, email clients handle DMARC policies inconsistently, leading to discrepancies in email delivery and user experience.
Shared Hosting Environments
In shared hosting environments, if one domain on a shared IP address engages in phishing or other malicious activities, it damages the sender reputation of all the other domains on that IP. Another problem is that changes to DNS records in a shared hosting environment may take longer to propagate, delaying the rollout of DMARC policies and the adjustments you make based on DMARC reports.
Limitation 7: Internationalized Domain Names or IDNs Create Problems for DMARC
IDNs are typically encoded in Punycode to be compatible with the DNS system, which traditionally supports only ASCII characters. For example, “münchen.de” would be encoded as “xn--mnchen-3ya.de”.
Email authentication mechanisms, including DMARC, need to process these encoded domain names correctly. Misinterpretations or improper handling of Punycode can lead to authentication failures.
Reporting mechanisms in DMARC may also face issues if they have to report on emails involving IDNs, as the reporting tools must correctly interpret and display non-ASCII characters.
So, you need to ensure that all IDNs are encoded appropriately using Punycode in DNS records and email authentication configurations. By understanding and addressing these compatibility issues, organizations can ensure that their email authentication mechanisms function correctly, even when using internationalized domain names.
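Limitations 3, 4 and 7 all turn on the same decision: does the From domain align with the domain that SPF or DKIM authenticated, and does at least one aligned check pass? The following added example (not from the original article or from DuoCircle) implements that evaluation, normalizing IDNs to their Punycode form before comparing so that “münchen.de” and “xn--mnchen-3ya.de” are treated as the same domain. It assumes a simplified organizational-domain rule (the last two labels) in place of the Public Suffix List lookup that real validators use.

```python
# DMARC alignment and result evaluation with IDN normalization.
# Alignment modes follow the DMARC aspf/adkim tags: "r" (relaxed) or "s" (strict).


def normalize(domain: str) -> str:
    """Canonical form for comparison: Punycode A-labels, lower case, no trailing dot.
    Both 'münchen.de' and 'xn--mnchen-3ya.de' become 'xn--mnchen-3ya.de'."""
    return domain.rstrip(".").encode("idna").decode("ascii").lower()


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification (assumption): the last two labels,
    instead of the Public Suffix List lookup a production validator would perform."""
    return ".".join(normalize(domain).split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    a, b = normalize(from_domain), normalize(auth_domain)
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf=None, dkim=None, aspf="r", adkim="r") -> str:
    """spf and dkim are (result, authenticated_domain) tuples or None.
    DMARC passes when at least one identifier both passed and is aligned."""
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # Constructed scenarios; bulk-esp.net and forwarder.example are placeholder names.
    cases = {
        "third party using its own domains (Limitation 3)":
            dmarc_result("example.com", spf=("pass", "bulk-esp.net"), dkim=("pass", "bulk-esp.net")),
        "forwarded, SPF broken, DKIM intact (Limitation 4)":
            dmarc_result("example.com", spf=("fail", "forwarder.example"), dkim=("pass", "example.com")),
        "forwarded, SPF and DKIM both broken (Limitation 4)":
            dmarc_result("example.com", spf=("fail", "forwarder.example"), dkim=("fail", "example.com")),
        "IDN From vs Punycode DKIM d= (Limitation 7)":
            dmarc_result("münchen.de", dkim=("pass", "xn--mnchen-3ya.de"), adkim="s"),
    }
    for label, result in cases.items():
        print(f"{label}: {result}")
```

A naive string comparison of “münchen.de” against “xn--mnchen-3ya.de” would report a failure; the normalization step is what makes the IDN case pass.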
Limitation 8: DMARC is Resource Intensive
You need qualified and technically sound people in your team to manage DMARC. There should be coordination between IT, security, and email marketing teams. The challenge is keeping every team member clear about their roles and responsibilities.
Since DMARC has significant benefits, domain owners should not overlook its deployment. Instead, they should be prepared to invest in onboarding the right team or assigning responsibility for deploying, maintaining, and improving DMARC to an agency like DuoCircle. We work to protect email against phishing, spam, and malware and are trusted by more than 25,000 businesses worldwide. Contact us today!