Summary
When DMARC 'reject' is set but not enforced on inbound servers, spoofed emails can still bypass security measures. The core issue is that DMARC's effectiveness hinges on the recipient mail server actively checking and enforcing the DMARC policy. Setting up DMARC is only the first step; if the inbound server doesn't respect the policy, spoofed emails can land in inboxes. Experts, marketers, and documentation uniformly suggest that continuous monitoring of DMARC reports is vital to understand how receivers treat DMARC policies, and that implementing DMARC checking on the inbound server is crucial. Furthermore, contacting ISPs and providers to push for DMARC adoption and enforcement is essential. Achieving DMARC compliance isn't a one-time event but an ongoing process requiring monitoring and adjustments. Major email platforms offer configurations for checking DMARC compliance on inbound mail.
Key findings
- Enforcement Dependency: DMARC's success depends entirely on the recipient mail server actively enforcing the DMARC policy, making it a critical point of failure.
- Non-Universal Enforcement: DMARC policies are not universally enforced, leading to potential spoofing vulnerabilities, even with a 'reject' policy in place.
- Monitoring Imperative: Continuous monitoring of DMARC reports is essential to discern how different mail servers handle your email and pinpoint enforcement gaps.
- Proactive Configuration: Major email platforms like Google Workspace and Microsoft 365 offer settings for checking DMARC compliance on inbound emails, which must be actively configured.
- Ongoing Process: DMARC compliance requires continuous monitoring and adjustments to maintain optimal protection against spoofing attempts.
Key considerations
- Enable Inbound Checks: Implement DMARC checking on your own inbound mail server to protect against spoofed emails targeting your domain.
- Monitor DMARC Reports: Regularly analyze DMARC reports to gain insights into policy adherence, identify potential issues, and refine DMARC implementation.
- Advocate for Enforcement: Contact ISPs and email providers to encourage DMARC adoption and enforcement, contributing to a more secure email ecosystem.
- Stay Vigilant: Recognize that DMARC compliance is not a one-time task; maintain vigilance and make continuous improvements to your email security posture.
- Consider Alternative Solutions: Explore alternative email filtering solutions that enforce DMARC for inbound emails, providing an additional layer of protection when recipient servers fail to enforce policies.
What email marketers say
9 marketer opinions
DMARC's effectiveness in preventing email spoofing hinges on the recipient mail server's enforcement of the DMARC policy. While setting a DMARC record to 'reject' instructs receiving servers on how to handle authentication failures, many servers do not consistently enforce this policy. This can lead to spoofed emails bypassing intended protections. Experts and marketers suggest strategies like monitoring DMARC reports, contacting non-enforcing providers, implementing stronger email security solutions, and ensuring proper SPF and DKIM setup to mitigate the risks.
Key opinions
- Enforcement Issue: DMARC relies on the recipient mail server to respect and enforce the specified policies; a DMARC record alone isn't enough.
- Non-Universal: DMARC policies are not universally enforced, leading to potential spoofing bypasses.
- Monitoring Necessity: Monitoring DMARC reports is essential to understanding how different mail servers handle your email and identify enforcement issues.
- Limited Scope: DMARC is not a comprehensive spam filtering solution; other security tools are necessary for broader protection.
- Provider Dependant: Effectiveness of a DMARC record is limited to how well each email provider respects and enforces the set polices. If an email provider isn't enforcing then it won't work as expected
Key considerations
- Proactive Measures: Consider implementing stronger email security solutions and contacting providers not enforcing DMARC.
- Basic Setup: Ensure SPF and DKIM are correctly implemented to maximize the chances of authentication passing and DMARC working as intended.
- Internal Impact: If spoofing mainly affects internal emails, focus on getting your own email provider to enforce DMARC.
- DMARC reports: Continuously monitoring DMARC reports will give you an indication of who is ignoring the requests of the DMARC record.
Marketer view
Email marketer from Proofpoint shares that DMARC enforcement on the receiving end is crucial. A DMARC record only instructs receiving mail servers on how to handle mail failing authentication checks. If the inbound server ignores the DMARC policy, spoofing can still occur. Consider using email security solutions that enforce DMARC for inbound emails.
26 Nov 2022 - Proofpoint
Marketer view
Email marketer from Reddit mentions that it is a common misconception that setting DMARC is enough. Setting up the record in DNS is not enough - you have to also ensure that the receiving end actually performs the checks. Without that you will still have spoofing.
