Feb 18

What to do About Non-DMARC Capable Email Sources

Non DMARC Capable Sources

When deploying DMARC, you may occasionally encounter email vendors that do not support DMARC authentication on your outbound email.  While most email service providers have implemented and adopted DMARC as a best practice, some vendors have not caught up.

To help users deal with Non-DMARC capable sources, dmarcian classifies these email streams as "Non-Capable" (or "Non-Compliant"). This is done for two reasons:

  1. To save our users time trying to get a source of email to send DMARC compliant email when it is unable to.
  2. To raise awareness of sources that haven't yet figured out how to send DMARC compliant email.

What To do about Non DMARC Capable Sources

Verify the Source is Not DMARC Capable.

When you are aware that you have legitimate email sending from a Non compliant source, you have a few options. First, ensure that the source of email is indeed still not capable of sending DMARC compliant email. As vendors are moving to adopt DMARC as a standard, many eventually become DMARC capable. Verify by visiting your vendors website, or contacting support.

Send Traffic Through a DMARC Capable Source.

The best option when dealing with a non DMARC Capable source is to try and send this traffic to a source that is DMARC capable. Although this not always may be the easiest option, it will ensure that all of your domains are authenticated and protected by your DMARC policy.

Send Non-Compliant Email Through a Subdomain.

If you are unable to relay your traffic through a DMARC Capable source, another option is to create a subdomain specifically for these email flows. Using a specific subdomain with a p=none policy will allow you to monitor non-compliant email flows and allow your primary domain to publish a p=reject policy without blocking non-compliant emails. Be aware, because the subdomain publishes a p=none policy, email coming from this domain cannot be protected by DMARC.

To learn more about how dmarcian classifies non-compliant and other sources, visit How does dmarcian classify sources.


Mar 17

FTC Study Released Regarding DMARC

Press release from Federal Trade Commission, March 3rd 2017

"In a study released today, the Federal Trade Commission’s Office of Technology Research and Investigation (OTech) reports that most major online businesses are using proper email authentication technology to prevent phishing emails, but few of these businesses are taking full advantage of the latest technologies to combat phishing.

Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source such as an internet service provider, a bank, or a mortgage company. It asks the consumer to provide personal identifying information, and then the scammer uses the information to open new accounts or invade the consumer’s existing accounts.

Specifically, the OTech study found that 86 percent of major online businesses it studied are using Sender Policy Framework (SPF), an email authentication technology that enables Internet Service Providers to determine whether messages that claim to be from the businesses’ email addresses actually come from the businesses. Fewer than 10 percent of the businesses, however, have implemented a supplemental technology known as Domain Message Authentication Reporting & Conformance (DMARC) in a manner which would allow the businesses to receive intelligence on potential spoofing attempts and to instruct ISPs to automatically reject any unauthenticated messages that claimed to be from the businesses’ email addresses.  By using DMARC to instruct receiving ISPs to reject unauthenticated messages, online businesses could further combat phishing by keeping these scam emails from showing up in consumers’ inboxes.

For a full analysis of the staff’s findings, and to learn about its methodology, read the entire Staff Perspective or watch this video."

Courtesy of the Federal Trade Commission 

Feb 17

Expansion of DMARC is Now Critical

DMARC reaches critical need
Press Release Reposted with Permission from The Global Cyber Alliance

Expansion of DMARC Critical to Reducing Spread of Malicious Emails

Global Cyber Alliance Calls on Leading Cyber Companies 
To Improve Email Protections

SAN FRANCISCO, February 14, 2017 – There is a fix that can prevent a great amount of email-born attacks on consumers and businesses. Unfortunately, the vast majority of public and private organizations globally, including leading cyber security companies, have not deployed DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent spammers and phishers from using an organization’s name to conduct cyber attacks, according to new research from the Global Cyber Alliance (GCA).

DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide. However, DMARC adoption rates among enterprises and government remains low.

The UK Government’s guidance for government agencies directs them to implement DMARC but as of December 2016 only five percent of UK public sector domains had done so. A mere 16 percent of the healthcare sector has adopted DMARC.

The latest research from GCA, an international cross-sector organization dedicated to confronting systemic cyber risk, finds that adoption remains low in the cyber security industry as well.

