Connect with us


Why DMARC Is An Essential Protocol To Stop Phishing

Last updated by



Did you know cyber-attacks and phishing actually increased during the height of the pandemic?

According to Forbes, Google recorded massive numbers of phishing websites during 2020.

Remote working has not been lost on cybercriminals. They have seen it as an opportunity to access business networks and systems via workers’ devices and vulnerabilities in remote working connections.

Plus, with practice and smarts like using social engineering to trick us, cyber-attacks like email phishing are more challenging to detect – they look legitimate.

So now is the time to educate yourself on email security.

What’s in the hackers’ favour is we can’t eliminate the human factor. Many of us will, at some stage, open a phishing email, click on a malicious link, or download what may be ransomware.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and it’s one of the protocols created to protect your email domain. However, DMARC is not the only protection you can have, and to have it, you need to implement at least one more, i.e., SPF or DKIM (but better yet – both).


The Sender Policy Framework is the first layer of protection that verifies the email sent from your domain was sent by you or other parties that are allowed to send messages on your behalf.

SPF has a couple of significant downsides. For example, if the email is being forwarded, it will no longer pass SPF authentication.


DomainKeys Identified Mail – is another email-validating technique that uses an electronic signature to ensure the message was not altered from sender to recipient.

Like SPF and DKIM, DMARC is a simple TXT record that must be added to your DNS record.

DMARC’s 3 Policies

DMARC has three policies: none, quarantine, and reject.


The ‘none’ policy means nothing will happen to the email whether it passes or fails authentication. Basically, it is as if there was no DMARC implemented at all.

Why do you need a ‘none’ policy, then? First, it is beneficial in the early stages of DMARC implementation: it gives you visibility of email traffic. Second, it lets you see how many of your emails (and which ones exactly) pass or fail authentication.


The ‘quarantine’ policy brings you to the next level. At this point, a message that fails authentication will be marked as spam.


The ‘reject’ policy is your ultimate protection. With it, emails that fail authentication will be blocked entirely and will not reach their recipient. But getting to the ‘reject’ policy will take time and effort.

What Happens During Authentication

Here is a simplified version of DMARC authentication.

  • The mail server runs SPF and DKIM authentication.
  • If these checks are correctly completed, the server applies the stated DMARC policy (none, quarantine, or reject)
  • DMARC sends a report with the conclusion on actions towards every email sent from the particular domain

The DMARC Report

DMARC report is an essential topic for a different article, but you should know (and what Google advises) to find a proper third-party tool to work with DMARC reports.

Why? The thing is, DMARC reports initially were not intended to be readable for people, and they come in XML format.

Another obstacle is the number of reports: DMARC sends one message to one server. Depending on your email reach, you can start receiving hundreds or thousands of them.

DMARC Analyzer

So, what does a third-party DMARC analyzer do? It gathers, stores, and analyzes your DMARC reports, providing a nicely structured, comprehensible view of all your domain information.

DMARC: Security and Deliverability

Even though there is an apparent reason to implement DMARC to stay on the safe side, due to many factors, companies hesitate to start using it or switch from the ‘none’ policy to a more secure ‘reject’ if they have the record.

So, what is happening that should help more companies make the right decision? Well, there’s the challenge of deliverability and security.

No auth, no entry.

If your email doesn’t authenticate, it won’t ‘enter,’ i.e., the email provider will reject it.

When you implement DMARC, you command anyone who receives an email from you that doesn’t authenticate to reject it.

With ‘no auth, no entry,’ it’s the other way around – the email provider says the email will be rejected if it doesn’t authenticate.

Of course, there is no such thing as a set date when ‘no auth, no entry’ will be massively adopted or when any email provider alliance agrees to implement it. However, email providers must deliver a better service to their users and ensure spam does not get through their filtering systems.

Therefore, as a sender, you must manage your DMARC authentication so your email deliverability doesn’t gradually decrease.


Brand Indicators for Message Identification are your way to stand out in the recipient’s inbox with your logo shown in your email. Providing visibility, brand awareness, and trust with each email requires a DMARC policy on ‘quarantine’ or ‘reject.’

BIMI has not yet been massively adopted. However, as of October 2020, it is supported by Verizon’s AOL and Netscape, Yahoo!.

Google launched its BIMI pilot on July 21st, 2020, and FastMail’s pilot is coming soon (according to BIMI Group). So, even though it seems like there is plenty of time, it is better to stay ahead of the curve (and your competitors).


Finally, there is no avoiding the topic of the 2020 pandemic and its impact on cyber-security.

In April 2020 alone, Google blocked a shocking 18 million daily coronavirus-related malware and phishing emails. Such a statistic leaves no doubt that every company, large or small, needs all the protection it can get.

In 2023, there will be threats due to the Ukraine War. Google reports Belarusian threat actor PUSHCHA is targeting webmail providers, though primarily regional.

Final Thoughts

Even though DMARC may seem complicated and challenging to implement initially, it is worth every minute you spend on it. Otherwise, you risk financial losses and domain reputation damage due to cyber-attacks.

Plus, I witnessed a decrease in email deliverability rates in the long run.

As Benjamin Franklin said: Don’t put off till tomorrow what you can do today. Now is the perfect time to start. Tomorrow may be too late.

Tip: If you don’t know whether you have a DMARC record implemented – use a free domain checker.