24 Aug 2024 - Reddit
What the experts say
5 expert opinions
When DMARC 'reject' is set but not enforced on inbound servers, spoofed emails can still reach inboxes. This is because DMARC policies are requests, not requirements, and their effectiveness hinges on recipient mail server enforcement. Experts recommend implementing DMARC checking on your inbound server, continuously monitoring DMARC reports to track policy adherence, and contacting ISPs or providers to advocate for DMARC adoption. Achieving DMARC compliance is an ongoing process requiring monitoring and adjustment.
Key opinions
- DMARC Enforcement: DMARC's effectiveness depends on recipient mail servers actively enforcing the policy.
- DMARC as a Request: Publishing a DMARC policy is a request, not a guarantee, that it will be followed.
- Monitoring Importance: Continuous monitoring of DMARC reports is essential for understanding how recipients are treating your policies.
- Continual task: Even with a strict reject policy some providers may not comply so it is a task that needs continual monitoring and assessment.
Key considerations
- Inbound DMARC Checking: Implement DMARC checking on your own inbound mail server.
- Continuous Monitoring: Regularly analyze DMARC reports to understand policy adherence and identify potential issues.
- Advocate for DMARC: Contact ISPs and email providers to encourage DMARC adoption and enforcement.
- Ongoing Process: Recognize that DMARC compliance is not a one-time task and requires ongoing monitoring and adjustments.
Expert view
Expert from Word to the Wise explains that proper monitoring of DMARC reports is vital to understanding how recipients are treating your DMARC policies. If you are not receiving or analyzing these reports, you will not know if your policy is being followed or if spoofing attempts are occurring. Use DMARC monitoring tools to help read and interpret DMARC aggregate reports.
16 Nov 2022 - Word to the Wise
Expert view
Expert from Email Geeks explains the client is not enforcing DMARC on the inbound mail server for their domain, meaning the incoming mailserver for nesformation.fr is not checking for DMARC. To fix this, implement DMARC checking, likely through cpanel or a similar interface at OVH.
30 Apr 2022 - Email Geeks
What the documentation says
5 technical articles
When DMARC is set to 'reject' but not enforced on the inbound mail server, spoofed emails can bypass security measures. Documentation highlights that DMARC relies on receiving mail servers to actively check and enforce DMARC policies. Without this enforcement, DMARC is ineffective, and spoofing can occur. Platforms like Google Workspace and Microsoft 365 can be configured to check for DMARC compliance. Key to successful implementation is ensuring receivers are configured correctly and provide feedback reports.
Key findings
- Receiver Responsibility: DMARC's effectiveness depends on receiving mail servers actively checking and enforcing DMARC policies.
- Lack of Enforcement: If inbound servers don't check DMARC, spoofed emails bypass security measures.
- Configuration Options: Platforms like Google Workspace and Microsoft 365 offer configurations to check for DMARC compliance.
- Feedback Reports: Feedback reports improve the effectiveness of DMARC by allowing senders to make adjustments based on how receivers are handling email.
Key considerations
- Enforce on Receiving End: Ensure inbound mail servers are configured to check and enforce DMARC policies.
- Configure Platforms: If using platforms like Google Workspace or Microsoft 365, configure settings to enforce DMARC policies of sending domains.
- Utilize Feedback: Actively review feedback reports from receiving servers to refine DMARC implementation.
Technical article
Documentation from Cloudflare advises that DMARC is effective in protecting domains from email spoofing. However it relies on the destination email provider to actually check and respect the DMARC record settings. In the event that a destination server does not respect or check a DMARC record, there will be no protection against spoofing.
3 Jan 2023 - Cloudflare
Technical article
Documentation from RFC details DMARC, what it does, and it also highlights that receivers need to be configured correctly in order to respect the policies set by the owner of the domain. The receivers should also provide feedback in the form of reports to the senders so that they can improve.
11 Feb 2023 - RFC
How can a phishing email pass SPF and DKIM authentication checks?
How can I implement a DMARC reject policy for non-existent domains to prevent spam?
How can I prevent brand and sender profile impersonation in emails and what actions can I take?
How can I protect my domain from being spoofed and blacklisted?
How can I use DMARC to prevent spammers from using my domain?
How can spammers send emails from real addresses, and is this a DMARC configuration issue?
How do DMARC quarantine and reject policies affect sender reputation and email delivery?
How should I configure DMARC for multiple domains and when should I implement a reject policy?
