How to pitch DMARC to CTOs and CIOs as a business decision?

Key findings

• Strategic importance: DMARC should be positioned as a fundamental business decision, impacting overall organizational risk and compliance, rather than solely an IT or marketing initiative. It’s about protecting the entire email ecosystem.
• Risk mitigation: Implementing DMARC significantly reduces the risk of domain spoofing, phishing, and business email compromise (BEC) attacks, safeguarding the company's brand reputation and preventing potential financial losses or legal liabilities.
• Comprehensive impact: DMARC affects all email communications originating from the domain, including transactional emails, CRM correspondence, invoices, and internal communications, making it a company-wide security measure.
• Compliance driver: For organizations in regulated industries or those dealing with sensitive data, DMARC can be a compulsory compliance requirement, demonstrating due diligence in email security.

Key considerations

• Resource investment: Proper DMARC deployment, especially moving to a strict enforcement policy, requires significant time, resources, and company-wide buy-in, potentially taking 12-18 months for medium-sized organizations.
• Deliverability challenges: Intermediate email systems may modify emails in ways that break authentication, potentially leading to deliverability issues if DMARC is enforced too strictly without proper preparation. Our guide on safely transitioning your DMARC policy can help navigate this.
• Audit and visibility: Implementing DMARC necessitates a thorough audit of all email sending sources, providing invaluable insights into an organization's entire email footprint, which can be both a benefit and a challenge.
• Non-universal fit: While beneficial for many, DMARC is not a 'one-size-fits-all' solution; its suitability depends on an organization's specific risk profile, industry, and existing email infrastructure, as discussed in insights for CIOs on leading information business.

Key opinions

• BIMI as a motivator: Many marketers view BIMI, which allows brand logos to appear next to email senders in the inbox, as a compelling 'carrot' to get executive buy-in for DMARC implementation. This visual appeal is seen as a direct benefit to brand recognition and trust.
• Security vs. marketing: Marketers recognize that DMARC, while primarily a security measure, can indirectly benefit marketing by improving email deliverability and ensuring legitimate emails reach the inbox. Our guide on boosting email deliverability rates provides further context.
• Knowledge gap: Some marketers admit to a limited understanding of DMARC's full scope, often assuming it's a universal necessity without fully grasping the nuances of its deployment or its broader organizational impact.
• Slow BIMI adoption: There's an observation that BIMI adoption seems to be progressing slowly, prompting questions about its widespread acceptance and implementation challenges.

Key considerations

• Marketing alignment: Marketing teams need to understand how DMARC contributes to brand protection and email trustworthiness, which directly impacts their campaigns. This extends beyond merely understanding how DMARC works.
• Cost-benefit analysis: For some organizations, especially those with lower risk of domain spoofing, the perceived costs and complexities of DMARC implementation might outweigh the direct benefits for marketing, requiring a broader business perspective.
• BIMI integration: Leveraging BIMI requires DMARC at an enforcement policy (p=quarantine or p=reject) and can serve as a strong incentive for marketing to advocate for DMARC, as highlighted by discussions on the evolving roles of CIOs and CTOs in driving business success.
• Operational vagueness: The criteria for deciding whether an organization needs DMARC can appear vague from a marketing perspective, emphasizing the need for clearer, operational guidelines.

Key opinions

• Demonstrates commitment: Implementing a proper DMARC policy signals to the world that an organization actively cares about preventing fraudulent emails from being sent using its domain.
• Not a 'no-brainer': DMARC is not a universally applicable solution and requires a careful assessment of an organization's specific risks and benefits. It is a strategic decision that needs C-level discussion.
• Operational challenges: DMARC can complicate email delivery when intermediaries alter emails in ways that break authentication, requiring meticulous planning and potentially leading to deliverability issues in some cases.
• Full business decision: Unlike SPF or DKIM for marketing mail, DMARC affects all types of email (CRM, invoices, internal communication), making its deployment a comprehensive business decision rather than solely an IT or marketing task. This aligns with advice on best practices for email domain authentication.

Key considerations

• Implementation timeline: Even for medium-sized companies, a correct DMARC deployment can take 12 to 18 months, requiring significant resources, money, and time.
• Uncovering sending sources: DMARC forces organizations to audit and identify all email sending sources, which, while beneficial for visibility, can also be a complex and challenging task.
• BIMI as a driver: BIMI (Brand Indicators for Message Identification) was conceived to encourage marketing buy-in for DMARC by offering visible brand benefits, thereby facilitating the necessary security audits.
• Risk register item: DMARC should be assessed on a risk register and, if deemed necessary, implemented as a top-down compliance project. The decision hinges on the potential reputational or legal risks of domain spoofing without DMARC. This is a crucial element for improving overall email deliverability.
• BIMI security concerns: The slow deployment of BIMI is partly due to efforts by ISPs to ensure that bad actors cannot exploit it, as many authentication standards can be trivially implemented by malicious entities.

Key findings

• Standardized mechanism: DMARC (RFC 7489) provides a scalable and standardized way for domain owners to instruct mail receivers on handling unauthenticated emails, serving as a framework for policy enforcement and reporting.
• Builds on existing protocols: DMARC enhances SPF and DKIM by adding domain alignment checks and providing policy options for messages that fail authentication, thus strengthening email security. For more, see our simple guide to DMARC, SPF, and DKIM.
• Policy enforcement options: Domain owners can publish policies like p=none, p=quarantine, or p=reject, instructing receivers on how to handle non-compliant emails. Our best practices for DMARC implementation explores these policies.
• Reporting capabilities: DMARC includes mechanisms for aggregated and forensic reporting, providing domain owners with invaluable data on authentication failures and potential abuse patterns.

Key considerations

• Phased deployment: Best practices recommend a phased approach, starting with a p=none policy to gather data and gradually moving to stricter policies as legitimate sending sources are identified and authenticated.
• Cybersecurity framework: Documentation often places DMARC within a broader cybersecurity context, emphasizing its role in improving email trustworthiness and an organization's overall security posture.
• Data analysis: Leveraging DMARC reports effectively requires careful analysis to understand authentication failure reasons and abuse trends, enabling informed policy adjustments.
• Impact on deliverability: Documentation acknowledges that DMARC, if improperly configured or too strictly enforced, can lead to legitimate emails being rejected or quarantined, necessitating careful validation. This is a crucial consideration outlined in RFC 7489.