Why DMARC? Protecting Customers with Effective Implementation and Operation of Email Security

Email remains an essential communication tool in modern business. However, the damage caused by increasingly sophisticated email based attacks continues to grow. To protect organizations and their customers from threats such as phishing and email spoofing, strengthening email security has become an urgent priority.
This article explains the importance of implementing DMARC (Domain based Message Authentication, Reporting, and Conformance) - a critical email authentication framework that prevents domain spoofing. It also covers key considerations before adopting DMARC, a phased approach for successful implementation, and best practices for ongoing operation.
If you are concerned about email security or exploring the introduction of DMARC, this article is a must read.

Index

Basics of DMARC and the Need for Implementation
Phased Implementation of DMARC Policy and Operational Optimization Strategy
Summary

1. Basics of DMARC

As phishing attacks and email spoofing continue to grow more sophisticated, DMARC plays an essential role in strengthening email security. DMARC works in conjunction with two existing authentication technologies - SPF and DKIM - to verify whether an email truly originates from the domain it claims to represent.

SPF (Sender Policy Framework)
Verifies whether the sender's IP address is authorized to send email on behalf of the domain by checking the SPF record stored in DNS.
DKIM (DomainKeys Identified Mail)
Uses cryptographic signatures to confirm that the email has not been tampered with during transmission. The recipient validates the signature using the sender's public key published in DNS.

DMARC integrates the authentication results of SPF and DKIM and checks whether they are aligned with the domain shown in the "From" header. If alignment fails, the receiving mail server applies the DMARC policy - none, quarantine, or reject - to decide whether to deliver, quarantine, or block the email.
By enforcing this alignment, DMARC effectively blocks spoofed emails, reduces the risk of phishing attacks, and enhances the credibility of legitimate senders.

2. DMARC Implementation and Gradual Transition of DMARC Policy

According to Proofpoint Japan, approximately 80% of Nikkei 225 companies have adopted DMARC. However, more than half have set their policy to "none", which only monitors authentication results without restricting email delivery. Under this configuration, suspicious emails can still reach recipients, leaving organizations vulnerable to phishing attacks.
Many organizations hesitate to move to stricter policies such as "quarantine" or "reject" due to two common concerns:

Risk of false positives, where legitimate emails may be blocked or placed in spam due to authentication misconfigurations
Difficulty coordinating settings across all mail systems, especially in environments with multiple services, legacy systems, or third-party senders

To address these challenges, organizations can transition to stricter DMARC policies using a phased and controlled approach.
The following section explains how to adopt DMARC safely while minimizing disruption and preventing misconfiguration related delivery failures.

Figure 1: Steps for Effective DMARC Implementation

2.1 Implementing DMARC and Starting with the "none" Policy

The first step in DMARC implementation is to configure DMARC with the policy set to none. Under this setting, both legitimate and suspicious emails that fail DMARC authentication are still delivered to recipients. At the same time, DMARC generates detailed reports that record the reasons for authentication failures and information about the sending sources.
The organization then collects and analyzes these DMARC reports to identify the causes of verification failures and resolve issues accordingly.
A common cause of DMARC failure is domain misalignment - where SPF and DKIM are configured correctly, but the sending domain does not match the domain authenticated by SPF/DKIM. This can be resolved using the following methods:

1. Resolving Domain Misalignment Issues

Align Domains: Ensure that the Envelope From (Return Path) domain matches the "From" header domain. When using third party email services, include their sending IP addresses in your SPF record.
DKIM Re Signing: When third party tools (e.g., mailing lists) modify messages, re sign outgoing emails with your domain's DKIM key to maintain alignment.

2. Handling Systems Where Alignment Is Difficult

If legacy systems or operational constraints prevent domain alignment, consider the following options:

Subdomain Segmentation: Assign problematic systems to dedicated subdomains. The subdomain can maintain a DMARC policy of "none," while the primary domain transitions to "quarantine" or "reject."
Utilizing DKIM: Match the d= tag in the DKIM signature with the "From" header domain. Using relaxed alignment allows DMARC to pass even when SPF alignment fails.

3. Fundamental Solutions

Mail Server Migration or Consolidation: Route all outbound email through a centralized SMTP gateway and apply consistent DKIM signing.
Implement ARC (Authenticated Received Chain): ARC preserves authentication results across email forwarding by adding sequential ARC headers. Even if SPF/DKIM break during forwarding, receiving servers can validate the original authentication chain.
Use Alternative Communication Tools: For mailing lists or systems where alignment cannot be achieved, consider moving communication to collaboration tools such as Microsoft Teams.

Organizations should also prepare for potential delivery issues after policy transitions by setting up a dedicated support channel and establishing internal procedures for resolving email related incidents.

2.2 Transitioning the DMARC Policy to "quarantine"

After analyzing DMARC reports and confirming that DMARC failures related to legitimate emails have been addressed, the next step is to change the policy to quarantine.
Under this policy, emails that fail DMARC verification are delivered to the recipient's spam folder. This provides a safety net - legitimate messages mistakenly identified as suspicious can still be reviewed by recipients.
During this stage, continue monitoring DMARC reports. If legitimate emails are still failing DMARC checks, review and correct the sending server configuration or DNS settings. The quarantine period enables organizations to address these issues with minimal business impact.

2.3 Transitioning the DMARC Policy to "reject"

Once the quarantine setting has been used for an appropriate period and the business impact has been minimized, the DMARC policy can be strengthened to reject. Under this policy, emails that fail DMARC authentication are blocked entirely, preventing recipients from receiving phishing emails and spoofed messages that impersonate the organization's domain.
However, the rejection policy is not a complete defense. For example:

Emails sent from compromised accounts
Attacks originating from DMARC compliant mail servers
may still be delivered.
Additionally, DMARC does not analyze links, attachments, or message content, so it must be combined with other security layers such as advanced spam filters and machine learning based threat detection.

2.4 Continuous DMARC Operation

Even after setting the DMARC policy to reject, continuous monitoring of DMARC reports remains critical. Effective DMARC operation provides ongoing security benefits, such as:

Blocking spoofed emails: Prevents fraudulent emails impersonating your domain from reaching customers and reduces the risk of social engineering attacks.
Preventing delivery failures of legitimate email: Helps detect misconfigurations early, ensuring reliable email delivery and preventing loss of business opportunities.

The goal of DMARC operation is not only to fix configuration issues but also to contribute to improving the overall email security ecosystem for recipient organizations.

3. Summary

Organizations hesitant to implement or strengthen DMARC can follow the phased approach outlined in this article to gradually transition policies while minimizing operational risks. Once DMARC is fully deployed, your organization can protect customers and partners from malicious spoofing and phishing attacks.
Strengthening DMARC not only enhances security but also contributes to maintaining customer trust and preserving the organization's brand reputation. Implementing and operating DMARC should be recognized as a strategic investment in long term organizational credibility.
We hope this article serves as a useful reference when planning and executing DMARC implementation and ongoing operation, contributing to stronger email security across your entire organization.