External penetration tests often reveal that many organizations have either misconfigured their Domain-based Message Authentication, Reporting, and Conformance (DMARC) records or lack one altogether. Recognizing the risks associated with these oversights is crucial, as they can leave your organization vulnerable to attacks.

The Basics of Email Security

Email security is primarily bolstered by three mechanisms: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC. Each plays a vital role in safeguarding your emails:

A DMARC policy is specified in your domain's DNS records and dictates how receiving servers should handle emails that fail SPF and DKIM checks: rejecting the email outright, quarantining it for inspection, or allowing it through but marking it as suspicious. DMARC also provides a feedback mechanism, sending reports back to the domain owner about any emails that fail these checks — visibility that lets organizations monitor unauthorized use of their domains.

Understanding an Email's Structure

An email comprises two main parts: the envelope and the contents. The envelope contains information such as the sender's email and the recipient's address — much like the envelope of a traditional letter. The contents contain what is seen by the recipient: the "Email From" address, subject line, and body.

SPF and DKIM only validate the envelope portion of the email. They do not validate the "Email From" address seen by the recipient, which is part of the content. The envelope sender and the displayed "From" address can differ even when SPF and DKIM pass — and without DMARC, that gap lets attackers spoof a trusted source.

A Real-World Scenario of Email Spoofing

Imagine this: CompanyA frequently sends and receives large payments via wire transfer. An attacker, discovering that CompanyA lacks a DMARC record, decides to spoof their domain and registers a similar-looking domain — C0mpany4.com. After setting up SPF and DKIM records and building the domain's reputation over several months, they strike by emailing CompanyB's accounting team, impersonating a user at CompanyA and stating that CompanyA's banking information has been updated.

The envelope and content sender addresses differ, but without DMARC, the email passes SPF and DKIM checks and reaches the inbox, appearing to be from CompanyA. A proper DMARC implementation would have prevented this email from being delivered by ensuring alignment between the sender addresses — potentially preventing a security incident that could cost millions of dollars.

More traditional social-engineering tactics can also exploit weak DMARC configurations. A poorly configured or absent policy makes it easier for attackers to impersonate trusted contacts — a colleague, a manager, or a familiar vendor — increasing the likelihood that a recipient clicks a link or opens an attachment.

Broader Risk to Your Ecosystem

It is critical to understand that the risk isn't confined to your organization alone; it extends to your clients, customers, vendors, and partners. If your domain lacks a correctly configured DMARC record, attackers can spoof your domain and target these entities, potentially leading to compromised trust and financial loss. In light of recent advisories — including guidance from the NSA on thwarting advanced persistent threats that exploit email vulnerabilities — it's increasingly critical to implement a DMARC policy.

Ensuring a Correct DMARC Configuration

Setting up and leveraging DMARC is one of the more common recommendations our team makes during penetration tests and security assessments. For organizations implementing DMARC for the first time, it is generally best to start with a monitoring-only policy (p=none) while ensuring the rua tag is configured to receive aggregate reports. This allows you to analyze how DMARC would impact legitimate email traffic before enforcing stricter policies. Once you're confident all legitimate sources are properly authenticated, transition to p=quarantine or p=reject.

A well-configured DMARC policy typically includes the following:

Examples of DMARC Configurations

⚠ Poorly configured (monitoring only) v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

This policy does not enforce any action on emails that fail SPF and DKIM checks, but it is a good starting point. It lets the domain owner monitor traffic and identify legitimate senders before enforcing a stricter policy. Leaving the policy at p=none indefinitely, however, provides no protection against spoofing.

✓ Correctly configured (enforcing + strict alignment) v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s;

This policy rejects any emails failing the SPF or DKIM checks and enforces strict alignment, ensuring the domain in the DKIM signature and SPF match exactly with the "Email From" address. The rua tag specifies where aggregate reports are sent, providing valuable insight into authentication trends.

To protect your organization, review your DMARC record using tools like dig, nslookup, or online services like mxtoolbox. If your policy is missing or misconfigured, consult a security professional.

Wrapping It Up

In today's digital landscape, where email-based attacks are becoming more frequent and sophisticated, DMARC is no longer a luxury — it's a critical component of any organization's cybersecurity strategy. Properly configuring your DMARC record not only strengthens your email security but also reinforces trust with your customers, partners, and vendors by ensuring your domain cannot be easily spoofed.

DMARC's effectiveness goes beyond your own organization. By securing your domain, you contribute to a safer email ecosystem for everyone you communicate with. In a world where reputation and security are tightly intertwined, ensuring your DMARC policy is correctly configured could be the difference between maintaining your organization's integrity or facing severe consequences. Don't wait for a breach to act — proactively implementing DMARC is a straightforward step toward a more resilient, secure future for your business.

About the author — Scott Fingar (PNPT, eCPPT) is a Senior Cybersecurity Analyst and penetration tester. Setting up and leveraging DMARC is one of the most common recommendations his team makes during penetration tests and security assessments.

← back to all articles