Only 15 percent of the 587 email domains (that were scanned) for companies exhibiting at the RSA Conference -- one of the world’s largest gatherings of cyber security experts -- use DMARC. Of the 90 RSA exhibiting organizations that do use DMARC, more than 66 percent use the DMARC policy of “none,” which only monitors for email domains, greatly reducing the effectiveness of DMARC.

It is time for the cyber security industry to lead the charge and push for DMARC use across the globe. GCA strongly advocates that organizations implement DMARC and has developed a free DMARC Setup Guide to make DMARC implementation easier (https://dmarc.globalcyberalliance.org/).

The value of correctly implementing DMARC is clear as studiesiii have shown that organizations that use DMARC correctly receive just 23 percent of the email threats that those who do not use DMARC.

“As world leaders in cyber security, we can do better. DMARC protects brands and preserves consumer confidence.  While no security effort is cost-free, clear guidance and tools, such as the GCA DMARC Setup Guide, make DMARC implementation practical, and the benefits are considerable. DMARC is one of the cyber security protocols that can broadly reduce risk, and the more it is implemented, the more protection if offers for everyone,” said Philip Reitinger, President and CEO of GCA. “I’m placing a stake in the ground and calling on the cyber security industry to lead the adoption of DMARC, with a goal that 50 percent of the companies that exhibit at the 2018 RSA Conference implement DMARC prior to the conference, and that 90 percent implement prior to the 2019 RSA Conference. Working together the cyber security industry can be a role model and make a difference.”

About The Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measureable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.

GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at www.globalcyberalliance.org.


[i] https://www.gov.uk/guidance/set-up-government-email-services-securely

[ii] https://www.ncsc.gov.uk/blog-post/making-email-mean-something-again

[iii] https://www.helpnetsecurity.com/2017/02/01/phishing-display-name-spoofs/


Feb 17

Sub-domain Abuse Goes Mainstream


Last week, LinkedIn was the target of a massive, global cyber attack.

The attack came in the form of phishing that looks almost exactly like real LinkedIn address confirmation emails. Only two things differed: Read the rest of this entry »

Jan 17

Subdomain Management Changes

As many of you may have noticed, there have recently been some changes to the UI regarding subdomains. After talking with people about how subdomains were being used and abused across the internet, we decided to spend some time rethinking how dmarcian process, sorts and displays subdomains. These new changes allow our system to handle large quantities of subdomains more efficiently and accurately.

Read the rest of this entry »

Aug 16

Too many DNS lookups?

People sometimes run into the "too many DNS lookups" error when rolling out SPF (Sender Policy Framework). It doesn't help that there is a lot of bad guidance on the Internet. This article describes how to fix this issue. Read the rest of this entry »

Jul 16

Published a DMARC record but haven't received any XML Reports?

A common problem many people face when implementing DMARC for the first time is that they are not receiving aggregate XML reports (reports generated for delivery to the rua= tag) in their dmarcian account. These XML reports are the driving force of DMARC. Without them, it's very difficult to get an accurate picture of your domain's usage across the internet.

If you've created a dmarcian account, have published records but have not received data, don't fret! It is typically caused by one (or more) of these three things: Read the rest of this entry »

Jul 16

dmarcian tools are under constant development to make DMARC deployment faster and easier for everyone. This article describes how to best use the tools today. Read the rest of this entry »

Jun 16

What is "External Destination Verification"?

A domain's DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain example.org might have a DMARC record of:

v=DMARC1; p=none; rua=mailto:dmarc_reports@sample.net

This DMARC record tells people to send reports regarding example.org to the email address of "dmarc_reports@sample.net". Before reports are sent, sample.net must tell the world that it is OK to send example.org's reports to sample.net. Otherwise, reports will not be sent to sample.net.

Allowing "external" domains to accept DMARC reports is called "External Domain Verification".

Read the rest of this entry »

May 16

How to publish a DMARC record

Publishing a DMARC record is the first step in deploying DMARC.

To create a DMARC record, use the dmarcian DMARC Wizard.  When you have the text of your DMARC record at your fingertips, follow these steps: Read the rest of this entry »