4 Key Limitations of DMARC for Brand Protection

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security protocol that protects brands from email-based impersonation, phishing, and other malicious attacks. The protocol helps ensure that only emails from authorized sources reach their intended recipients and helps identify and block malicious emails that attempt to impersonate the brand. As with all security protocols, DMARC has its limitations. While DMARC is an effective brand protection tool, there are certain scenarios where it falls short.

In this blog post, we will discuss some of the limitations of DMARC for brand protection.

  • DMARC is only as effective as its implementation: If a company does not configure its DMARC settings properly, its brand will not be effectively protected. This is especially true for domains that use third-party services, such as email marketing platforms. If the third party’s sending is not correctly configured for DMARC, the company’s brand will not be protected.
  • DMARC does not protect against lookalike-domain spoofing: DMARC does not stop spoofing in which an email is sent from an address that appears to belong to a legitimate sender but actually uses a different address or typo domain. For example, if DMARC is enabled for chase.com, a bad actor can still register chase.tk (a different TLD) or an IDN homograph of chase.com, and DMARC does nothing against such domains. Spoofing can be used to send spam or phishing emails, which can damage a brand’s reputation. Check out our blog post on typosquat monitoring tools here.
  • DMARC cannot detect all malicious activity: DMARC is not a silver bullet and cannot detect all malicious activity. For example, DMARC cannot detect malicious activity from malicious domains that are not associated with a company’s brand. This means that malicious actors can still target a company’s customers and employees, even if DMARC is in place.
  • DMARC does not protect against non-email-based attacks: DMARC does not protect a company from attacks that do not arrive by email, such as social media fraud. An executive impersonated on social media can post any type of phishing link. DMARC also does not protect against SMS phishing. These attacks can be used to gain access to a company’s systems or data and can have serious consequences for a company’s brand.

The difficulty of managing DMARC

The difficulty of managing DMARC depends on a number of factors, including the complexity of your organization’s email infrastructure and the level of expertise of the person responsible for managing DMARC.

To implement DMARC, you must publish a DMARC policy in the DNS records for your domain. This policy specifies the mechanisms used to authenticate email messages sent from your domain and what to do if the message fails authentication. Setting up a DMARC policy usually involves the following steps:

  1. Identify the email authentication mechanisms used by your organization: This may include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or both.
  2. Determine the desired level of enforcement for your DMARC policy: You can choose to quarantine emails that fail DMARC evaluation, reject them outright, or simply log the error and take no action.
  3. Publish your DMARC policy to your domain’s DNS records: This involves creating a TXT record that includes your DMARC policy and adding it to your domain’s DNS records.
  4. Monitor DMARC Reports: DMARC includes a reporting mechanism that allows senders to receive reports from recipient mail servers about the handling of email messages claiming to be from their domain. These reports can be used to monitor the effectiveness of the DMARC policy and identify any issues that need to be addressed.
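
As an added example (not code from the Bolster post), a small Python audit of a DMARC TXT record that flags the weak choices the steps above decide on: a p=none policy, a reduced pct, a subdomain policy that reopens subdomains, and a missing rua= address, which means the reports in step 4 never arrive. The two records below are constructed, and the example.com reporting address is a placeholder.

```python
"""Audit a DMARC TXT record for weak settings (added example; records are constructed)."""
from typing import Dict, List

REQUIRED_VERSION = "DMARC1"

# Constructed sample records, not taken from any real domain.
WEAK_RECORD = "v=DMARC1; p=none; sp=none; pct=50"
ENFORCING_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict; tag names are lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")  # split on the first '=' only
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str, has_subdomains: bool = True) -> List[str]:
    """Return findings about the record; an empty list means it is at enforcement."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != REQUIRED_VERSION:
        return ["record is not a DMARC record (missing 'v=DMARC1')"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    # pct defaults to 100; a lower value applies the policy to a sample of failing mail
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the failing mail")
    # Subdomains inherit 'p' unless 'sp' overrides it; sp=none reopens every subdomain
    if has_subdomains and tags.get("sp", policy) == "none":
        findings.append("subdomain policy is none; mail from any subdomain bypasses enforcement")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never delivered, so the policy cannot be monitored")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("enforcing", ENFORCING_RECORD)):
        print(label, rec, audit_dmarc(rec) or ["OK"], sep="\n  ")
```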

Overall, managing DMARC may require some technical expertise and may require a significant time investment, depending on the complexity of your organization’s email infrastructure.


Real-World DMARC Errors

According to a report published by Valimail in 2020, the overall DMARC adoption rate among domains worldwide was 60.3%, and the percentage of email traffic covered by DMARC policies was 63.5%. This indicates that a significant portion of email traffic is protected by DMARC. However, it is important to note that DMARC is not a perfect solution and it is still possible for malicious actors to bypass DMARC checks and send fake emails.

Here are some real-world examples of DMARC errors:

  1. In 2017, the personal email accounts of several high-profile individuals, including former US President Barack Obama and former US Secretary of State Colin Powell, were hacked and used to send phishing emails to other individuals. The emails appeared to be from the hacked individuals, but were actually sent by malicious actors using domains that had a DMARC policy set to “none”, allowing them to bypass DMARC checks.
  2. In 2018, the hotel chain Marriott suffered a data breach in which the personal information of up to 500 million guests was exposed. The attackers used a technique called “spoofing” to send phishing emails to Marriott employees that appeared to be from trusted sources, such as the company’s CEO. The emails were sent using domains that were legitimate subdomains of Marriott’s domain, allowing them to bypass DMARC checks.
  3. In 2019, the Twitter accounts of several high-profile figures, including former US President Barack Obama, former US Vice President Joe Biden, and tech mogul Elon Musk, were hacked and used to send fake tweets offering cryptocurrency giveaways. The tweets appeared to be from the hacked individuals, but were actually sent by malicious actors using domains not covered by DMARC guidelines, allowing them to bypass DMARC checks.

The need for digital risk protection

In conclusion, DMARC is an effective tool for brand protection, but it is not a silver bullet. Companies should be aware of its limitations and take additional steps to protect their brand from malicious activity. This includes implementing additional security solutions such as a fully automated digital risk protection solution that not only detects and monitors impersonation but also performs remediation by removing websites, fake executive profiles, fake mobile apps and other types of fraud on the web, social media, mobile app stores and the dark web.

A digital risk protection solution can help you stay ahead of new threats. As technology evolves and new threats emerge, you need to be able to respond quickly and effectively. With a digital risk protection solution, you can monitor your digital assets for any changes or anomalies that may indicate a security risk. This can help you stay one step ahead of the game and ensure your assets stay safe. Another benefit of a digital risk protection solution is that it can help you reduce the cost of responding to threats. By monitoring your digital assets in real time, you can quickly identify potential threats and take action to mitigate them. This can help you save money by avoiding hiring external consultants or investing in expensive security solutions.

Get a free, fully customizable demo from Bolster.

*** This is a Security Bloggers Network syndicated blog from Bolster Blog written by Bolster Research Labs. Read the original post at:
